CVE-2009-2685
Published: 2009-11-06
Priority: P2 (74) · Severity: critical · CVSS 2.0 base score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: public (Exploit-DB and Metasploit entries below)
EPSS: 76.71% (99.5th percentile)

Stack-based buffer overflow in the login form in the management web server in HP Power Manager allows remote attackers to execute arbitrary code via the Login variable.
Detection & IOCs (extracted from sources)
URL: /goform/formLogin
Snort/Suricata rule (Emerging Threats, sid:2010699, rev:8):
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible HP Power Manager Management Web Server Login Remote Buffer Overflow Attempt"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/goform/formLogin"; nocase; http.request_body; content:"Login="; nocase; content:!"|0A|"; within:300; isdataat:300,relative; pcre:"/Login=[^\r\n]{300}/i"; reference:url,www.securityfocus.com/bid/36933; reference:cve,2009-2685; classtype:web-application-attack; sid:2010699; rev:8;)

Indicators:
- The exploit sends an HTTP POST to /goform/formLogin with an overly long Login parameter (more than 300 bytes, up to 2024 bytes) to trigger the stack buffer overflow.
- The Emerging Threats Snort/Suricata rule (sid:2010699) fires on a POST to /goform/formLogin whose Login= body parameter is followed by 300 or more bytes containing no newline; use this as the detection threshold.
- The exploit payload uses alphanumeric-encoded shellcode (PexAlphaNum encoder) generated with the bad characters \x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c excluded; inspect the Login parameter for long alphanumeric runs that contain none of these bytes.
- The exploit takes its return address from msvcp60.dll (a JMP ESP / pop-pop-ret style gadget); msvcp60.dll addresses in stack traces or crash dumps of the management web server are indicative of exploitation.
- The reverse shell spawned by the exploit connects back to the attacker on port 4444; monitor for outbound connections from the HP Power Manager process to port 4444.
- The exploit prepends a stack-adjustment stub, \x81\xc4\xff\xef\xff\xff\x44, to the shellcode. It disassembles to add esp, -0x1001; inc esp, i.e. ESP -= 0x1000, written that way to avoid a null byte (the Metasploit module's StackAdjustment -3500 serves the same purpose). This byte sequence inside the Login payload is a strong exploit indicator.
- HP originally patched this in version 4.2.10, but Tenable confirmed the fix was incomplete and the same root vulnerability persisted; version 4.3.2 is the actual fix. Detection should not assume 4.2.10 is safe.
- The ET rule (sid:2010699) is marked confidence:Low; it may produce false positives on legitimate long Login values, so tune the threshold and corroborate hits with the payload indicators above.
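The rule and the indicator bullets above can be exercised offline. The following Python script is an added example written for this page, not code from Emerging Threats, Offensive Security or the Metasploit project: it parses a raw HTTP request, reproduces the sid:2010699 match conditions (POST, /goform/formLogin, "Login=" followed by 300 bytes with no newline, all case-insensitive), then looks for the two payload-structure indicators (the add esp,-0x1001; inc esp stub, and a long alphanumeric run free of the listed bad characters) to raise confidence above the rule's own Low. The sample requests, the host address, the 200-byte alphanumeric-run threshold and the "RRRR" return-address placeholder are constructed for the example; the alphanumeric payload stand-in is not real encoder output.

```python
import re
from dataclasses import dataclass, field

# Values taken from the rule and IOC bullets on this page.
LOGIN_URI = b"/goform/formlogin"                      # matched case-insensitively (rule uses nocase)
RULE_THRESHOLD = 300                                  # sid:2010699: "Login=" + 300 bytes, no newline
STACK_ADJUST_STUB = b"\x81\xc4\xff\xef\xff\xff\x44"   # add esp,-0x1001 ; inc esp  (esp -= 0x1000)
BAD_CHARS = set(b"\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c")
ALNUM_RUN_THRESHOLD = 200   # assumption for this example: run length suggestive of encoded shellcode


@dataclass
class Verdict:
    rule_hit: bool                      # would sid:2010699 fire on this request?
    login_len: int                      # bytes after "Login=" up to the next CR, LF or "&"
    indicators: list = field(default_factory=list)

    @property
    def confidence(self) -> str:
        """The rule alone is Low confidence; payload structure raises it."""
        if not self.rule_hit:
            return "none"
        return "high" if self.indicators else "low"


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, uri, body); None if malformed."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    request_line = head.split(b"\r\n", 1)[0].split(b" ")
    if len(request_line) < 2:
        return None
    return request_line[0], request_line[1], body


def inspect_login(raw: bytes) -> Verdict:
    """Apply the sid:2010699 conditions, then the payload-structure indicators."""
    parsed = parse_request(raw)
    if parsed is None:
        return Verdict(False, 0)
    method, uri, body = parsed
    if method.upper() != b"POST" or LOGIN_URI not in uri.lower():
        return Verdict(False, 0)
    m = re.search(rb"(?i)Login=", body)
    if m is None:
        return Verdict(False, 0)
    after = body[m.end():]
    # Rule semantics: 300 bytes following "Login=" with no CR/LF among them.
    rule_hit = re.match(rb"[^\r\n]{%d}" % RULE_THRESHOLD, after) is not None

    value = re.split(rb"[\r\n&]", after, maxsplit=1)[0]
    indicators = []
    if STACK_ADJUST_STUB in body:
        indicators.append("stack-adjust stub (add esp,-0x1001; inc esp)")
    longest = max((len(r) for r in re.findall(rb"[A-Za-z0-9]+", value)), default=0)
    if longest >= ALNUM_RUN_THRESHOLD and not (BAD_CHARS & set(value)):
        indicators.append(f"{longest}-byte alphanumeric run with none of the exploit's bad chars")
    return Verdict(rule_hit, len(value), indicators)


def build_request(login: bytes, uri: bytes = b"/goform/formLogin", method: bytes = b"POST") -> bytes:
    """Constructed request builder for the samples below (not a capture of the real exploit)."""
    body = b"Login=" + login + b"&Password=x"
    return (method + b" " + uri + b" HTTP/1.1\r\n"
            + b"Host: 192.0.2.10\r\n"
            + b"Content-Type: application/x-www-form-urlencoded\r\n"
            + b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n"
            + body)


# Constructed samples. FAKE_SHELLCODE is a deterministic alphanumeric stand-in
# for encoder output, not real shellcode; "RRRR" stands in for the return address.
_ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
FAKE_SHELLCODE = bytes(_ALPHABET[(i * 37 + 11) % 62] for i in range(400))
BENIGN = build_request(b"admin")
ATTACK = build_request(b"A" * 300 + b"RRRR" + STACK_ADJUST_STUB + FAKE_SHELLCODE)
OVERLONG_BENIGN = build_request(b"a" * 40 + b"@" + b"example.com" * 30)   # 371 bytes, no payload structure
NEWLINE_LOGIN = build_request(b"A" * 100 + b"\n" + b"A" * 400)              # LF inside the first 300 bytes
WRONG_URI = build_request(b"A" * 2000, uri=b"/goform/formOther")
LOWERCASE = build_request(b"A" * 400, uri=b"/GOFORM/FORMLOGIN", method=b"post")

if __name__ == "__main__":
    for name, req in [("benign", BENIGN), ("attack", ATTACK), ("overlong benign", OVERLONG_BENIGN),
                      ("newline in login", NEWLINE_LOGIN), ("wrong uri", WRONG_URI), ("lowercase", LOWERCASE)]:
        v = inspect_login(req)
        print(f"{name:17} rule_hit={v.rule_hit!s:5} len={v.login_len:4} confidence={v.confidence:5} {v.indicators}")
```

Run it as a script to print one verdict per sample. OVERLONG_BENIGN shows why the rule alone is confidence:Low (it fires with no payload indicators), NEWLINE_LOGIN shows the rule's blind spot (a single LF inside the first 300 bytes defeats the [^\r\n]{300} match even though the value is long), and LOWERCASE confirms that method and URI are matched without regard to case, as the rule's nocase modifiers require.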
Suricata
ET WEB_SPECIFIC_APPS Possible HP Power Manager Management Web Server Login Remote Buffer Overflow Attempt
suricata · 2010-07-30 · CVE-2009-2685
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible HP Power Manager Management Web Server Login Remote Buffer Overflow Attempt"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/goform/formLogin"; nocase; http.request_body; content:"Login="; nocase; content:!"|0A|"; within:300; isdataat:300,relative; pcre:"/Login=[^\r\n]{300}/i"; reference:url,www.securityfocus.com/bid/36933; reference:cve,2009-2685; classtype:web-application-attack; sid:2010699; rev:8; metadata:created_at 2010_07_30, cve CVE_2009_2685, confidence Low, signature_severity Major, updated_at 2020_09_04;)
Exploit-DB
Hewlett-Packard (HP) Power Manager Administration - Remote Buffer Overflow (Metasploit)
exploitdb · 2010-11-24 · CVE-2009-2685
---
##
# $Id: hp_power_manager_login.rb 11127 2010-11-24 19:35:38Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

# Note: the text between "Metasploit3 <" and "'Name' =>" was lost to HTML
# extraction (the "<" was read as a tag). The class header, mixin and
# initializer below are the standard Metasploit 3 module skeleton restored
# around the surviving lines; the module's Rank declaration is not
# recoverable from this page.
class Metasploit3 < Msf::Exploit::Remote
	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Hewlett-Packard Power Manager Administration Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in Hewlett-Packard Power Manager 4.2.
					Sending a specially crafted POST request with an overly long Login string, an
					attacker may be able to execute arbitrary code.
			},
			'Author'         => [ 'MC' ],
			'License'        => MSF_
Exploit-DB
Hewlett-Packard (HP) Power Manager Administration - Universal Buffer Overflow
exploitdb · 2009-11-16 · CVE-2009-2685
---
#!/usr/bin/python
# HP Power Manager Administration Universal Buffer Overflow Exploit
# CVE 2009-2685
# Tested on Win2k3 Ent SP2 English, Win XP Sp2 English
# Matteo Memelli ryujin __A-T__ offensive-security.com
# www.offensive-security.com
# Spaghetti & Pwnsauce - 07/11/2009
#
# ryujin@bt:~$ ./hppowermanager.py 172.16.30.203
# HP Power Manager Administration Universal Buffer Overflow Exploit
# ryujin __A-T__ offensive-security.com
# [+] Sending evil buffer...
# HTTP/1.0 200 OK
# [+] Done!
# [*] Check your shell at 172.16.30.203:4444 , can take up to 1 min to spawn your shell
# ryujin@bt:~$ nc -v 172.16.30.203 4444
# 172.16.30.203: inverse host lookup failed: Unknown server erro
Metasploit
Hewlett-Packard Power Manager Administration Buffer Overflow
metasploit · CVE-2009-2685
This module exploits a stack buffer overflow in Hewlett-Packard Power Manager 4.2. Sending a specially crafted POST request with an overly long Login string, an attacker may be able to execute arbitrary code.
References:
- http://marc.info/?l=bugtraq&m=125744000032141&w=2
- http://secunia.com/advisories/37276
- http://securitytracker.com/id?1023140
- http://www.osvdb.org/59684
- http://www.securityfocus.com/archive/1/507708/100/0/threaded
- http://www.securityfocus.com/bid/36933
- http://www.vupen.com/english/advisories/2009/3154
- http://www.zerodayinitiative.com/advisories/ZDI-09-081/
Published: 2009-11-06