This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53. By sending a request containing a cookie longer than 5120 bytes, an attacker can overflow a stack buffer and execute arbitrary code. The vulnerable code is within the OvWwwDebug function. The static-sized stack buffer is declared within this function. When the vulnerability is triggered, the stack trace looks like the following:

    #0 ...
    #1 sprintf_new(local_stack_buf, fmt, cookie);
    #2 OvWwwDebug(" HTTP_COOKIE=%s\n", cookie);
    #3 ?OvWwwInit@@YAXAAHQAPADPBD@Z(x, x, x);
    #4 sub_405ee0("nnm", "webappmon");

No validation is done on the cookie argument. There are no stack cookies, so exploitation is easily achieved by overwriting the saved return address or SEH frame. The original advisory detailed an attack vector using the "OvJavaLocale" cookie being passed in a request to "webappmon.exe". Further research shows that several different cookie values, as well as several different CGI applications, can be used.
Windows
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':