Metasploit modules that can be used to exploit BMC products
BMC Patrol Agent Privilege Escalation Cmd Execution
Disclosure Date: 2019-01-17
First seen: 2020-04-26
exploit/multi/misc/bmc_patrol_cmd_exec
This module leverages the remote command execution feature provided by the BMC Patrol Agent software. It can also be used to escalate privileges on Windows hosts, as the software runs as SYSTEM but only verifies that the password of the provided user is correct. This also means that if the software is running on a domain controller, it can be used to escalate from a normal domain user to domain admin, as SYSTEM on a DC is DA. **WARNING** The Windows version of this exploit uses PowerShell to execute the payload. The PowerShell version tends to time out on the first run, so it may take multiple tries.
Authors:
- b0yd

BMC Server Automation RSCD Agent NSH Remote Command Execution
Disclosure Date: 2016-03-16
First seen: 2020-04-26
exploit/multi/misc/bmc_server_automation_rscd_nsh_rce
This module exploits a weak access control check in the BMC Server Automation RSCD agent that allows arbitrary operating system commands to be executed without authentication. Note: Under Windows, non-powershell commands may need to be prefixed with 'cmd /c'.
Authors:
- Olga Yanushkevich, ERNW <@yaole0>
- Nicky Bloor (@NickstaDB) <nick@nickbloor.co.uk>

BMC Server Automation RSCD Agent NSH Remote Command Execution
Disclosure Date: 2016-03-16
First seen: 2020-04-26
exploit/multi/misc/bmc_server_automation_rscd_nsh_rce
This module exploits a weak access control check in the BMC Server Automation RSCD agent that allows arbitrary operating system commands to be executed without authentication. Note: Under Windows, non-powershell commands may need to be prefixed with 'cmd /c'.
Authors:
- Olga Yanushkevich, ERNW <@yaole0>
- Nicky Bloor (@NickstaDB) <nick@nickbloor.co.uk>

BMC TrackIt! Unauthenticated Arbitrary User Password Change
Disclosure Date: 2014-12-09
First seen: 2020-04-26
auxiliary/scanner/http/bmc_trackit_passwd_reset
This module exploits a flaw in the password reset mechanism in BMC TrackIt! 11.3 and possibly prior versions. If the password reset service is configured to use a domain administrator (which is the recommended configuration), then domain credentials can be reset (such as domain Administrator).
Authors:
- bperry
- jhart

BMC / Numara Track-It! Domain Administrator and SQL Server User Password Disclosure
Disclosure Date: 2014-10-07
First seen: 2020-04-26
auxiliary/gather/trackit_sql_domain_creds
This module exploits an unauthenticated configuration retrieval .NET remoting service in Numara / BMC Track-It! v9 to v11.X, which can be abused to retrieve the Domain Administrator and the SQL server user credentials. This module has been tested successfully on versions 11.3.0.355, 10.0.51.135, 10.0.50.107, 10.0.0.143 and 9.0.30.248.
Authors:
- Pedro Ribeiro <pedrib@gmail.com>

Numara / BMC Track-It! FileStorageService Arbitrary File Upload
Disclosure Date: 2014-10-07
First seen: 2020-04-26
exploit/windows/http/trackit_file_upload
This module exploits an arbitrary file upload vulnerability in Numara / BMC Track-It! v8 to v11.X. The application exposes the FileStorageService .NET remoting service on port 9010 (9004 for version 8), which accepts unauthenticated uploads. This can be abused by a malicious user to upload an ASP or ASPX file to the web root, leading to arbitrary code execution as NETWORK SERVICE or SYSTEM. This module has been tested successfully on versions 11.3.0.355, 10.0.51.135, 10.0.50.107, 10.0.0.143, 9.0.30.248 and 8.0.2.51.
Authors:
- Pedro Ribeiro <pedrib@gmail.com>

6 Metasploit modules found
Please note: Metasploit modules are only matched by CVE numbers.
Visit the Metasploit web site for more details.