CVE-2017-12557: HPE Intelligent Management Center Java Deserialization RCE #10947
HP Intelligent Management Java Deserialization RCE (Windows)
Please add documentation, see https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/module_doc_template.md. Also, the PR queue is rather high right now. Not sure when someone will get to this (although it may pique someone's interest), so it may be a few weeks till a final review to land will happen.
Please use two spaces for indentation
Co-Authored-By: carmaa <carsten@carmaa.com>
Thanks. The updates look good to me from a quick read through the code, although I have a few comments (see above). Once you're happy with the module (pending #10947 (comment) and review comments), please add documentation.
Fixed if/else block return Co-Authored-By: carmaa <carsten@carmaa.com>
Print payload length Co-Authored-By: carmaa <carsten@carmaa.com>
All right, documentation added in eab26a0. Thanks for all the help so far @bcoles !
Jenkins test this please.
After discussing it with @jrobles-r7, I'm going to take point on this one.
@carmaa: The module works great! I would suggest setting the Also, I see you've used Thanks!
Looks like the sanity checks are suffering their scheduled weekend insanity. As usual, this warning can be ignored.
LGTM
@asoto-r7: The process to create the payload was not straight-forward, that's why #10057 is a great idea. In the JSON1 payload specifically, there are several bytes that are dependent on the length of the command, so I had to find those bytes by trial and error. But the command that was used to create the serialised object was
@carmaa: Thanks for the module, and for the help. After having to retrace your steps, I can say I definitely appreciate your comment about finding the payload offsets "by trial and error". I documented my reproduction steps in the comments of the module to help the next person. :-)
Release Notes
The HP Intelligent Management Java Deserialization RCE module has been added to the framework. This exploits a Java deserialization vulnerability in HP Enterprise Intelligent Management Center PLAT version 7.3 E0504P2, providing a command-line or Meterpreter shell on the target.
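Added example, not code from this PR, from carmaa or from asoto-r7: the reason the JSON1 payload contains bytes that depend on the command's length is that Java serialization length-prefixes every String object (TC_STRING, 0x74, carries a 2-byte big-endian length; TC_LONGSTRING, 0x7C, an 8-byte one; both count bytes of Java's "modified UTF-8"). The Ruby below encodes such a string, decodes one back, and swaps a placeholder command inside a constructed stream while rewriting the prefix. The stream, the placeholder name and the function names are assumptions for illustration; the gadget chain of the real JSON1 payload and any other offsets it contains are not reproduced here.

```ruby
# Java serialization constants (java.io.ObjectStreamConstants).
STREAM_MAGIC   = "\xAC\xED".b
STREAM_VERSION = "\x00\x05".b
TC_STRING      = 0x74
TC_LONGSTRING  = 0x7C

# Java's "modified UTF-8": NUL is written as the two-byte sequence C0 80.
# BMP text is otherwise identical to standard UTF-8; supplementary
# characters (CESU-8 surrogate pairs) are not handled in this example.
def modified_utf8(str)
  str.encode('UTF-8').b.gsub("\x00".b, "\xC0\x80".b)
end

# Encode a Ruby string as a serialized java.lang.String object:
# TC_STRING for up to 0xFFFF bytes, TC_LONGSTRING beyond that.
def java_string(str)
  bytes = modified_utf8(str)
  if bytes.bytesize <= 0xFFFF
    [TC_STRING, bytes.bytesize].pack('Cn') + bytes
  else
    [TC_LONGSTRING].pack('C') + [bytes.bytesize].pack('Q>') + bytes
  end
end

# Decode the String object at +offset+ and return [value, bytes_consumed].
def read_java_string(stream, offset)
  stream = stream.b
  tag = stream.getbyte(offset)
  case tag
  when TC_STRING
    len = stream.byteslice(offset + 1, 2).unpack1('n')
    hdr = 3
  when TC_LONGSTRING
    len = stream.byteslice(offset + 1, 8).unpack1('Q>')
    hdr = 9
  else
    raise ArgumentError, "not a String object at offset #{offset}"
  end
  raw = stream.byteslice(offset + hdr, len)
  [raw.gsub("\xC0\x80".b, "\x00".b).force_encoding('UTF-8'), hdr + len]
end

# Replace a placeholder command that is stored as a whole String object,
# re-emitting the length prefix for the new command. Everything after the
# placeholder shifts by the difference in length, which is what makes the
# fixed offsets in a hand-patched payload move.
def patch_command(stream, placeholder, command)
  stream = stream.b
  needle = java_string(placeholder)
  idx = stream.index(needle)
  raise ArgumentError, 'placeholder not found as a String object' unless idx
  stream[0...idx] + java_string(command) + stream[(idx + needle.bytesize)..]
end

# Constructed sample (assumption): a bare stream header followed by one
# String object. A gadget-chain payload wraps the command in many more
# objects, but the String itself is patched the same way.
PLACEHOLDER   = 'CMD_PLACEHOLDER'.freeze
SAMPLE_STREAM = STREAM_MAGIC + STREAM_VERSION + java_string(PLACEHOLDER)

if __FILE__ == $PROGRAM_NAME
  patched = patch_command(SAMPLE_STREAM, PLACEHOLDER, 'cmd.exe /c whoami')
  value, used = read_java_string(patched, 4)
  puts "patched String: #{value.inspect} (#{used} bytes, stream #{patched.bytesize} bytes)"
end
```

Usage note: when a command longer than the placeholder is inserted, every offset after the String moves by the length difference, so any byte the payload stores separately (a block-data length, an array size, a handle reference) has to be recomputed rather than patched at a fixed position.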
Adds an exploit module for HPE Intelligent Management Center Java Deserialization RCE (Windows).
Test env setup
On a Windows machine, download and install HPE IMC from here:
https://h10145.www1.hpe.com/downloads/DownloadSoftware.aspx?SoftwareReleaseUId=19066&ProductNumber=JG748AAE&lang=&cc=&prodSeriesId=&SaidNumber=
You need .NET 2.0, but that's the only dependency.
Make sure to follow any instructions on setting up SSL correctly (certain cipher suites do not play well with the software). These instructions may vary depending on the Windows version you set it up on. On a Windows Server 2012 R2 I had to disable certain cipher suites.
Verification
List the steps needed to make sure this thing works
msfconsole
use exploit/windows/http/hp_imc_java_deserialize
Sample output