simple python socket connection to test if exim is vulnerable to CVE-2019-10149. The payload simply touch a file in /tmp/eximrce.# eximrce
Simple python socket connection to test if exim is vulnerable to CVE-2019-10149.
The payload simply touch a file in /root/lweximtest. Output will be slow
depending on server's reply and not knowing how to properly use python's socket module. Would love a lesson on how to speed it up. Only tested on cPanel boxes.
**Run locally on suspected server. This checks for indication of compromise.**
```
curl -s https://raw.githubusercontent.com/cowbe0x004/eximrce-CVE-2019-10149/master/eximioc.sh |bash
```
**Run remotely. Testing for remote code execution.**
```
git clone https://github.com/cowbe0x004/eximrce-CVE-2019-10149
cd eximrce-CVE-2019-10149
python eximrce.py <HOST> <PORT>
```
**If /root/lweximtest exists on the server, remote code execution is possible.**
**If you are not able to update exim, at least put this ACL in exim.conf so ${run{ can't be run.**
```
## change
acl_smtp_rcpt = acl_smtp_rcpt
## to
acl_smtp_rcpt = acl_check_rcpt
## after "begin acl"
acl_check_rcpt:
deny message = Restricted characters in address
domains = +local_domains
local_parts = ^[.] : ^.*[@%!/|] : ^.*\N\${run{\N.*}}
deny message = Restricted characters in address
domains = !+local_domains
local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./ : ^.*\N\${run{\N.*}}
accept
```
登录后查看神龙缓存的 POC 文件快照
登录查看