
CVE-2016-1542 PoC — BMC Software BladeLogic Server Automation Suite RSCD Agent Security Vulnerability

Associated Vulnerability
Title: BMC Software BladeLogic Server Automation Suite RSCD Agent Security Vulnerability (CVE-2016-1542)
Description: The RPC API in the RSCD agent in BMC BladeLogic Server Automation (BSA) 8.2.x, 8.3.x, 8.5.x, 8.6.x, and 8.7.x on Linux and UNIX allows remote attackers to bypass authorization and enumerate users by sending an action packet to xmlrpc after an authorization failure.
Description
BMC Bladelogic RSCD exploits including remote code execution - CVE-2016-1542, CVE-2016-1543, CVE-2016-5063
Readme
# BMC Bladelogic RSCD remote exploits for Linux and Windows
## Change passwords, List users and Remote code execution
Exploiting vulnerabilities in BMC BladeLogic RSCD agent
- CVE-2016-1542 (BMC-2015-0010)
- CVE-2016-1543 (BMC-2015-0011)
- CVE-2016-5063

## Published on exploit-db
- BMC_rexec.py
    - https://www.exploit-db.com/exploits/43902/
- BMC_winUsers.py
    - https://www.exploit-db.com/exploits/43934/

## BMC_rexec.py Overview

This method of remote execution is the result of my own research: it is performed over XML-RPC and has only been tested against Windows. The script will hang, but the command should still execute.

![rexec poc](images/BMC_rexec.png)

Nick Bloor has a much better execution exploit using a different technique:
- https://github.com/NickstaDB/PoC/tree/master/BMC_RSCD_RCE
- https://nickbloor.co.uk/2018/01/01/rce-with-bmc-server-automation/
- https://nickbloor.co.uk/2018/01/08/improving-the-bmc-rscd-rce-exploit/
- https://www.tenable.com/plugins/index.php?view=single&id=91947

## BMC_winUsers.py Overview

After some research I was able to pull Windows users from the Windows BMC agent over XML-RPC, so I adapted the getUsers file from ernw/insinuator to make a Windows version (see the following screenshot). I also modified the ernw/insinuator version to make it a dual-platform exploit.

![winUsers poc](images/BMC_winUsers.png)

## Credits

My exploits are adapted from https://github.com/ernw/insinuator-snippets/tree/master/bmc_bladelogic
- https://www.insinuator.net/2016/03/bmc-bladelogic-cve-2016-1542-and-cve-2016-1543/

Thanks to Nick Bloor for the AWS image used for testing.

## Vendor links

- https://docs.bmc.com/docs/ServerAutomation/87/release-notes-and-notices/flashes/notification-of-windows-rscd-agent-vulnerability-in-bmc-server-automation-cve-2016-5063
- https://docs.bmc.com/docs/ServerAutomation/87/release-notes-and-notices/flashes/notification-of-critical-security-issue-in-bmc-server-automation-cve-2016-1542-cve-2016-1543

File Snapshot

[4.0K] /data/pocs/c66d81d4797dd3387690153de0e636f5ff7a74d1
├── [4.2K] BMC_changePwd.py
├── [ 10K] BMC_getUsers.py
├── [3.4K] BMC_rexec.py
├── [6.2K] BMC_winUsers.py
├── [4.0K] images
│   ├── [ 54K] BMC_rexec.png
│   └── [ 74K] BMC_winUsers.png
└── [1.9K] README.md

1 directory, 7 files