module

HP OpenView Network Node Manager execvp_nc Buffer Overflow

Disclosed
Jul 20, 2010
Created
May 30, 2018

Description

This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53
prior to NNM_01207 or NNM_01206 without the SSRT100025 hotfix. By specifying a long 'sel'
parameter when calling methods within the 'webappmon.exe' CGI program, an attacker can
cause a stack-based buffer overflow and execute arbitrary code.

This vulnerability is not triggerable via a GET request due to limitations on the
request size. The buffer being targeted is 16384 bytes in size. There are actually two
adjacent buffers that both get overflowed (one into the other), and strcat is used.

The vulnerable code is within the "execvp_nc" function within "ov.dll" prior to
v 1.30.12.69. There are no stack cookies, so exploitation is easily achieved by
overwriting the saved return address or SEH frame.

This vulnerability might also be triggerable via other CGI programs; however, this was
not fully investigated.
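A detection-side illustration of the condition described above, added here and not part of the Metasploit module or HP's code: it flags requests to webappmon.exe whose 'sel' value is unusually long. The request path, host name, sample requests and the 1024-byte alert threshold are constructed assumptions; the 16384-byte buffer size comes from the description.

```python
from urllib.parse import parse_qsl

BUFFER_SIZE = 16384  # size of the targeted buffer, per the description above
SEL_LIMIT = 1024     # assumed alert threshold; tune against legitimate traffic


def inspect_request(raw: bytes):
    """Return a finding dict when a request to webappmon.exe carries an
    oversized 'sel' parameter, otherwise None."""
    head, _, body = raw.partition(b"\r\n\r\n")
    try:
        method, target, _ = head.split(b"\r\n")[0].split(b" ", 2)
    except ValueError:
        return None  # not a parseable request line
    path, _, query = target.partition(b"?")
    if not path.lower().endswith(b"/webappmon.exe"):
        return None
    # latin-1 maps each byte to one character, so len() is a byte count
    # even when the value is percent-encoded.
    params = parse_qsl(query.decode("latin-1"), keep_blank_values=True,
                       encoding="latin-1")
    if method.upper() == b"POST":
        # Request-size limits rule out GET, so the POST body is where an
        # oversized value would be carried.
        params += parse_qsl(body.decode("latin-1"), keep_blank_values=True,
                            encoding="latin-1")
    longest = max((len(v) for k, v in params if k == "sel"), default=0)
    if longest <= SEL_LIMIT:
        return None
    return {"method": method.decode("latin-1"), "sel_len": longest,
            "exceeds_buffer": longest >= BUFFER_SIZE}


def _post(sel: bytes) -> bytes:
    """Build a constructed sample POST (path and host are placeholders)."""
    body = b"sel=" + sel
    return (b"POST /cgi-bin/webappmon.exe HTTP/1.1\r\nHost: nnm.example\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


# Constructed samples: a normal value, a long value, an over-buffer value,
# and an unrelated request.
SAMPLES = [_post(b"host1"), _post(b"A" * 2000), _post(b"A" * 20000),
           b"GET /index.html HTTP/1.1\r\nHost: nnm.example\r\n\r\n"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(inspect_request(sample))
```

The same length check can be enforced at a reverse proxy or WAF in front of the CGI directory on hosts that cannot yet be patched.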

Authors

Platform

Windows

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':


msf > use exploit/windows/http/hp_nnm_webappmon_execvp
msf exploit(hp_nnm_webappmon_execvp) > show targets
...targets...
msf exploit(hp_nnm_webappmon_execvp) > set TARGET <target-id>
msf exploit(hp_nnm_webappmon_execvp) > show options
...show and set options...
msf exploit(hp_nnm_webappmon_execvp) > exploit
