mirror of https://github.com/rapid7/metasploit-framework synced 2024-07-18 18:31:41 +02:00
metasploit-framework/data/exploits/CVE-2021-38648
- cve_2021_38648.py (last commit: "Update the Python exploit code to fix a bug", 2021-11-02 10:10:18 -04:00)
- README.md (last commit: "Update the Python exploit code to fix a bug", 2021-11-02 10:10:18 -04:00)

# CVE-2021-38648 Microsoft OMI Management Interface Authentication Bypass

This is a local privilege escalation (LPE) exploit for CVE-2021-38648.

## Usage

```
usage: cve_2021_38648.py [-h] [-s SOCKET_PATH] [--timeout TIMEOUT] command

positional arguments:
  command               the command to run

optional arguments:
  -h, --help            show this help message and exit
  -s SOCKET_PATH, --socket SOCKET_PATH
                        socket file
  --timeout TIMEOUT     response timeout
```

The exploit exits with a status of 0 on success. The command is limited to 256 characters in length because the messages that are exchanged are hardcoded. To raise this limit, generate a new series of messages using the strace command below, search its output for the second writev syscall and extract each iovec instance. There should be six in total, and the first 4 bytes of each should be consistent.

The hardcoded messages were recovered using:

```
strace -v -s 5000 -f -xx -e trace=socket,connect,write,writev,close \
  /opt/omi/bin/omicli iv root/scx { SCX_OperatingSystem } ExecuteShellCommand { command '...' timeout 0 }
```

It is important that the exploit waits on the socket for a response to be received. The response does not need to be read, but the socket must be kept open until either the server closes it or the response is received.