TrendMicro ServerProtect File Access - Metasploit
This page contains detailed information about how to use the auxiliary/admin/serverprotect/file metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: TrendMicro ServerProtect File Access
Module: auxiliary/admin/serverprotect/file
Source code: modules/auxiliary/admin/serverprotect/file.rb
Disclosure date: -
Last modification time: 2020-05-12 22:15:21 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): 5168
List of CVEs: CVE-2007-6507
This modules exploits a remote file access flaw in the ServerProtect Windows Server RPC service. Please see the action list (or the help output) for more information.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
msf > use auxiliary/admin/serverprotect/file
msf auxiliary(file) > show targets
... a list of targets ...
msf auxiliary(file) > set TARGET target-id
msf auxiliary(file) > show options
... show and set options ...
msf auxiliary(file) > exploit
Required Options
- RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
Go back to menu.
Msfconsole Usage
Here is how the admin/serverprotect/file auxiliary module looks in the msfconsole:
msf6 > use auxiliary/admin/serverprotect/file
msf6 auxiliary(admin/serverprotect/file) > show info
Name: TrendMicro ServerProtect File Access
Module: auxiliary/admin/serverprotect/file
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
toto
Available actions:
Name Description
---- -----------
delete Delete a file
download Download a file
list List files (not recommended - will crash the driver)
upload Upload a file
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
LPATH no The local filesystem path
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPATH no The remote filesystem path
RPORT 5168 yes The target port (TCP)
Description:
This modules exploits a remote file access flaw in the ServerProtect
Windows Server RPC service. Please see the action list (or the help
output) for more information.
References:
https://nvd.nist.gov/vuln/detail/CVE-2007-6507
OSVDB (44318)
http://www.zerodayinitiative.com/advisories/ZDI-07-077
Module Options
This is a complete list of options available in the admin/serverprotect/file auxiliary module:
msf6 auxiliary(admin/serverprotect/file) > show options
Module options (auxiliary/admin/serverprotect/file):
Name Current Setting Required Description
---- --------------- -------- -----------
LPATH no The local filesystem path
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPATH no The remote filesystem path
RPORT 5168 yes The target port (TCP)
Advanced Options
Here is a complete list of advanced options supported by the admin/serverprotect/file auxiliary module:
msf6 auxiliary(admin/serverprotect/file) > show advanced
Module advanced options (auxiliary/admin/serverprotect/file):
Name Current Setting Required Description
---- --------------- -------- -----------
CHOST no The local client address
CPORT no The local client port
ConnectTimeout 10 yes Maximum number of seconds to establish a TCP connection
DCERPC::ReadTimeout 300 yes The number of seconds to wait for DCERPC responses
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCipher no String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH"
SSLVerifyMode PEER no SSL verification method (Accepted: CLIENT_ONCE, FAIL_IF_NO_PEER_CERT, NONE, PEER)
SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the admin/serverprotect/file module can do:
msf6 auxiliary(admin/serverprotect/file) > show actions
Auxiliary actions:
Name Description
---- -----------
delete Delete a file
download Download a file
list List files (not recommended - will crash the driver)
upload Upload a file
Evasion Options
Here is the full list of possible evasion options supported by the admin/serverprotect/file auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(admin/serverprotect/file) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
DCERPC::fake_bind_multi true no Use multi-context bind calls
DCERPC::fake_bind_multi_append 0 no Set the number of UUIDs to append the target
DCERPC::fake_bind_multi_prepend 0 no Set the number of UUIDs to prepend before the target
DCERPC::max_frag_size 4096 yes Set the DCERPC packet fragmentation size
DCERPC::smb_pipeio rw no Use a different delivery method for accessing named pipes (Accepted: rw, trans)
TCP::max_send_size 0 no Maxiumum tcp segment size. (0 = disable)
TCP::send_delay 0 no Delays inserted before every send. (0 = disable)
Go back to menu.
Error Messages
This module may fail with the following error messages:
- The <NAME> parameter is required by this option
- Unknown action <ACTION.NAME>
- An unknown error occurred while calling FindFirstFile.
- An error occurred while calling FindFirstFile <ARGS:0>: <RET>.
- An unknown error occurred while calling FindFirstFile.
- An error occurred while deleting <ARGS:0>: <RET>.
- An unknown error occurred while calling CreateFile.
- An error occurred while calling CreateFile: <RET>.
- An unknown error occurred while calling ReadFile.
- An error occurred while calling CreateFile: <RET>.
- An unknown error occurred while calling WriteFile.
- An error occurred while calling WriteFile: <RET>.
- An unknown error occurred while calling CloseHandle.
