Rapid7 Vulnerability & Exploit Database

ManageEngine ADSelfService Plus Custom Script Execution

Disclosed
04/09/2022
Created
04/21/2022

Description

This module exploits the "custom script" feature of ADSelfService Plus. The feature was removed in build 6122 as part of the patch for CVE-2022-28810. For purposes of this module, a "custom script" is arbitrary operating system command execution. This module uses an attacker-provided "admin" account to insert the malicious payload into the custom script fields. When a user resets their password or unlocks their account, the payload in the custom script will be executed. The payload will be executed as SYSTEM if ADSelfService Plus is installed as a service, which we believe is the normal operational behavior.

This is a passive module because user interaction is required to trigger the payload. This module also does not automatically remove the malicious code from the remote target. Use the "TARGET_RESET" operation to remove the malicious custom script when you are done. ADSelfService Plus uses default credentials of "admin":"admin".
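A defender-side triage sketch for the behaviour described above, added here as an example and not part of the Metasploit module or of the original page: it flags builds older than 6122 and process-creation events where a process under the ADSelfService Plus install directory spawned a command interpreter as SYSTEM. Field names follow Sysmon Event ID 1; the install path, process names, interpreter list and sample events are constructed assumptions.

```python
import ntpath

FIXED_BUILD = 6122  # build in which the custom script feature was removed
SYSTEM = "NT AUTHORITY\\SYSTEM"
# Assumption: interpreters worth flagging when spawned by the product.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# Assumed install directory; adjust to the host being reviewed.
INSTALL_DIR = r"C:\ManageEngine\ADSelfService Plus"

# Constructed process-creation events (Sysmon Event ID 1 field names).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\ManageEngine\ADSelfService Plus\jre\bin\java.exe",
     "User": SYSTEM},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"CORP\alice"},
    {"Image": r"C:\ManageEngine\ADSelfService Plus\jre\bin\java.exe",
     "ParentImage": r"C:\ManageEngine\ADSelfService Plus\bin\wrapper.exe",
     "User": SYSTEM},
]


def needs_patch(build):
    """True if the build still ships the custom script feature."""
    return int(build) < FIXED_BUILD


def suspicious_children(events, install_dir=INSTALL_DIR):
    """Return events where a process under install_dir spawned a shell as SYSTEM."""
    root = ntpath.normcase(ntpath.normpath(install_dir)) + "\\"
    hits = []
    for ev in events:
        parent = ntpath.normcase(ntpath.normpath(ev["ParentImage"]))
        child = ntpath.basename(ev["Image"]).lower()
        if (parent.startswith(root) and child in SHELLS
                and ev["User"].upper() == SYSTEM):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    print("build 6121 needs patch:", needs_patch(6121))
    for ev in suspicious_children(SAMPLE_EVENTS):
        print("review:", ev["ParentImage"], "->", ev["Image"], "as", ev["User"])
```

Because the payload only runs when a user resets a password or unlocks an account, hits should be correlated with those self-service events and with any change to the custom script fields or use of the default "admin" account.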

Author(s)

  • Jake Baines
  • Hernan Diaz
  • Andrew Iwamaye
  • Dan Kelley

Platform

Windows

Architectures

cmd

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/http/manageengine_adselfservice_plus_cve_2022_28810
msf exploit(manageengine_adselfservice_plus_cve_2022_28810) > show targets
    ...targets...
msf exploit(manageengine_adselfservice_plus_cve_2022_28810) > set TARGET <target-id>
msf exploit(manageengine_adselfservice_plus_cve_2022_28810) > show options
    ...show and set options...
msf exploit(manageengine_adselfservice_plus_cve_2022_28810) > exploit
