PG - Algernon

Exploiting CVE-2019-7214 in SmarterMail 16.x via an unauthenticated deserialization vulnerability on port 17001 leading to RCE.

Recon

nmap found several open ports, but the ones that stood out to me were 9998 and 17001.

sudo nmap -Pn -sS -sC -sV -T4 -vvv -p- "$TARGET"

PORT      STATE    SERVICE       REASON          VERSION
21/tcp    open     ftp           syn-ack ttl 125 Microsoft ftpd
80/tcp    open     http          syn-ack ttl 125 Microsoft IIS httpd 10.0
| http-methods:
|_  Supported Methods: GET HEAD OPTIONS
|_http-server-header: Microsoft-IIS/10.0
135/tcp   open     msrpc         syn-ack ttl 125 Microsoft Windows RPC
139/tcp   open     netbios-ssn   syn-ack ttl 125 Microsoft Windows netbios-ssn
290/tcp   filtered unknown       no-response
445/tcp   open     microsoft-ds? syn-ack ttl 125
1496/tcp  filtered liberty-lm    no-response
...[snip]...
5040/tcp  open     unknown       syn-ack ttl 125
...[snip]...
9998/tcp  open     http          syn-ack ttl 125 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-favicon: Unknown favicon MD5: 9D7294CAAB5C2DF4CD916F53653714D5
|_uptime-agent-info: The script encountered an error: Error getting system info
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_  Supported Methods: POST OPTIONS
...[snip]...
17001/tcp open     remoting      syn-ack ttl 125 MS .NET Remoting services
49664/tcp open     msrpc         syn-ack ttl 125 Microsoft Windows RPC
49665/tcp open     msrpc         syn-ack ttl 125 Microsoft Windows RPC
49666/tcp open     msrpc         syn-ack ttl 125 Microsoft Windows RPC
49667/tcp open     msrpc         syn-ack ttl 125 Microsoft Windows RPC
49668/tcp open     msrpc         syn-ack ttl 125 Microsoft Windows RPC
49669/tcp open     msrpc         syn-ack ttl 125 Microsoft Windows RPC
...[snip]...
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

From the scan result, the target appears to be running Windows.

I discovered that FTP allows an anonymous session, but there is no useful information there to help progress on the box.

Port 80 returns a default IIS banner.

Next I looked at HTTP on port 9998, which is hosting a SmarterMail service.

[Screenshot: SmarterMail interface]

Since I don’t have any credentials, I’ll put this on the back burner and move on to port 17001.

The nmap scan identified port 17001 as MS .NET Remoting services. I’ll gather some information about this port.

[Screenshot: Google search result showing a potential RCE]

[Screenshot: CVE details]

Port 17001 is used by SmarterMail. In builds before 6985, it allows an unauthenticated attacker to run commands on the server when port 17001 is remotely accessible.

Since the nmap scan picked up port 17001, I can only assume that it might be vulnerable to CVE-2019-7214.

Exploitation

Shell as nt authority\system

I’ll use this exploit PoC from ExploitDB.

searchsploit -m 49216

Looking at the code, it creates a reverse shell. I’ll modify the IP addresses in the exploit code.

[Screenshot: modifying the exploit code]

I changed HOST to the target machine’s IP and LHOST to my attacker machine’s IP. I left the port at its default.

Before I run the exploit, I’ll run penelope to catch the reverse shell connection.

python3 penelope.py

[Screenshot: penelope listening for the reverse shell]

I’ll run the exploit next.

python3 49216.py

I got the reverse shell as nt authority\system.

[Screenshot: reverse shell as nt authority\system]

This post is licensed under CC BY 4.0 by the author.