TeamViewer URI SMB exploit (CVE-2020-13699)

[h00die]

This adds an HTTP server which responds to Firefox (all other browsers aren't exploitable) with an iframe that will force TeamViewer to create an SMB connection to a server of our choice. Exploits CVE-2020-13699. This is an unbelievably simple exploit.
I can provide the Teamviewer 15.4.4445 installer binary if needed.

Verification

• Install the application
• Start msfconsole
• Do: use auxiliary/server/teamviewer_uri_smb_redirect
• Do: set SMB_SERVER [IP]
• Do: run
• Start an SMB Capture or Relay server (such as responder)
• Open the URL on the target
• The SMB Server should receive a connection.

@jeffssh FYI.

I also wanted to note I emailed @jeffssh about this exploit with a question. They answered back immediately and were super nice answering my questions, so just wanted to say thanks and show appreciation!

[cdelafuente-r7]

Thanks @h00die for this module. I just left a couple of small comments related to typos in the documentation.

[cdelafuente-r7]

This has been tested against Teamviewer v8.0.16642 and v15.4.4445. Both versions connect to the controlled SMB server as expected.

[h00die]

all done, added 8.0.16642 to the list of confirmed versions as well.

[cdelafuente-r7]

Thank you! I'll go ahead and land it shortly.

[cdelafuente-r7]

Original Release Notes
This adds an exploit targeting an unquoted parameter call within the Teamviewer URI handler to create an SMB connection to an attacker controlled IP. This vulnerability is identified as CVE-2020-13699. By successfully exploiting this, an attacker would be able to capture the NTLM authentication contained in the request to retrieve passwords (hash cracking) or relay it (using a tool like responder) for code execution.

[pbarry-r7]

Release Notes

New module auxiliary/server/teamviewer_uri_smb_redirect targets remote desktop software TeamViewer Desktop for Windows, creating an SMB connection with a vulnerable target via an unquoted parameter call within the
TeamViewer URI handler (CVE-2020-13699).