• HPE Systems Insight Manager AMF Deserialization RCE
    Disclosure Date: 2020-12-15
    First seen: 2021-03-12
    exploit/windows/http/hpe_sim_76_amf_deserialization
    A remotely exploitable vulnerability exists within HPE System Insight Manager (SIM) version 7.6.x that can be leveraged by a remote unauthenticated attacker to execute code within the context of HPE System Insight Manager's hpsimsvc.exe process, which runs with administrative privileges. The vulnerability occurs due to a failure to validate data during the deserialization process when a user submits a POST request to the /simsearch/messagebroker/amfsecure page. This module exploits this vulnerability by leveraging an outdated copy of Commons Collection, namely 3.2.2, that ships with HPE SIM, to gain RCE as the administrative user running HPE SIM. Authors: Harrison Neal, Jang, Grant Willcox
  • Micro Focus Operations Bridge Manager Authenticated Remote Code Execution
    Disclosure Date: 2020-10-28
    First seen: 2021-03-12
    exploit/multi/http/microfocus_obm_auth_rce
    This module exploits an authenticated Java deserialization that affects a truckload of Micro Focus products: Operations Bridge Manager, Application Performance Management, Data Center Automation, Universal CMDB, Hybrid Cloud Management and Service Management Automation. However, this module was only tested on Operations Bridge Manager. Exploiting this vulnerability will result in remote code execution as the root user on Linux or the SYSTEM user on Windows. Authentication is required: the module user needs to log in to the application and obtain the authenticated LWSSO_COOKIE_KEY, which should be fed to the module. Any authenticated user can exploit this vulnerability, even the lowest privileged ones. For more information refer to the advisory link below. Authors: Pedro Ribeiro <pedrib@gmail.com>
  • Micro Focus UCMDB Java Deserialization Unauthenticated Remote Code Execution
    Disclosure Date: 2020-10-28
    First seen: 2021-03-12
    exploit/multi/http/microfocus_ucmdb_unauth_deser
    This module exploits two vulnerabilities that, when chained, allow an attacker to achieve unauthenticated remote code execution in Micro Focus UCMDB. UCMDB as included in versions 2020.05 and below of Operations Bridge Manager is affected, but this module can probably also be used to exploit Operations Bridge Manager (containerized) and Application Performance Management. Check the advisory and module documentation for details. The first vulnerability is a hardcoded password for the "diagnostics" user, which allows us to log in to UCMDB. The second vulnerability is a run-of-the-mill Java deserialization, which can be exploited with ysoserial's CommonsBeanutils1 payload. Both Windows and Linux installations are vulnerable. Authors: Pedro Ribeiro <pedrib@gmail.com>
  • LinuxKI Toolset 6.01 Remote Command Execution
    Disclosure Date: 2020-05-17
    First seen: 2020-06-10
    exploit/linux/http/linuxki_rce
    This module exploits a vulnerability in LinuxKI Toolset <= 6.01 which allows remote code execution. The kivis.php pid parameter received from the user is passed to the shell_exec function, resulting in a remote command execution vulnerability.
  • Docker Container Escape Via runC Overwrite
    Disclosure Date: 2019-01-01
    First seen: 2021-06-30
    exploit/linux/local/docker_runc_escape
    This module leverages a flaw in `runc` to escape a Docker container and get command execution on the host as root. This vulnerability is identified as CVE-2019-5736. It overwrites the `runc` binary with the payload and waits for someone to use `docker exec` to get into the container, which triggers the payload execution. Note that executing this exploit carries significant risks regarding the integrity of the Docker installation on the target and inside the container (see the 'Side Effects' section in the documentation).
