Add Zenoss <= 3.2.1 exploit and Python payload #651

Merged
merged 3 commits into from Aug 1, 2012


@bcoles
Contributor
bcoles commented Jul 29, 2012
  • modules/exploits/linux/http/zenoss_3.2.1_showdaemonxmlconfig_exec.rb
  • modules/payloads/singles/cmd/unix/reverse_python.rb

Product: Zenoss <= 3.2.1
Homepage: http://www.zenoss.com/
Advisory: http://itsecuritysolutions.org/2012-07-30-zenoss-3.2.1-multiple-security-vulnerabilities/

Zenoss 3.2.1 is distributed as a Virtual Machine image based on
CentOS 2.6.18-164.el5.

The telnet binary is not available so the default payload
`cmd/unix/reverse` will not work.

These payloads will work in the default Zenoss environment:

cmd/unix/bind_perl
cmd/unix/reverse_bash
cmd/unix/reverse_perl
cmd/unix/reverse_python
generic/custom
generic/shell_reverse_tcp

@bcoles bcoles Add Zenoss <= 3.2.1 exploit and Python payload
 - modules/exploits/linux/http/zenoss_3.2.1_showdaemonxmlconfig_exec.rb
 - modules/payloads/singles/cmd/unix/reverse_python.rb
8d3700c
@sempervictus
Contributor

I'll test this week against my old zenoss setup. Now we have three potential python shells to commit.

@wchen-r7

Are you having problems with send_request_cgi()? The content-length header is automatically calculated in that function.

@bcoles bcoles Clean up Zenoss exploit + minor improvements
 - Changed send_request_raw() to send_request_cgi()
 - Removed redundant request headers 'Content-Length'
 - Added rescue error message for connection failures
 - Changed username to the default 'admin' account
bdf8f1a
@bcoles
Contributor
bcoles commented Jul 30, 2012

Just an oversight on my part.

Fixed in commit bdf8f1a

@wchen-r7
Contributor

I'm not seeing the software as a downloadable image... requested an eval and I received nothing. So I'm just gonna ask first:

  • Please rename your file to zenoss_showdaemonxmlconfig_exec.rb. No need to leave version number in the filename.
  • What's "require 'msf/core/handler/reverse_tcp'" for?
  • E-mail format needs to be corrected. Change [dot] to just "."
@bcoles
Contributor
bcoles commented Jul 31, 2012

Source: http://sourceforge.net/projects/zenoss/

  • Fixed in: 4.1.70-1485-x86_64
  • Vulnerable: 3.x to 4.1.70-1482

Tested (Vulnerable)

  • 3.0.3-903-x64
  • 3.2.1-1326-x86_64
  • 4.1.70-1476-x86_64
  • 4.1.70-1482-x86_64

Tested (Not Vulnerable)

  • 2.4.5-380-x86
  • 4.1.70-1485-x86_64
  • 4.1.70-1510-x86_64
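The version ranges above are what an asset owner needs in order to decide which Zenoss hosts still require the vendor fix. The following Ruby is an added example, not code from this pull request or from Metasploit: it parses build strings of the form `<major>.<minor>.<patch>-<build>[-<arch>]` (an assumption based on the strings listed in the comment) and classifies them against the reported boundaries, vulnerable from 3.x up to and including 4.1.70-1482, fixed from 4.1.70-1485. The inventory lines, the host names and the `triage_inventory` helper are constructed for the example.

```ruby
# Added example (not from the pull request or Metasploit): classify a Zenoss
# build string against the ranges reported in the thread:
#   vulnerable: 3.x up to and including 4.1.70-1482
#   fixed:      4.1.70-1485 and later
# Build strings such as "4.1.70-1482-x86_64" are assumed to be
# "<major>.<minor>.<patch>-<build>[-<arch>]"; the arch suffix is optional.

VERSION_RE = /\A(\d+)\.(\d+)\.(\d+)-(\d+)(?:-(\w+))?\z/

# Parse "4.1.70-1482-x86_64" into [4, 1, 70, 1482]. The architecture suffix
# is ignored for comparison. Returns nil for strings of an unexpected shape.
def parse_zenoss_version(str)
  m = VERSION_RE.match(str.strip)
  return nil unless m
  m.captures[0, 4].map(&:to_i)
end

# "3.x" in the report is taken to mean any 3.0.0 build or later (assumption).
FIRST_VULNERABLE = [3, 0, 0, 0].freeze
# "Fixed in: 4.1.70-1485" from the report.
FIRST_FIXED = [4, 1, 70, 1485].freeze

# Returns :vulnerable, :not_vulnerable, or :unknown when the string does not
# parse. Array#<=> compares element-wise, so [4,1,70,1482] sorts before
# [4,1,70,1485] and the build number decides ties on the same release.
def zenoss_status(str)
  v = parse_zenoss_version(str)
  return :unknown if v.nil?
  if (v <=> FIRST_VULNERABLE) >= 0 && (v <=> FIRST_FIXED) < 0
    :vulnerable
  else
    :not_vulnerable
  end
end

# Constructed inventory export, one "<hostname> <version>" pair per line.
SAMPLE_INVENTORY = <<~TXT
  mon-01 3.2.1-1326-x86_64
  mon-02 4.1.70-1485-x86_64
  mon-03 2.4.5-380-x86
  mon-04 not-a-version
TXT

# Map each host in an inventory export to its status; malformed lines are
# skipped, unparseable versions are reported as :unknown so they get looked at.
def triage_inventory(text)
  text.each_line.with_object({}) do |line, out|
    host, ver = line.split
    next if host.nil? || ver.nil?
    out[host] = zenoss_status(ver)
  end
end

if __FILE__ == $PROGRAM_NAME
  triage_inventory(SAMPLE_INVENTORY).each { |host, status| puts "#{host}: #{status}" }
end
```

Running the file prints one line per host; the hosts flagged `:unknown` are the ones whose version string did not match the expected shape and should be checked by hand rather than assumed safe.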
@wchen-r7 wchen-r7 merged commit 2bf0899 into rapid7:master Aug 1, 2012