AndrewHaxalot

Ability Mail Server 2013 - Password Reset CSRF Stored XSS

Jan 28th, 2014
*On one machine (Windows Server 2003), install a new instance of AMS with these configurations*

1. Primary Domain: hack.local
2. Enable the WebMail Service
3. Domain Name: hack.local
4. Add a User and set Password. In this case I created a user named victim, with a password of victim
5. Finish installation


*On an instance of Kali*

1. Open a web browser and navigate to AMS WebMail Login
2. Log in as the user victim
3. Go to Options -> Advanced Options
4. Verify that the Password Resetting section is blank
5. Start Apache and place csrf-password_reset.js in /var/www/ability
6. As a sanity check, try to navigate to csrf-password_reset.js to make sure you can access it, i.e. 192.168.1.1/ability/csrf-password_reset.js
7. Update resetpassword.py with the IP addresses of the server running AMS and the Kali attack machine. If the user/password account you created in AMS is different, update that information here as well.
8. Run the script by typing "python resetpassword.py"
9. Go back to your web browser; you should notice that victim now has an email
10. Open the email
11. You should observe an alert box that says, Password Reset!
12. Click OK
13. Go to Options -> Advanced Options
14. Verify that the Password Resetting section is now populated with the question and answer set to hacked
15. Log out of AMS
16. Click on Return to Login Page
17. Click on Forgot your password?
18. Enter an email address of victim@hack.local
19. Enter an answer of hacked and set a new password (you can leave zip code and telephone number blank)
20. Click on Return to Login Page
21. Log in as user victim with the password you have chosen
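
Defender-side check, added here as an example and not part of the original paste or its proof-of-concept files: a scan of inbound mail for HTML parts carrying active content, the kind of body that would make a webmail client run script when the message is opened. The sample message is constructed, and its body is an assumption; only the script URL is taken from the steps above.

```python
from email import message_from_string
from html.parser import HTMLParser

# Constructed sample message; the HTML body is assumed, not taken from the paste.
SAMPLE = (
    "From: sender@example.test\r\n"
    "To: victim@hack.local\r\n"
    "Subject: constructed sample\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    '<p>hi</p><script src="http://192.168.1.1/ability/csrf-password_reset.js"></script>\r\n'
)


class ActiveContentFinder(HTMLParser):
    """Collects HTML constructs that can run script when a mail is rendered."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe", "object", "embed"):
            self.findings.append(("tag", tag, dict(attrs).get("src") or ""))
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):  # inline event handlers such as onerror
                self.findings.append(("handler", name, value))
            elif name in ("href", "src") and value.strip().lower().startswith("javascript:"):
                self.findings.append(("js-url", name, value))


def scan_message(raw):
    """Return active-content findings for every text/html part of a raw message."""
    findings = []
    for part in message_from_string(raw).walk():
        if part.get_content_type() != "text/html":
            continue
        payload = part.get_payload(decode=True) or b""
        try:
            html = payload.decode(part.get_content_charset() or "utf-8", errors="replace")
        except LookupError:  # unknown charset label in the header
            html = payload.decode("utf-8", errors="replace")
        finder = ActiveContentFinder()
        finder.feed(html)
        finder.close()
        findings.extend(finder.findings)
    return findings
```

A non-empty result is a reason to quarantine the message or strip the flagged markup before it reaches the webmail view; it does not replace output encoding in the webmail itself or an anti-CSRF token on the password-reset settings form.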

Proof of Concept Files:
http://www.exploit-db.com/sploits/31221.tar.gz