Exim deliver_message() recipient address validation RCE
CVE-2019-10149 is a command execution vulnerability in Exim affecting versions 4.87 through 4.91 inclusive. The flaw is caused by improper validation of the recipient address in the deliver_message() function in /src/deliver.c. Exploitation can result in arbitrary command execution via execv(), and those commands may run as root. Qualys reported the issue, and Exim fixed it in version 4.92. Local exploitation is immediate on affected systems, while remote exploitation is possible under certain non-default configurations; some reporting additionally states that remote exploitation in default configurations was believed to require keeping a connection open for seven days, though alternative paths may exist given Exim's complexity.
Exploits
10 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (3 hidden).
This repository contains a single Python proof-of-concept exploit, CVE-2019-10149.py, targeting the Exim mail transfer agent vulnerability known as CVE-2019-10149. The script is a standalone exploit rather than part of a larger framework. Its purpose is to exploit Exim 4.87-4.91 by interacting directly with the local SMTP service over localhost:25 and injecting a malicious recipient address containing an Exim ${run{...}} expansion payload. Repository structure is minimal: one Python file with no supporting modules, configuration, or documentation. The script imports subprocess, socket, os, and time, though socket is not meaningfully used. Execution flow is linear: it launches netcat to connect to localhost port 25, waits for the SMTP 220 banner, sends HELO, MAIL FROM, RCPT TO, DATA, a sequence of Received headers, terminates the message, and quits. After a short delay, it connects to localhost:31415 using netcat. The main exploit capability is command execution against the local Exim service, with the payload attempting to run /bin/sh -c "nc -lp 31415 -e /bin/sh". If successful, this creates a bind shell listening on TCP port 31415, expected to run with Exim's privileges (the author's comment claims root). The exploit therefore provides interactive shell access rather than merely detecting the vulnerability. It is operational but basic: the payload is hardcoded, the target is fixed to localhost, and there is no reliability logic, target discovery, or payload customization.
This repository contains a local privilege escalation exploit for Exim CVE-2019-10149 (“Return of the WIZard”) targeting Exim 4.87–4.91. Structure: (1) README.md with step-by-step usage and expected SMTP dialogue/output; (2) raptor.sh, a Bash exploit script. raptor.sh prepares a local helper at /tmp/pwned by writing a minimal C program that calls setuid(0)/setgid(0) and executes /bin/sh, compiling it with gcc (or falling back to copying /bin/sh to /tmp/pwned). It then opens a raw TCP connection to the local SMTP service (localhost:25) using Bash’s /dev/tcp, performs a basic SMTP conversation (HELO, MAIL FROM, RCPT TO, DATA), and injects an Exim expansion payload in the RCPT TO address: ${run{/bin/sh -c "chown root /tmp/pwned;chmod 4755 /tmp/pwned"}}@localhost. The script sends multiple Received: headers (1..31) before terminating DATA, then waits briefly for Exim to execute the payload. If successful, /tmp/pwned becomes root-owned with the setuid bit set, allowing the attacker to execute /tmp/pwned to obtain a root shell. Primary capability: post-compromise LPE to root on a vulnerable host by leveraging local SMTP access to Exim and turning a prepared binary into a setuid-root shell.
This repository contains a local privilege escalation exploit for Exim versions 4.87 to 4.91, targeting CVE-2019-10149. The exploit consists of a Bash script ('raptor.sh') and a README.md with usage instructions. The script first creates a C source file for a setuid root shell at /tmp/pwned.c, compiles it to /tmp/pwned (or copies /bin/sh as a fallback), and then connects to the local Exim SMTP server on port 25. It injects a crafted payload via the RCPT TO SMTP command, exploiting Exim's vulnerability to execute commands as root. After a short wait, the script checks for the presence of the setuid shell at /tmp/pwned, which, when executed, provides a root shell. The exploit requires local user access and a vulnerable Exim installation. The main fingerprintable endpoints are the local SMTP port (localhost:25) and the file /tmp/pwned. The repository is operational and provides a working privilege escalation exploit.
