Add HPE iMC dbman RestartDB Unauthenticated RCE exploit #9376
List the steps needed to make sure this thing works
Hi @bcoles, it looks like HP is no longer hosting the vulnerable version of the software:
I actually got version 7.3 (E0506).
I will need to look around and see if I have one that's vulnerable.
@wchen-r7 It's worth noting that you may have to run the module a couple of times. I get a fail rate of about 1 in 10.
It's usually fairly reliable and doesn't crash the service, so I used
I thought the occasional failures were due to bad characters, but the payload is encoded and the exact same payload will fail one time but work another.
Similarly, while the exploit uses randomized junk strings of randomized length, these do not appear to be the cause of failure. Running the module with static strings of static length will still result in occasional failure.
The generated packets are well formed. During development, I noticed that malformed packets, including packets of an incorrect length, will cause the server to reject the connection. The exploit is stable, and the server never rejects the connection, indicating the packets are in fact well formed.
The exploit is fast and easy to re-execute. As such, I consider a 10% failure rate acceptable. I'm inclined to think the issue is due to the dbman service.
The same is true for the other iMC exploit #9377
@bcoles I tested the exploit 11 times in a row, and it never failed on me. Here's the log:
This module exploits a remote command execution vulnerability in HP Enterprise Intelligent Management Center before version 7.3. The dbman service allows unauthenticated remote users to restart a user-specified database instance (OpCode 10008); however, the instance ID is not sanitized, allowing execution of arbitrary operating system commands as SYSTEM.