Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

CVE-2019-10149 PoC — Exim 操作系统命令注入漏洞

Source
https://github.com/Brets0150/StickyExim
Associated Vulnerability
Title:Exim 操作系统命令注入漏洞 (CVE-2019-10149)
Description:A flaw was found in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to remote command execution.
Description
Exim Honey Pot for CVE-2019-10149 exploit attempts.
Readme

# StickyExim
![](https://bretstaton.com/images/article_images/exim_attack/StickyEximLogo.png)

An Email HoneyPot
=============

## Features
- Easy to deploy.  The install scripts does all the work.
- Abuse report are atomaticlly created and sent to the attacking IP owner.
- Abuse reports are stored with a hash at time of creation incase needed later.

----
## Requirements

- Domain names.
	- One real domain you use for normal email. Example: myrealdomain.com
	- One domain for the HoneyPot(s). Example: myhoneydomain.com
- DNS record control.
	- Add a Wild card for all subdomains of  myhoneydomain.com to point to the IP of mail server for domain myrealdomain.com.
	In Bind this would look like "*.myhoneydomain.com.    IN      A       1.1.1.1."

- Another Mail Server
	- Anything will work. You can just use your normal email server; there is no special requirements. This is just to receive emails at.
	- Make "myhoneydomain.com" and "log.myhoneydomain.com" Domain Alias for "myrealdomain.com"
	- Create the account "abuse@myrealdomain.com".

- Debain 9
	- May work with other Debain version, but all testing was done in version 9.
----
### Install
---
```shell
apt update ; apt install -y git
git clone https://github.com/Brets0150/StickyExim.git
cd ./StickyExim/
chmod +x *.sh
./install_StickyExim.sh <DomainNameUsedForHoneyPot> <ExternalEmailAddressToSendTestEmailTo>
```
##### Example:

```shell
./install_StickyExim.sh  "definitelynotahoneypot.com" "me@myreal-email.com"
```

After the install, a test email will be sent to the email address you provided above. If you do not get a email, check the mail log(/var/log/exim4/maillog).

----
### Configure
```shell
nano honey_harvester_exim_cve-2019-10149.sh
```
You need to find and update two variable at the top of this script.

This is the email that will appear on abuse reports that are sent. So this needs to be a valid email address. You may be contacted back by the people who get these reports.

Example: abuse@mydomainname.com
str_my_abuse_email_address_to_use_in_from_field=''

This email address must be different from the "str_my_abuse_email_address_to_use_in_from_field". This email is use to send a copy of a abuse reports to you so you are aware that an attack was found. Since the "str_my_abuse_email_address_to_use_in_from_field" domain will be local to this honeypot system, it will not try to send to a remote. I suggest adding a subdomain.

Example: abuse@log.mydomainname.com
str_my_abuse_email_address_to_send_copy_of_abuse_report=''

----

## Testing

If you want to test to confirm the honeypot is working, you can use this other project I found.
https://github.com/cowbe0x004/eximrce-CVE-2019-10149

NOTE: This will send a abuse report to the owner of the IP you are testing from(ie, your ISP). Use at your own risk.
----

## Happy Hunting!
File Snapshot

Log in to view the POC file snapshot cached by Shenlong Bot

Log in to view
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →