Rapid7 Vulnerability & Exploit Database

HP NNM CGI webappmon.exe OvJavaLocale Buffer Overflow




This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53. By sending a request containing a cookie longer than 5120 bytes, an attacker can overflow a stack buffer and execute arbitrary code. The vulnerable code is within the OvWwwDebug function; the static-sized stack buffer is declared within this function. When the vulnerability is triggered, the stack trace looks like the following:

#0 ...
#1 sprintf_new(local_stack_buf, fmt, cookie);
#2 OvWwwDebug(" HTTP_COOKIE=%s\n", cookie);
#3 ?OvWwwInit@@YAXAAHQAPADPBD@Z(x, x, x);
#4 sub_405ee0("nnm", "webappmon");

No validation is done on the cookie argument. There are no stack cookies, so exploitation is easily achieved by overwriting the saved return address or SEH frame. The original advisory detailed an attack vector using the "OvJavaLocale" cookie being passed in a request to "webappmon.exe". Further research shows that several different cookie values, as well as several different CGI applications, can be used.
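As an added illustration (not code from the Metasploit module, from HP, or from the advisory), the following C shows the defect class the description names, an unbounded sprintf into a fixed 5120-byte stack buffer, beside a bounded replacement that reports truncation, plus the header-length check a reverse proxy or log parser could apply in front of the CGI. The 5120-byte size and the " HTTP_COOKIE=%s\n" format come from the description; the request lines are constructed test fixtures, and every function name is hypothetical.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed stack buffer size the description attributes to OvWwwDebug. */
#define OV_DEBUG_BUF_SIZE 5120

/* Hypothetical hardened replacement for the
 * sprintf(local_stack_buf, " HTTP_COOKIE=%s\n", cookie) pattern:
 * the write is bounded by the caller's buffer size and truncation is
 * reported instead of silently running past the end of the stack buffer. */
bool format_cookie_debug(char *out, size_t outsz, const char *cookie) {
    if (out == NULL || outsz == 0 || cookie == NULL)
        return false;
    int n = snprintf(out, outsz, " HTTP_COOKIE=%s\n", cookie);
    /* snprintf returns the length it wanted to write; n >= outsz means the
     * output was cut short, i.e. the unbounded original would have overflowed. */
    return n >= 0 && (size_t)n < outsz;
}

/* Convenience wrapper: would a cookie of `cookie_len` bytes fit the
 * 5120-byte buffer once the " HTTP_COOKIE=" prefix and newline are added? */
bool synthetic_cookie_fits(size_t cookie_len) {
    char buf[OV_DEBUG_BUF_SIZE];
    char *cookie = malloc(cookie_len + 1);
    if (cookie == NULL) return false;
    memset(cookie, 'A', cookie_len);      /* constructed value, content irrelevant */
    cookie[cookie_len] = '\0';
    bool fits = format_cookie_debug(buf, sizeof buf, cookie);
    free(cookie);
    return fits;
}

/* Case-insensitive prefix match; HTTP header names are case-insensitive. */
static bool has_prefix_ci(const char *s, size_t slen, const char *prefix) {
    size_t plen = strlen(prefix);
    if (slen < plen) return false;
    for (size_t i = 0; i < plen; i++)
        if (tolower((unsigned char)s[i]) != tolower((unsigned char)prefix[i]))
            return false;
    return true;
}

/* Length of the value of the first Cookie header in a raw HTTP request
 * (CRLF-separated headers), or 0 when no Cookie header is present. */
size_t cookie_value_length(const char *request) {
    const char *line = request;
    while (*line) {
        const char *eol = strstr(line, "\r\n");
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len == 0) break;                       /* blank line ends the headers */
        if (has_prefix_ci(line, len, "cookie:")) {
            const char *v = line + 7;
            size_t vlen = len - 7;
            while (vlen > 0 && (*v == ' ' || *v == '\t')) { v++; vlen--; }
            return vlen;
        }
        if (eol == NULL) break;
        line = eol + 2;
    }
    return 0;
}

/* Detection rule for a proxy, WAF or log parser: flag any request whose
 * Cookie header is longer than the buffer the vulnerable code assumes. */
bool cookie_header_oversized(const char *request) {
    return cookie_value_length(request) > OV_DEBUG_BUF_SIZE;
}

/* Builds a constructed request with an OvJavaLocale cookie value padded to
 * `pad_len` bytes of 'A', runs the detection rule on it and frees it. */
bool sample_request_is_oversized(size_t pad_len) {
    const char *head = "GET / HTTP/1.1\r\nHost: nnm.example\r\nCookie: OvJavaLocale=";
    const char *tail = "\r\n\r\n";
    size_t hl = strlen(head);
    char *req = malloc(hl + pad_len + strlen(tail) + 1);
    if (req == NULL) return false;
    memcpy(req, head, hl);
    memset(req + hl, 'A', pad_len);
    strcpy(req + hl + pad_len, tail);
    bool flagged = cookie_header_oversized(req);
    free(req);
    return flagged;
}

int main(void) {
    printf("5000-byte cookie fits bounded buffer: %s\n", synthetic_cookie_fits(5000) ? "yes" : "no");
    printf("5120-byte cookie fits bounded buffer: %s\n", synthetic_cookie_fits(5120) ? "yes" : "no");
    printf("request with 6000-byte cookie flagged: %s\n", sample_request_is_oversized(6000) ? "yes" : "no");
    printf("request with 10-byte cookie flagged:   %s\n", sample_request_is_oversized(10) ? "yes" : "no");
    return 0;
}
```

The bounded formatter is the code-level fix for the pattern in the stack trace; the header check is the compensating control for hosts that cannot be patched, and it is deliberately coarse (it flags on total Cookie length rather than on any particular cookie name, since the description notes that several cookie values and CGI applications reach the same buffer).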


  • Nahuel Riva
  • sinn3r <sinn3r@metasploit.com>
  • jduck <jduck@metasploit.com>




Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/http/hp_nnm_webappmon_ovjavalocale
msf exploit(hp_nnm_webappmon_ovjavalocale) > show targets
msf exploit(hp_nnm_webappmon_ovjavalocale) > set TARGET <target-id>
msf exploit(hp_nnm_webappmon_ovjavalocale) > show options
    ...show and set options...
msf exploit(hp_nnm_webappmon_ovjavalocale) > exploit
