The dbman.exe module of HP iMC PLAT 7.3, listening on TCP/2810, tries to initiate a restart of some
network services, and while doing so runs NET STOP on an ASN.1 BER encoded IP address. Because of multiple
vulnerabilities within dbman, you can pass a string (BER encoded, with dummy credentials) that is not
properly sanitized (it is treated as an IP address, and only as an IP address). This leaves us to simply close the quote
and escape into being able to fork off any process we want using &. It is important to note that
authentication with dbman is not required to exploit this vulnerability.
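The defensive counterpart to the flaw above, as an added example that is not part of the original post or of HP's code: decode the BER TLV (including the long-form lengths the post later has to generate dynamically) and then accept the value only if it parses as nothing but an IP address, so a quote or an & never reaches a command line. The OCTET STRING tag for the address field is an assumption; the post does not name the exact ASN.1 schema dbman expects.

```python
import ipaddress

OCTET_STRING = 0x04  # assumed tag for the address field; the post does not name it


def ber_encode_tlv(tag: int, value: bytes) -> bytes:
    """Encode one BER TLV with a definite length (short or long form)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def ber_decode_tlv(data: bytes):
    """Decode one BER TLV into (tag, value, remaining bytes).
    Accepts short- and long-form definite lengths; rejects the indefinite
    form and any length that runs past the end of the buffer."""
    if len(data) < 2:
        raise ValueError("truncated TLV header")
    tag, first, pos = data[0], data[1], 2
    if first < 0x80:
        length = first
    elif first == 0x80:
        raise ValueError("indefinite length not allowed")
    else:
        n = first & 0x7F
        if n > 4 or len(data) < pos + n:
            raise ValueError("bad long-form length")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if len(data) < pos + length:
        raise ValueError("value runs past end of buffer")
    return tag, data[pos:pos + length], data[pos + length:]


def extract_ip(data: bytes) -> str:
    """Return the address from the TLV as a canonical string, or raise ValueError.
    ipaddress.ip_address() accepts exactly one IPv4/IPv6 literal and nothing
    else, so quotes, '&' or whitespace cannot pass through to NET STOP."""
    tag, value, _ = ber_decode_tlv(data)
    if tag != OCTET_STRING:
        raise ValueError("unexpected tag 0x%02x" % tag)
    return str(ipaddress.ip_address(value.decode("ascii")))


def is_valid_ip_tlv(data: bytes) -> bool:
    try:
        extract_ip(data)
        return True
    except ValueError:  # UnicodeDecodeError is a ValueError as well
        return False
```

Even a validated address should be passed to the service-control call as its own argument rather than spliced into a shell command string.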
The first problem was generating the opcode and the ASN.1 allocation size dynamically. This can be done
with pack and sprintf in Perl:
The problem needing a little more effort was figuring out what ASN.1 BER encoded data it will accept.
We know it's ASN.1 BER because we can see the calls to the decoding function in OllyDbg.
After trying for days with online BER encoding tools (BER is very dynamic, so getting the data and scheme right
was a bit problematic), it was finally back to the drawing board, and I generated it from Perl like so:
So now we have:
Which will generate our payload, which can be as simple as calc.exe.
It's important to note that when calc pops, it will be running as SYSTEM, which is likely not
your GUI user... but that's good for our purposes.
From here, it's as simple as plugging the reverse shell code into $payload.
Note: This payload only works if the KB976932 service pack and .NET Framework 4.5 are installed on
the exploited host, because of PowerShell requirements.
I ran it through a little data2c_hex.sh program, and added some spaces to get alignment correct.
Which leaves us with the final weaponized version:
SYSTEM level PowerShell reverse shell achieved. Game over.