- An error occurred while calling CloseHandle: <RET>.
- Error: <E>
Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.
The <NAME> parameter is required by this option
Here is a relevant code snippet related to the "The <NAME> parameter is required by this option" error message:
54: ])
55: end
56:
57: def check_option(name)
58: if(not datastore[name])
59: raise RuntimeError, "The #{name} parameter is required by this option"
60: end
61: end
62:
63: def auxiliary_commands
64: {
Unknown action <ACTION.NAME>
Here is a relevant code snippet related to the "Unknown action <ACTION.NAME>" error message:
84: cmd_delete(datastore['RPATH'])
85: when 'list'
86: check_option('RPATH')
87: cmd_list(datastore['RPATH'])
88: else
89: print_error("Unknown action #{action.name}")
90: end
91: end
92:
93: def deunicode(str)
94: str.gsub(/\x00/, '').strip
An unknown error occurred while calling FindFirstFile.
Here is a relevant code snippet related to the "An unknown error occurred while calling FindFirstFile." error message:
112: # FindFirstFile
113: resp = serverprotect_rpccmd(131080, data, 0x100)
114: return if not resp
115:
116: if resp.length != 0x108
117: print_error("An unknown error occurred while calling FindFirstFile.")
118: return
119: end
120:
121:
122: ret, = resp[0x104,4].unpack('V')
An error occurred while calling FindFirstFile <ARGS:0>: <RET>.
Here is a relevant code snippet related to the "An error occurred while calling FindFirstFile <ARGS:0>: <RET>." error message:
119: end
120:
121:
122: ret, = resp[0x104,4].unpack('V')
123: if ret != 0
124: print_error("An error occurred while calling FindFirstFile #{args[0]}: #{ret}.")
125: return
126: end
127:
128: handle, = resp[4,4].unpack('V')
129:
An unknown error occurred while calling FindFirstFile.
Here is a relevant code snippet related to the "An unknown error occurred while calling FindFirstFile." error message:
137: # FindNextFile
138: resp = serverprotect_rpccmd(131081, data, 0x100)
139: return if not resp
140:
141: if resp.length != 0x108
142: print_error("An unknown error occurred while calling FindFirstFile.")
143: break
144: end
145:
146: ret, = resp[0x104,4].unpack('V')
147: if ret != 0
An error occurred while deleting <ARGS:0>: <RET>.
Here is a relevant code snippet related to the "An error occurred while deleting <ARGS:0>: <RET>." error message:
174: ret, = resp[8,4].unpack('V')
175:
176: if ret == 0
177: print_good("File #{args[0]} successfully deleted.")
178: else
179: print_error("An error occurred while deleting #{args[0]}: #{ret}.")
180: end
181: end
182:
183: end
184:
An unknown error occurred while calling CreateFile.
Here is a relevant code snippet related to the "An unknown error occurred while calling CreateFile." error message:
257:
258: resp = serverprotect_rpccmd(131073, data, 540)
259: return if not resp
260:
261: if (resp.length < 548)
262: print_error("An unknown error occurred while calling CreateFile.")
263: return 0
264: else
265: handle, = resp[4,4].unpack('V')
266: ret, = resp[544,4].unpack('V')
267:
An error occurred while calling CreateFile: <RET>.
Here is a relevant code snippet related to the "An error occurred while calling CreateFile: <RET>." error message:
264: else
265: handle, = resp[4,4].unpack('V')
266: ret, = resp[544,4].unpack('V')
267:
268: if ret != 0
269: print_error("An error occurred while calling CreateFile: #{ret}.")
270: return 0
271: else
272: return handle
273: end
274: end
An unknown error occurred while calling ReadFile.
Here is a relevant code snippet related to the "An unknown error occurred while calling ReadFile." error message:
281:
282: resp = serverprotect_rpccmd(131075, data, 4104)
283: return if not resp
284:
285: if (resp.length != 4112)
286: print_error("An unknown error occurred while calling ReadFile.")
287: return ''
288: else
289: ret, = resp[4108,4].unpack('V')
290:
291: if ret != 0
An error occurred while calling CreateFile: <RET>.
Here is a relevant code snippet related to the "An error occurred while calling CreateFile: <RET>." error message:
287: return ''
288: else
289: ret, = resp[4108,4].unpack('V')
290:
291: if ret != 0
292: print_error("An error occurred while calling CreateFile: #{ret}.")
293: return ''
294: else
295: br, = resp[4104, 4].unpack('V')
296: return resp[8, br]
297: end
An unknown error occurred while calling WriteFile.
