HP OpenView Network Node Manager execvp_nc Buffer Overflow

Disclosed: 2010-07-20
Created: 2018-05-30

Description

This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53
prior to NNM_01207 or NNM_01206 without the SSRT100025 hotfix. By specifying a long 'sel'
parameter when calling methods within the 'webappmon.exe' CGI program, an attacker can
cause a stack-based buffer overflow and execute arbitrary code.

This vulnerability is not triggerable via a GET request due to limitations on the
request size. The buffer being targeted is 16384 bytes in size. There are actually two
adjacent buffers that both get overflowed (one into the other), and strcat is used.

The vulnerable code is within the "execvp_nc" function within "ov.dll" prior to
v1.30.12.69. There are no stack cookies, so exploitation is easily achieved by
overwriting the saved return address or SEH frame.

This vulnerability might also be triggerable via other CGI programs, but this was
not fully investigated.
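As an added defensive example (not part of the module or of the original page), the following Python flags HTTP requests that hand webappmon.exe a 'sel' value long enough to reach the 16384-byte buffer described above, checking both the query string and a POST body since the page notes GET requests are size-limited. The CGI path /OvCgi/webappmon.exe, the sample requests and the threshold parameter are assumptions.

```python
from urllib.parse import parse_qs, urlsplit

# Buffer size given in the description above; a 'sel' value this long is the
# condition the advisory describes. A lower threshold is sensible in practice,
# since a legitimate selector is a few dozen bytes at most.
SEL_BUFFER_SIZE = 16384
TARGET_CGI = "webappmon.exe"

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    method, path, _version = request_line.split(" ", 2)
    return method, path, body

def sel_lengths(method: str, path: str, body: bytes) -> list:
    """Decoded lengths of every 'sel' value sent to webappmon.exe, taken from
    the query string and (for POST) the form body; [] for any other CGI."""
    parts = urlsplit(path)
    if not parts.path.lower().endswith(TARGET_CGI):
        return []
    params = parse_qs(parts.query, keep_blank_values=True)
    if method == "POST":
        form = parse_qs(body.decode("latin-1"), keep_blank_values=True)
        for key, values in form.items():
            params.setdefault(key, []).extend(values)
    return [len(v) for v in params.get("sel", [])]

def is_suspicious(raw: bytes, threshold: int = SEL_BUFFER_SIZE) -> bool:
    """True when any 'sel' value reaches the threshold (default: buffer size)."""
    method, path, body = parse_request(raw)
    return any(n >= threshold for n in sel_lengths(method, path, body))

# Constructed sample requests (not captured traffic); the /OvCgi/ path is assumed.
_HEAD = (b"POST /OvCgi/webappmon.exe HTTP/1.1\r\nHost: nnm.example.internal\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n\r\n")
BENIGN_REQUEST = _HEAD + b"sel=node1"
OVERLONG_REQUEST = _HEAD + b"sel=" + b"A" * 20000

if __name__ == "__main__":
    for name, req in (("benign", BENIGN_REQUEST), ("overlong", OVERLONG_REQUEST)):
        print(f"{name}: suspicious={is_suspicious(req)}")
```

Because parse_qs percent-decodes values, the measured length is a lower bound on what the CGI receives on the wire.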

Authors

Shahin Ramezany shahin@abysssec.com
sinn3r sinn3r@metasploit.com
jduck jduck@metasploit.com

Platform

Windows

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/http/hp_nnm_webappmon_execvp
msf exploit(hp_nnm_webappmon_execvp) > show targets
...targets...
msf exploit(hp_nnm_webappmon_execvp) > set TARGET < target-id >
msf exploit(hp_nnm_webappmon_execvp) > show options
...show and set options...
msf exploit(hp_nnm_webappmon_execvp) > exploit
