Rapid7 Vulnerability & Exploit Database

BMC Patrol Agent Privilege Escalation Cmd Execution

Back to Search

BMC Patrol Agent Privilege Escalation Cmd Execution



This module leverages the remote command execution feature provided by the BMC Patrol Agent software. It can also be used to escalate privileges on Windows hosts as the software runs as SYSTEM but only verfies that the password of the provided user is correct. This also means if the software is running on a domain controller, it can be used to escalate from a normal domain user to domain admin as SYSTEM on a DC is DA. **WARNING** The windows version of this exploit uses powershell to execute the payload. The powershell version tends to timeout on the first run so it may take multiple tries.


  • b0yd




Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/multi/misc/bmc_patrol_cmd_exec
msf exploit(bmc_patrol_cmd_exec) > show targets
msf exploit(bmc_patrol_cmd_exec) > set TARGET < target-id >
msf exploit(bmc_patrol_cmd_exec) > show options
    ...show and set options...
msf exploit(bmc_patrol_cmd_exec) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security