Here is a relevant code snippet related to the "An unknown error occurred while calling WriteFile." error message:
307:
308: resp = serverprotect_rpccmd(131076, data, 4104)
309: return if not resp
310:
311: if (resp.length != 4112)
312: print_error("An unknown error occurred while calling WriteFile.")
313: return 0
314: else
315: ret, = resp[4108,4].unpack('V')
316:
317: if ret != 0
An error occurred while calling WriteFile: <RET>.
Here is a relevant code snippet related to the "An error occurred while calling WriteFile: <RET>." error message:
313: return 0
314: else
315: ret, = resp[4108,4].unpack('V')
316:
317: if ret != 0
318: print_error("An error occurred while calling WriteFile: #{ret}.")
319: return 0
320: end
321: end
322:
323: return 1
An unknown error occurred while calling CloseHandle.
Here is a relevant code snippet related to the "An unknown error occurred while calling CloseHandle." error message:
329:
330: resp = serverprotect_rpccmd(131074, data, 4)
331: return if not resp
332:
333: if (resp.length != 12)
334: print_error("An unknown error occurred while calling CloseHandle.")
335: else
336: ret, = resp[8,4].unpack('V')
337:
338: if ret != 0
339: print_error("An error occurred while calling CloseHandle: #{ret}.")
An error occurred while calling CloseHandle: <RET>.
Here is a relevant code snippet related to the "An error occurred while calling CloseHandle: <RET>." error message:
334: print_error("An unknown error occurred while calling CloseHandle.")
335: else
336: ret, = resp[8,4].unpack('V')
337:
338: if ret != 0
339: print_error("An error occurred while calling CloseHandle: #{ret}.")
340: end
341: end
342: end
343:
344:
Error: <E>
Here is a relevant code snippet related to the "Error: <E>" error message:
387:
388: outp
389:
390: rescue ::Interrupt
391: raise $!
392: rescue ::Exception => e
393: print_error("Error: #{e}")
394: nil
395: end
396: end
397: end
Go back to menu.
Related Pull Requests
- #13443 Merged Pull Request: Add descriptions to auxiliary modules Actions
- #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
- #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
- #7338 Merged Pull Request: Relocate Rex::Platform:Windows content (fixes MS-1714)
- #6812 Merged Pull Request: Resolve #6807, remove all OSVDB references.
- #6655 Merged Pull Request: use MetasploitModule as a class name
- #6648 Merged Pull Request: Change metasploit class names
- #2560 Merged Pull Request: ZDI references for reference.rb
- #2525 Merged Pull Request: Change module boilerplate
- #1228 Merged Pull Request: MSFTIDY cleanup #1 - auxiliary
References
- CVE-2007-6507
- OSVDB (44318)
- ZDI-07-077
See Also
Check also the following modules related to this module:
- auxiliary/admin/webmin/file_disclosure
- auxiliary/scanner/http/file_same_name_dir
- auxiliary/scanner/redis/file_upload
- exploit/windows/http/file_sharing_wizard_seh
- exploit/windows/novell/file_reporter_fsfui_upload
- post/windows/gather/file_from_raw_ntfs
- auxiliary/admin/http/axigen_file_access
- auxiliary/admin/http/contentkeeper_fileaccess
- auxiliary/admin/http/jboss_deploymentfilerepository
- auxiliary/admin/http/limesurvey_file_download
- auxiliary/admin/http/manageengine_file_download
- auxiliary/admin/http/netflow_file_download
- auxiliary/admin/http/nexpose_xxe_file_read
- auxiliary/admin/http/novell_file_reporter_filedelete
- auxiliary/admin/http/sysaid_file_download
- auxiliary/admin/http/ulterius_file_download
- auxiliary/admin/http/webnms_file_download
- auxiliary/admin/mssql/mssql_sql_file
- auxiliary/admin/pop2/uw_fileretrieval
- auxiliary/admin/postgres/postgres_readfile
- auxiliary/admin/smb/check_dir_file
- auxiliary/admin/smb/delete_file
- auxiliary/admin/smb/download_file
- auxiliary/admin/smb/upload_file
- auxiliary/admin/sunrpc/solaris_kcms_readfile
- auxiliary/admin/webmin/edit_html_fileaccess
- auxiliary/dos/sap/sap_soap_rfc_eps_delete_file
- auxiliary/scanner/http/backup_file
- auxiliary/scanner/http/copy_of_file
- auxiliary/scanner/http/prev_dir_same_name_file
- auxiliary/scanner/printer/printer_delete_file
- auxiliary/scanner/printer/printer_download_file
- auxiliary/scanner/printer/printer_upload_file
- auxiliary/scanner/snmp/cisco_upload_file
Related Nessus plugins:
Authors
- toto
Version
This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.