  • HP Intelligent Management Java Deserialization RCE
    Disclosure Date: 2017-10-03
    First seen: 2020-04-26
    exploit/windows/http/hp_imc_java_deserialize
    This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett Packard Enterprise Intelligent Management Center. Authentication is not required to exploit this vulnerability. The specific flaw exists within the WebDMDebugServlet, which listens on TCP ports 8080 and 8443 by default. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute arbitrary code in the context of SYSTEM. Authors: Steven Seeley (mr_me) of Offensive Security, Carsten <Carsten @MaartmannMoe / cmm@transcendentgroup.com>
  • HP iLO 4 1.00-2.50 Authentication Bypass Administrator Account Creation
    Disclosure Date: 2017-08-24
    First seen: 2020-04-26
    auxiliary/admin/hp/hp_ilo_create_admin_account
    This module exploits an authentication bypass in HP iLO 4 1.00 to 2.50, triggered by a buffer overflow in the Connection HTTP header handling by the web server. Exploiting this vulnerability gives full access to the REST API, allowing arbitrary account creation. Authors: Fabien Perigaud <fabien.perigaud@synacktiv[dot]com>
  • HPE iMC dbman RestartDB Unauthenticated RCE
    Disclosure Date: 2017-05-15
    First seen: 2020-04-26
    exploit/windows/misc/hp_imc_dbman_restartdb_unauth_rce
    This module exploits a remote command execution vulnerability in Hewlett Packard Enterprise Intelligent Management Center before version 7.3 E0504P04. The dbman service allows unauthenticated remote users to restart a user-specified database instance (OpCode 10008); however, the instance ID is not sanitized, allowing execution of arbitrary operating system commands as SYSTEM. This service listens on TCP port 2810 by default. This module has been tested successfully on iMC PLAT v7.2 (E0403) on Windows 7 SP1 (EN). Authors: sztivi, Chris Lyne, bcoles <bcoles@gmail.com>
  • HPE iMC dbman RestoreDBase Unauthenticated RCE
    Disclosure Date: 2017-05-15
    First seen: 2020-04-26
    exploit/windows/misc/hp_imc_dbman_restoredbase_unauth_rce
    This module exploits a remote command execution vulnerability in Hewlett Packard Enterprise Intelligent Management Center before version 7.3 E0504P04. The dbman service allows unauthenticated remote users to restore a user-specified database (OpCode 10007); however, the database connection username is not sanitized, resulting in command injection and allowing execution of arbitrary operating system commands as SYSTEM. This service listens on TCP port 2810 by default. This module has been tested successfully on iMC PLAT v7.2 (E0403) on Windows 7 SP1 (EN). Authors: sztivi, Chris Lyne, bcoles <bcoles@gmail.com>
  • HP Jetdirect Path Traversal Arbitrary Code Execution
    Disclosure Date: 2017-04-05
    First seen: 2020-04-26
    exploit/linux/misc/hp_jetdirect_path_traversal
    The module exploits a path traversal via Jetdirect to gain arbitrary code execution by writing a shell script to /etc/profile.d that is loaded on startup. Then, the printer is restarted using SNMP. Impacted printers: HP PageWide Managed MFP P57750dw, HP PageWide Managed P55250dw, HP PageWide Pro MFP 577z, HP PageWide Pro 552dw, HP PageWide Pro MFP 577dw, HP PageWide Pro MFP 477dw, HP PageWide Pro 452dw, HP PageWide Pro MFP 477dn, HP PageWide Pro 452dn, HP PageWide MFP 377dw, HP PageWide 352dw, HP OfficeJet Pro 8730 All-in-One Printer, HP OfficeJet Pro 8740 All-in-One Printer, HP OfficeJet Pro 8210 Printer, HP OfficeJet Pro 8216 Printer, HP OfficeJet Pro 8218 Printer. Please read the module documentation regarding the possibility of leaving an unauthenticated telnetd service running as a side effect of this exploit. Authors: Jacob Baines, Matthew Kienow <matthew_kienow[AT]rapid7.com>
  • BIND TSIG Query Denial of Service
    Disclosure Date: 2016-09-27
    First seen: 2020-04-26
    auxiliary/dos/dns/bind_tsig
    A defect in the rendering of messages into packets can cause named to exit with an assertion failure in buffer.c while constructing a response to a query that meets certain criteria. This assertion can be triggered even if the apparent source address isn't allowed to make queries. Authors: Martin Rocha, Ezequiel Tavella, Alejandro Parodi, Infobyte Research Team
  • HP Data Protector Encrypted Communication Remote Command Execution
    Disclosure Date: 2016-04-18
    First seen: 2020-04-26
    exploit/windows/misc/hp_dataprotector_encrypted_comms
    This module exploits a well-known remote code execution vulnerability after establishing encrypted control communications with a Data Protector agent. This allows exploitation of Data Protector agents that have been configured to only use encrypted control communications. This exploit works by executing the payload with Microsoft PowerShell, so it will only work against Windows Vista or newer. Tested against Data Protector 9.0 installed on Windows Server 2008 R2. Authors: Jon Barg, Ian Lovering
  • HP Performance Monitoring xglance Priv Esc
    Disclosure Date: 2014-11-19
    First seen: 2020-05-14
