Class: Metasploit::Framework::LoginScanner::ManageEngineDesktopCentral

Inherits:

HTTP

• Object
• HTTP
• Metasploit::Framework::LoginScanner::ManageEngineDesktopCentral

Defined in:

lib/metasploit/framework/login_scanner/manageengine_desktop_central.rb

Constant Summary

DEFAULT_PORT =

8020

PRIVATE_TYPES =

[ :password ]

LOGIN_STATUS =

Shorter name

Metasploit::Model::Login::Status

Constants inherited from HTTP

HTTP::AUTHORIZATION_HEADER, HTTP::DEFAULT_HTTP_NOT_AUTHED_CODES, HTTP::DEFAULT_HTTP_SUCCESS_CODES, HTTP::DEFAULT_REALM, HTTP::DEFAULT_SSL_PORT, HTTP::LIKELY_PORTS, HTTP::LIKELY_SERVICE_NAMES, HTTP::REALM_KEY

Instance Attribute Summary

Attributes inherited from HTTP

#digest_auth_iis, #evade_header_folding, #evade_method_random_case, #evade_method_random_invalid, #evade_method_random_valid, #evade_pad_fake_headers, #evade_pad_fake_headers_count, #evade_pad_get_params, #evade_pad_get_params_count, #evade_pad_method_uri_count, #evade_pad_method_uri_type, #evade_pad_post_params, #evade_pad_post_params_count, #evade_pad_uri_version_count, #evade_pad_uri_version_type, #evade_shuffle_get_params, #evade_shuffle_post_params, #evade_uri_dir_fake_relative, #evade_uri_dir_self_reference, #evade_uri_encode_mode, #evade_uri_fake_end, #evade_uri_fake_params_start, #evade_uri_full_url, #evade_uri_use_backslashes, #evade_version_random_invalid, #evade_version_random_valid, #http_password, #http_success_codes, #http_username, #keep_connection_alive, #kerberos_authenticator_factory, #method, #ntlm_domain, #ntlm_send_lm, #ntlm_send_ntlm, #ntlm_send_spn, #ntlm_use_lm_key, #ntlm_use_ntlmv2, #ntlm_use_ntlmv2_session, #uri, #user_agent, #vhost

Instance Method Summary

• #attempt_login(credential) ⇒ Result

  Attempts to login to MSP.

• #check_setup ⇒ false, String

  Checks if the target is ManageEngine Desktop Central.

• #get_hidden_inputs(res) ⇒ Hash

  Returns the hidden inputs.

• #get_login_state(username, password) ⇒ Hash

  Actually doing the login.

• #get_required_login_items ⇒ Hash

  Returns all the items needed to login.

• #get_sid(res) ⇒ String

  Returns the latest sid from MSP.

Methods inherited from HTTP

#authentication_required?, #send_request

Instance Method Details

#attempt_login(credential) ⇒ Result

Attempts to login to MSP.

Parameters:

• credential (Metasploit::Framework::Credential) —

  The credential object

Returns:

• (Result) —

  A Result object indicating success or failure

# File 'lib/metasploit/framework/login_scanner/manageengine_desktop_central.rb', line 113

def attempt_login(credential)
  result_opts = {
    credential: credential,
    status: LOGIN_STATUS::INCORRECT,
    proof: nil,
    host: host,
    port: port,
    protocol: 'tcp',
    service_name: ssl ? 'https' : 'http',
  }

  begin
    result_opts.merge!(get_login_state(credential.public, credential.private))
  rescue ::Rex::ConnectionError => e
    # Something went wrong during login. 'e' knows what's up.
    result_opts.merge!(status: LOGIN_STATUS::UNABLE_TO_CONNECT, proof: e.message)
  end

  Result.new(result_opts)
end

#check_setup ⇒ false, String

Checks if the target is ManageEngine Desktop Central.

Returns:

• (false) —

  Indicates there were no errors

• (String) —

  a human-readable error message describing why this scanner can’t run

# File 'lib/metasploit/framework/login_scanner/manageengine_desktop_central.rb', line 20

def check_setup
  login_uri = normalize_uri("#{uri}/configurations.do")
  res = send_request({'uri' => login_uri})

  fingerprint = 'ManageEngine Desktop Central'
  if res && res.body.include?(fingerprint)
    return false
  end

  "Unable to locate \"#{fingerprint}\" in body. (Is this really ManageEngine Desktop Central?)"
end

#get_hidden_inputs(res) ⇒ Hash

Returns the hidden inputs

Parameters:

• res (Rex::Proto::Http::Response)

Returns:

• (Hash) —

  Input fields

# File 'lib/metasploit/framework/login_scanner/manageengine_desktop_central.rb', line 48

def get_hidden_inputs(res)
  found_inputs = {}
  res.body.scan(/(<input type="hidden" .+>)/).flatten.each do |input|
    name  = input.scan(/name="(\w+)"/).flatten[0] || ''
    value = input.scan(/value="([\w\.\-]+)"/).flatten[0] || ''
    found_inputs[name] = value
  end
  found_inputs
end

#get_login_state(username, password) ⇒ Hash

Actually doing the login. Called by #attempt_login

Parameters:

• username (String) —

  The username to try

• password (String) —

  The password to try

Returns:

• (Hash) —

  • :status [Metasploit::Model::Login::Status]

  • :proof [String] the HTTP response body

# File 'lib/metasploit/framework/login_scanner/manageengine_desktop_central.rb', line 80

def get_login_state(username, password)
  login_uri = normalize_uri("#{uri}/j_security_check")
  login_items = get_required_login_items

  res = send_request({
    'uri' => login_uri,
    'method' => 'POST',
    'cookie' => login_items['sid'],
    'vars_post' => {
      'j_username' => username,
      'j_password' => password,
      'Button' => 'Sign+in',
      'buildNum' => login_items['buildNum'],
      'clearCacheBuildNum' => login_items['clearCacheBuildNum']
    }
  })

  unless res
    return {:status => LOGIN_STATUS::UNABLE_TO_CONNECT, :proof => res.to_s}
  end

  if res.code == 302
    return {:status => LOGIN_STATUS::SUCCESSFUL, :proof => res.to_s}
  end

  {:status => LOGIN_STATUS::INCORRECT, :proof => res.to_s}
end

#get_required_login_items ⇒ Hash

Returns all the items needed to login

Returns:

• (Hash) —

  Login items

# File 'lib/metasploit/framework/login_scanner/manageengine_desktop_central.rb', line 62

def get_required_login_items
  items = {}
  login_uri = normalize_uri("#{uri}/configurations.do")
  res = send_request({'uri' => login_uri})
  return items unless res
  items.merge!({'sid' => get_sid(res)})
  items.merge!(get_hidden_inputs(res))
  items
end

#get_sid(res) ⇒ String

Returns the latest sid from MSP

Parameters:

• res (Rex::Proto::Http::Response)

Returns:

• (String) —

  The session ID for MSP

# File 'lib/metasploit/framework/login_scanner/manageengine_desktop_central.rb', line 36

def get_sid(res)
  cookies = res.get_cookies
  sid = cookies.scan(/(DCJSESSIONID=\w+);*/).flatten[0] || ''
  sid
end