Adding Module MailCleaner Remote Code Execution Module #11148
Hi, @mmetince! Welcome back. :P
Looks like latest update made
@mmetince: It sounds like you're in @jrobles-r7's very capable hands now. Thanks!
Hi @mmetince -- I'm assuming there hasn't been any coordinated vuln disclosure (CVD) on this, so I'm going to clue the vendor in and see about securing a CVE from DWF at https://iwantacve.org/ (since it's open source software), using this PR as a reference. Cool with you, I assume? In the future, if you'd like to play along with CVD and maybe /not/ drop 0day on unsuspecting users, I would be happy to help disclose this stuff on your behalf per Rapid7's disclosure policy. Your bug, your choice, of course, but limiting surprises like this is usually more neighborly. :)
Hi @todb-r7, it's cool ofc. I fully understand what you are saying. I would like to share my thoughts regarding the 0day disclosure case like this one. Every single one of my research is like; focus on technical details, find 0day, prepare write-up and msf modules and then report it to the vendor. When the vulnerability requires authentication and the vendor didn't rapidly respond, I go with full disclosure because I don't want to go back to the project after a couple of weeks/months. It's like a waste of time when you try to remember all the technical stuff that you've done before (product installation steps etc etc, msf landing process which requires lots of changes, thanks to pple @wvu-r7 🙏). Cheers,
{ | ||
'SSL' => true, | ||
'WfsDelay' => 5, | ||
'Payload' => 'python/meterpreter/reverse_tcp' |
Move to the target with python
'Payload' => 'python/meterpreter/reverse_tcp' |
'WfsDelay' => 5, | ||
'Payload' => 'python/meterpreter/reverse_tcp' | ||
}, | ||
'Platform' => ['unix'], |
Each target specifies its platform. This can be removed.
'Platform' => ['unix'], |
I would add all the platforms to the top-level Platform. Same for Arch. Otherwise they won't display in info. Someone can fix that if they want.
msf5 exploit(linux/http/mailcleaner_exec) > git diff
[*] exec: git diff
diff --git a/modules/exploits/linux/http/mailcleaner_exec.rb b/modules/exploits/linux/http/mailcleaner_exec.rb
index 361cbeab8a..cf92c85b10 100644
--- a/modules/exploits/linux/http/mailcleaner_exec.rb
+++ b/modules/exploits/linux/http/mailcleaner_exec.rb
@@ -33,8 +33,8 @@ class MetasploitModule < Msf::Exploit::Remote
'WfsDelay' => 5,
'Payload' => 'python/meterpreter/reverse_tcp'
},
- 'Platform' => ['unix'],
- 'Arch' => [ ARCH_PYTHON, ARCH_CMD ],
+ #'Platform' => ['unix'],
+ #'Arch' => [ ARCH_PYTHON, ARCH_CMD ],
'Targets' =>
[
[
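Review bot: The two changed lines (36 and 37 of the new file) comment out 'Platform' and 'Arch' rather than keeping them populated, and the info output that follows shows both fields empty as a result. Keep the keys active at the top level and list every platform and architecture the targets declare, and do not leave commented-out metadata in the module.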
msf5 exploit(linux/http/mailcleaner_exec) > info
[snip]
Platform:
Arch:
[snip]
msf5 exploit(linux/http/mailcleaner_exec) >
Is it okay to leave the 'targets' section as it is and add all the platforms to the top-level platforms, something like the following?
'Platform' => ['python', 'unix'],
'Arch' => [ ARCH_PYTHON, ARCH_CMD ],
'Targets' =>
  [
    [
      'Python payload',
      {
        'Platform' => 'python',
        'Arch' => ARCH_PYTHON,
      }
    ],
    [
      'Command payload',
      {
        'Platform' => 'unix',
        'Arch' => ARCH_CMD,
        'Payload' =>
          {
            'BadChars' => "\x26",
          }
      }
    ]
  ],
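A consistency check for the metadata layout discussed in the review comments above, as an added example that is not part of this PR or of Metasploit itself. The `ARCH_*` values are stand-ins for the framework constants, `MODULE_INFO` is constructed from the snippet in the thread, and `missing_top_level` is a hypothetical helper name.

```ruby
# Stand-ins for Metasploit's architecture constants (assumed values so this
# sketch runs outside the framework).
ARCH_PYTHON = 'python'
ARCH_CMD    = 'cmd'

# Constructed metadata mirroring the layout proposed in the thread.
MODULE_INFO = {
  'Platform' => ['python', 'unix'],
  'Arch'     => [ARCH_PYTHON, ARCH_CMD],
  'Targets'  => [
    ['Python payload', { 'Platform' => 'python', 'Arch' => ARCH_PYTHON }],
    ['Command payload', {
      'Platform' => 'unix',
      'Arch'     => ARCH_CMD,
      'Payload'  => { 'BadChars' => "\x26" }
    }]
  ]
}.freeze

# Hypothetical helper: for 'Platform' and 'Arch', collect every value the
# targets declare and return those the top-level key does not list. Per the
# review comment, such values would not be displayed by `info`.
def missing_top_level(info)
  %w[Platform Arch].each_with_object({}) do |key, gaps|
    top  = Array(info[key]).map(&:to_s)
    used = info.fetch('Targets', [])
               .flat_map { |_name, opts| Array(opts[key]) }
               .map(&:to_s)
               .uniq
    absent = used - top
    gaps[key] = absent unless absent.empty?
  end
end

if $PROGRAM_NAME == __FILE__
  # Layout before the review: top-level Platform only listed 'unix'.
  before = MODULE_INFO.merge('Platform' => ['unix'])
  puts "before review: #{missing_top_level(before)}"
  puts "as proposed:   #{missing_top_level(MODULE_INFO)}"
end
```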
Co-Authored-By: mmetince <mmetince@users.noreply.github.com>
ping
pong! I believe Jacob is actively working on this PR, so no worries, this will be landed :-)
Tested on MailCleaner Community Edition
Release Notes
The mailcleaner_exec exploit module has been added to the framework. This exploits an authenticated command injection vulnerability in the MailCleaner Community Edition product.
See PR rapid7#11148 This adds the new CVE assigned by DWF for this vulnerability. Note that [CVE-2018-10933](https://www.cvedetails.com/cve/CVE-2018-10933/) describes a vulnerability in libssh, but this one describes the issue as it pertains to MailCleaner specifically.
Hi fellas 🎉
This module exploits the command injection vulnerability of MailCleaner Community Edition product. An authenticated user can execute an operating system command under the context of the web server user which is root.
Verification
List the steps needed to make sure this thing works
msfconsole
use exploit/linux/http/mailcleaner
RHOST
LHOST
USERNAME
PASSWORD
exploit
Awesome..! Authenticated.
meterpreter session.
Technical Details and MSF Module in Asciinema
https://pentest.blog/advisory-mailcleaner-community-edition-remote-code-execution/