    exploit/linux/local/hp_xglance_priv_esc
    This exploit takes advantage of xglance-bin, part of HP's Glance (or Performance Monitoring) version 11 'and subsequent', which was compiled with an insecure RPATH option. The RPATH includes a relative path to -L/lib64/ which can be controlled by a user. Creating libraries in this location will result in an escalation of privileges to root. Authors: h00die, Tim Brown, Robert Jaroszuk, Marco Ortisi
  • HP Data Protector 8.10 Remote Command Execution
    Disclosure Date: 2014-11-02
    First seen: 2020-04-26
    exploit/windows/misc/hp_dataprotector_cmd_exec
    This module exploits a remote command execution vulnerability in HP Data Protector 8.10. Arbitrary commands can be executed by sending crafted requests with opcode 28 to the OmniInet service listening on TCP port 5555. Since there is a strict length limitation on the command, rundll32.exe is executed, and the payload is provided through a DLL served by a fake SMB server. This module has been tested successfully on HP Data Protector 8.1 on Windows 7 SP1. Authors: Christian Ramirez, Henoch Barrera, Matthew Hall <hallm@sec-1.com>
  • SSL/TLS Version Detection
    Disclosure Date: 2014-10-14
    First seen: 2022-12-23
    auxiliary/scanner/ssl/ssl_version
    Check if a server supports a given version of SSL/TLS and cipher suites. The certificate is stored in loot, and any known vulnerabilities against that SSL version and cipher suite combination are checked. These checks include POODLE, deprecated protocols, expired/not valid certs, low key strength, null cipher suites, certificates signed with MD5, DROWN, RC4 ciphers, exportable ciphers, LOGJAM, and BEAST. Authors: todb <todb@metasploit.com>, et <et@metasploit.com>, Chris John Riley, Veit Hailperin <hailperv@gmail.com>, h00die
  • HP Network Node Manager I PMD Buffer Overflow
    Disclosure Date: 2014-09-09
    First seen: 2020-04-26
    exploit/linux/misc/hp_nnmi_pmd_bof
    This module exploits a stack buffer overflow in HP Network Node Manager I (NNMi). The vulnerability exists in the pmd service, due to the insecure usage of functions like strcpy and strcat while handling stack_option packets with user-controlled data. In order to bypass ASLR, this module uses a proto_tbl packet to leak a libov pointer from the stack and finally builds a ROP chain to avoid NX. Authors: d(-_-)b, juan vazquez <juan.vazquez@metasploit.com>
  • HP AutoPass License Server File Upload
    Disclosure Date: 2014-01-10
    First seen: 2020-04-26
    exploit/windows/http/hp_autopass_license_traversal
    This module exploits a code execution flaw in HP AutoPass License Server. It abuses two weaknesses in order to achieve its objective. First, the AutoPass application doesn't enforce authentication in the CommunicationServlet component. Second, it's possible to abuse a directory traversal when uploading files through the same component, allowing an arbitrary payload embedded in a JSP to be uploaded. The module has been tested successfully on HP AutoPass License Server 8.01 as installed with HP Service Virtualization 3.50. Authors: rgod <rgod@autistici.org>, juan vazquez <juan.vazquez@metasploit.com>
  • HP Data Protector Backup Client Service Remote Code Execution
    Disclosure Date: 2014-01-02
    First seen: 2020-04-26
    exploit/windows/misc/hp_dataprotector_exec_bar
    This module abuses the Backup Client Service (OmniInet.exe) to achieve remote code execution. The vulnerability exists in the EXEC_BAR operation, which allows arbitrary processes to be executed. This module has been tested successfully on HP Data Protector 6.20 on Windows 2003 SP2 and Windows 2008 R2. Authors: Aniway.Anyway <Aniway.Anyway@gmail.com>, juan vazquez <juan.vazquez@metasploit.com>
  • HP Data Protector Backup Client Service Directory Traversal
    Disclosure Date: 2014-01-02
    First seen: 2020-04-26
    exploit/windows/misc/hp_dataprotector_traversal
    This module exploits a directory traversal vulnerability in the Hewlett-Packard Data Protector product. The vulnerability exists in the Backup Client Service (OmniInet.exe) and is triggered when parsing packets with opcode 42. This module has been tested successfully on HP Data Protector 6.20 on Windows 2003 SP2 and Windows XP SP3. Authors: Brian Gorenc, juan vazquez <juan.vazquez@metasploit.com>
  • HP SiteScope issueSiebelCmd Remote Code Execution
    Disclosure Date: 2013-10-30
    First seen: 2020-04-26
    exploit/multi/http/hp_sitescope_issuesiebelcmd
    This module exploits a code execution flaw in HP SiteScope. The vulnerability exists in the APISiteScopeImpl web service, specifically in the issueSiebelCmd method, which allows the user to execute arbitrary commands without authentication. This module has been tested successfully on HP SiteScope 11.20 over Windows 2003 SP2, Windows 2008 and CentOS 6.5. Authors: rgod <rgod@autistici.org>, juan vazquez <juan.vazquez@metasploit.com>
135 metasploit modules found
Please note: Metasploit modules are only matched by CVE numbers. Visit the Metasploit web site for more details.