PoC details: c66d81d4797dd3387690153de0e636f5ff7a74d1

Source
Related vulnerability
Title: BMC Software BladeLogic Server Automation Suite RSCD Agent security vulnerability (CVE-2016-1542)
Description: BMC BladeLogic Server Automation (BSA) is a solution from the US company BMC Software for automated server management, control and configuration. It supports automated installation and configuration of operating systems across all operating systems as well as virtualization and cloud-computing platforms. The RPC API in the RSCD agent of BMC BSA on Linux and UNIX platforms has a security vulnerability. A remote attacker can exploit it to bypass authentication and enumerate users by sending an action packet to xmlrpc after authentication fails. The following versions are affected: BMC BSA 8.2.x, 8.3.x, 8.5.x, 8.6
Description
BMC Bladelogic RSCD exploits including remote code execution - CVE-2016-1542, CVE-2016-1543, CVE-2016-5063
Introduction
# BMC Bladelogic RSCD remote exploits for Linux and Windows
## Change passwords, list users and remote code execution
Exploiting vulnerabilities in BMC BladeLogic RSCD agent
- CVE-2016-1542 (BMC-2015-0010)
- CVE-2016-1543 (BMC-2015-0011)
- CVE-2016-5063

## Published on exploit-db
- BMC_rexec.py
    - https://www.exploit-db.com/exploits/43902/
- BMC_winUsers.py
    - https://www.exploit-db.com/exploits/43934/

## BMC_rexec.py Overview

This method of remote execution came out of my own research: it is performed over XML-RPC and has only been tested against Windows. The script will hang, but the command should still execute.

![rexec poc](images/BMC_rexec.png)

Nick Bloor has a much better execution exploit using a different technique:
- https://github.com/NickstaDB/PoC/tree/master/BMC_RSCD_RCE
- https://nickbloor.co.uk/2018/01/01/rce-with-bmc-server-automation/
- https://nickbloor.co.uk/2018/01/08/improving-the-bmc-rscd-rce-exploit/
- https://www.tenable.com/plugins/index.php?view=single&id=91947

## BMC_winUsers.py Overview

After some research I was able to pull Windows users from the Windows BMC agent over XML-RPC, so I adapted the getUsers script from ernw/insinuator to make a Windows version (see the following screenshot). I also modified the ernw/insinuator version to make it a dual-platform exploit.

![winUsers poc](images/BMC_winUsers.png)

## Credits

My exploits are adapted from https://github.com/ernw/insinuator-snippets/tree/master/bmc_bladelogic
- https://www.insinuator.net/2016/03/bmc-bladelogic-cve-2016-1542-and-cve-2016-1543/

Thanks to Nick Bloor for the AWS image used for testing.

## Vendor links

- https://docs.bmc.com/docs/ServerAutomation/87/release-notes-and-notices/flashes/notification-of-windows-rscd-agent-vulnerability-in-bmc-server-automation-cve-2016-5063
- https://docs.bmc.com/docs/ServerAutomation/87/release-notes-and-notices/flashes/notification-of-critical-security-issue-in-bmc-server-automation-cve-2016-1542-cve-2016-1543

File snapshot

```text
[4.0K] /data/pocs/c66d81d4797dd3387690153de0e636f5ff7a74d1
├── [4.2K] BMC_changePwd.py
├── [ 10K] BMC_getUsers.py
├── [3.4K] BMC_rexec.py
├── [6.2K] BMC_winUsers.py
├── [4.0K] images
│   ├── [ 54K] BMC_rexec.png
│   └── [ 74K] BMC_winUsers.png
└── [1.9K] README.md

1 directory, 7 files
```