CVE-2016-1542 PoC — BMC Software BladeLogic Server Automation Suite RSCD Agent Security Vulnerability

Associated Vulnerability
Title: BMC Software BladeLogic Server Automation Suite RSCD Agent Security Vulnerability (CVE-2016-1542)
Description: BMC BladeLogic Server Automation (BSA) is a solution from the US company BMC Software for automated management, control and configuration of servers. It supports automated installation and configuration of operating systems across all operating systems as well as virtualization and cloud computing platforms. The RPC API in the RSCD agent of BMC BSA on Linux and UNIX platforms has a security vulnerability. A remote attacker can exploit it to bypass authentication and enumerate users by sending an action packet to xmlrpc after a failed authentication. The following versions are affected: BMC BSA 8.2.x, 8.3.x, 8.5.x, 8.6
Description
A rebuilt version of the exploit for CVE-2016-1542 and CVE-2016-1543 from insinuator.net
Readme
# bladelogic_bmc-cve-2016-1542
A rebuilt version of the exploit for CVE-2016-1542 and CVE-2016-1543 from insinuator.net (https://insinuator.net/2016/03/bmc-bladelogic-cve-2016-1542-and-cve-2016-1543/)

I recently came across systems vulnerable to this CVE in a recent penetration test and found exploits from insinuator; however, for unknown reasons (a change in Python requests functionality in newer versions?) the exploit wasn't working properly.

XMLRPC communication with the RSCD agent is done by:
- Connecting to the agent on port 4750 and sending "TLSRPC" in cleartext
- Setting up an SSL session
- Sending all subsequent data through the established SSL session

The insinuator PoC code tries to do this by setting up an SSL-wrapped socket and then having `urllib3` use it, but some of that functionality seems to have changed in later versions. Looking around I found [this stackoverflow post](http://stackoverflow.com/questions/40722024/using-pythons-requests-module-with-an-pre-existing-socket) with code that seems oddly familiar. :)

The answer there was to use a custom transport adapter. Actually doing this was surprisingly complex (to me at least) for just being able to send 7 characters of cleartext before establishing an SSL connection, so I thought I might as well share what I came up with. Hopefully it works for others as well.
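The handshake described above (a cleartext "TLSRPC" preamble on port 4750, then a TLS session) is also what a defender can look for in network telemetry. The following is an added example, not code from the repository or from insinuator: it classifies captured TCP flows by their first client bytes so that RSCD agent sessions can be inventoried and stray probes (preamble with no TLS handshake) can be flagged. The flow records, byte strings and the TLS ClientHello heuristic (handshake record type 0x16, record version 3.x, message type 1) are constructed for this example; the port number and preamble come from the README.

```python
"""Classify TCP flows as RSCD-agent "TLSRPC" sessions from their first client bytes.

Added example, not part of the PoC repository. The flow records and payloads
below are constructed sample data; the port and the "TLSRPC" preamble are the
values given in the README.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List

RSCD_DEFAULT_PORT = 4750      # default RSCD agent port (README)
RSCD_PREAMBLE = b"TLSRPC"     # cleartext marker sent before the TLS handshake


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    client_bytes: bytes       # client->server payload, concatenated in order


def looks_like_tls_client_hello(data: bytes) -> bool:
    """Heuristic (assumption of this example): a TLS record header of type
    handshake (0x16) with major version 3, whose first handshake message is
    ClientHello (type 1). Record header is 5 bytes, so the message type is
    at offset 5."""
    return len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01


def classify_flow(flow: Flow) -> str:
    """Label a flow by the two-step RSCD framing:
       'rscd-tlsrpc'    preamble immediately followed by a TLS ClientHello
       'preamble-only'  preamble seen but no TLS handshake followed (probe?)
       'tls-direct'     TLS without the preamble (not RSCD framing)
       'other'          anything else"""
    data = flow.client_bytes
    if data.startswith(RSCD_PREAMBLE):
        rest = data[len(RSCD_PREAMBLE):]
        return "rscd-tlsrpc" if looks_like_tls_client_hello(rest) else "preamble-only"
    if looks_like_tls_client_hello(data):
        return "tls-direct"
    return "other"


def rscd_alerts(flows: Iterable[Flow]) -> List[str]:
    """Produce one line per flow worth a second look: every RSCD session
    (noting agents reachable on a non-default port) and every bare preamble."""
    alerts = []
    for f in flows:
        label = classify_flow(f)
        if label == "rscd-tlsrpc":
            where = ("default port" if f.dport == RSCD_DEFAULT_PORT
                     else f"non-default port {f.dport}")
            alerts.append(f"RSCD TLSRPC session {f.src} -> {f.dst}:{f.dport} ({where})")
        elif label == "preamble-only":
            alerts.append(f"RSCD preamble without TLS handshake {f.src} -> {f.dst}:{f.dport} (probe?)")
    return alerts


def summarize(flows: Iterable[Flow]) -> Counter:
    """Count flows per label, e.g. for a daily inventory of agent traffic."""
    return Counter(classify_flow(f) for f in flows)


# Constructed sample data: an 11-byte TLS ClientHello prefix (record header +
# handshake header + client version) padded with zeros, and five flows.
TLS_HELLO_PREFIX = bytes.fromhex("160301002a010000260303") + bytes(32)
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "10.0.1.20", 4750, RSCD_PREAMBLE + TLS_HELLO_PREFIX),   # normal agent session
    Flow("10.0.0.5", "10.0.1.21", 4750, RSCD_PREAMBLE),                      # preamble, then nothing
    Flow("10.0.0.9", "10.0.1.22", 443, TLS_HELLO_PREFIX),                    # ordinary HTTPS
    Flow("10.0.0.9", "10.0.1.23", 4750, b"GET / HTTP/1.1\r\n"),              # wrong protocol on 4750
    Flow("10.0.0.5", "10.0.1.24", 14750, RSCD_PREAMBLE + TLS_HELLO_PREFIX),  # agent on non-default port
]

if __name__ == "__main__":
    for line in rscd_alerts(SAMPLE_FLOWS):
        print(line)
    print(dict(summarize(SAMPLE_FLOWS)))
```

Feeding real flows means extracting the first client-to-server bytes per TCP connection from a capture or a flow collector that keeps an initial payload sample; matching on the preamble rather than only on port 4750 is what makes agents listening on other ports show up in the inventory.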
File Snapshot

[4.0K] /data/pocs/01b0f5798bf6feea5cee3df911bd09d2a28d12d3
├── [4.9K] getUsers.py
├── [1.3K] README.md
└── [2.3K] RSCDAdapter.py

0 directories, 3 files