Rapid7 Vulnerability & Exploit Database

HP OpenView Network Node Manager execvp_nc Buffer Overflow

Back to Search

HP OpenView Network Node Manager execvp_nc Buffer Overflow



This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53 prior to NNM_01207 or NNM_01206 without the SSRT100025 hotfix. By specifying a long 'sel' parameter when calling methods within the 'webappmon.exe' CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code. This vulnerability is not triggerable via a GET request due to limitations on the request size. The buffer being targeted is 16384 bytes in size. There are actually two adjacent buffers that both get overflowed (one into the other), and strcat is used. The vulnerable code is within the "execvp_nc" function within "ov.dll" prior to v There are no stack cookies, so exploitation is easily achieved by overwriting the saved return address or SEH frame. This vulnerability might also be triggerable via other CGI programs, however this was not fully investigated.


  • Shahin Ramezany <shahin@abysssec.com>
  • sinn3r <sinn3r@metasploit.com>
  • jduck <jduck@metasploit.com>




Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/http/hp_nnm_webappmon_execvp
msf exploit(hp_nnm_webappmon_execvp) > show targets
msf exploit(hp_nnm_webappmon_execvp) > set TARGET < target-id >
msf exploit(hp_nnm_webappmon_execvp) > show options
    ...show and set options...
msf exploit(hp_nnm_webappmon_execvp) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security