module

ManageEngine ADSelfService Plus Custom Script Execution

Try Surface Command
Back to search
Disclosed
2022-04-09
Created
2022-04-21

Description

This module exploits the "custom script" feature of ADSelfService Plus. The
feature was removed in build 6122 as part of the patch for CVE-2022-28810.
For purposes of this module, a "custom script" is arbitrary operating system
command execution.

This module uses an attacker provided "admin" account to insert the malicious
payload into the custom script fields. When a user resets their password or
unlocks their account, the payload in the custom script will be executed.
The payload will be executed as SYSTEM if ADSelfService Plus is installed as
a service, which we believe is the normal operational behavior.

This is a passive module because user interaction is required to trigger the
payload. This module also does not automatically remove the malicious code from
the remote target. Use the "TARGET_RESET" operation to remove the malicious
custom script when you are done.

ADSelfService Plus uses default credentials of "admin":"admin"

Authors

Jake Baines
Hernan Diaz
Andrew Iwamaye
Dan Kelley

Platform

Windows

Architectures

cmd

References

Module Options

To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:


    msf > use exploit/windows/http/manageengine_adselfservice_plus_cve_2022_28810
    msf exploit(manageengine_adselfservice_plus_cve_2022_28810) > show targets
        ...targets...
    msf exploit(manageengine_adselfservice_plus_cve_2022_28810) > set TARGET < target-id >
    msf exploit(manageengine_adselfservice_plus_cve_2022_28810) > show options
        ...show and set options...
    msf exploit(manageengine_adselfservice_plus_cve_2022_28810) > exploit
Title
NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today