This repository contains a Python proof-of-concept exploit for CVE-2019-10149, a remote command execution vulnerability in Exim mail servers. The main file, PoC.py, is a command-line tool that connects to a target Exim SMTP server and sends a specially crafted RCPT TO command to trigger the vulnerability. The exploit encodes a user-supplied shell command payload, which is then executed on the target server. The README provides a usage example, demonstrating how to use the exploit to download and execute a remote shell script, potentially establishing a reverse shell. The repository is structured simply, with one Python exploit script and a README. The exploit requires the attacker to specify both the target and attacker IP addresses and ports, as well as the payload to execute. The attack vector is network-based, targeting the SMTP service on the victim host.
This repository contains a Bash script (exploit.sh) and a README.md file. The exploit targets Exim mail servers vulnerable to CVE-2019-10149 (versions 4.87 to 4.91). The script prompts the user for the attacker's listener IP/port and the target Exim server's IP/port. It crafts a malicious RCPT TO address containing a payload that instructs Exim to execute netcat, which connects back to the attacker's listener and spawns a shell. The exploit leverages a network-based attack vector and requires the attacker to have a netcat listener running. The payload is a reverse shell using /bin/nc and /bin/bash. The repository is a straightforward proof-of-concept exploit based on a public Qualys PoC, with no detection or fake elements.
This repository contains a Python exploit script (exploit.py) targeting CVE-2019-10149, a remote command execution vulnerability in Exim mail server versions 4.87 to 4.91. The exploit abuses improper validation in the deliver_message() function of Exim, allowing an attacker to execute arbitrary commands via a crafted RCPT TO SMTP command. The script connects to the target Exim server over TCP (default port 25), sends a sequence of SMTP commands, and injects a payload that opens a reverse shell to the attacker's machine (specified by --lhost and --lport). The README provides a usage example and describes the vulnerability. The repository is straightforward, with one code file and a README, and is operational, providing a working reverse shell payload.
This repository provides a proof-of-concept exploit for CVE-2019-10149, a remote command execution vulnerability in Exim versions 4.87 to 4.90 (prior to 4.91). The README.md contains detailed instructions for installing a vulnerable Exim version, configuring it for exploitation, and crafting the necessary payload. The exploit leverages Exim's support for the `${run{...}}` expansion in the recipient address to execute arbitrary shell commands. The provided payload downloads and executes a Bash script (RemoteConnection.sh) from a remote server, which establishes a reverse shell connection back to the attacker's machine using netcat. The repository contains two files: a README.md with setup and exploitation instructions, and RemoteConnection.sh, which implements the reverse shell logic. The exploit requires network access to the target's SMTP port (25) and a vulnerable Exim configuration. Notable endpoints include the attacker's IP address, the remote script URL, and a temporary file used for shell communication.
This repository provides tools to test for and detect exploitation of CVE-2019-10149 (Exim remote command execution). It contains three files: a README.md with usage instructions and mitigation advice, eximioc.sh (a Bash script for local detection and system health checks), and eximrce.py (a Python script to remotely test for the vulnerability). The main exploit capability is to test if a remote Exim server is vulnerable by attempting to create a file (/root/lweximtest) via a crafted RCPT TO SMTP command that leverages the Exim 'run' expansion. The Bash script is intended for local use on potentially compromised servers, checking for indicators of compromise, vulnerable versions, and known malware artifacts. The Python script is used for remote testing, connecting to the target's SMTP port and sending the exploit payload. The repository targets Exim servers (especially on cPanel-managed systems) running unpatched versions susceptible to CVE-2019-10149. No hardcoded IPs or domains are present; the scripts operate on user-supplied targets. The exploit is operational, providing a clear indicator of successful code execution, and the repository also includes advice for mitigation via Exim configuration changes.
This repository contains a proof-of-concept exploit for CVE-2019-10149, a privilege escalation vulnerability in Exim mail server. The main file, 'wizard.py', is a Python script that connects to a local Exim SMTP server on port 25 and sends a crafted sequence of SMTP commands. The exploit leverages Exim's vulnerability to execute a shell command via the 'RCPT TO' field, which delivers a base64-encoded C program, compiles it to /tmp/s, and sets its permissions to setuid root. The script then executes this binary to obtain a root shell. The repository structure is minimal, consisting of a README and the exploit script. The exploit targets Exim servers vulnerable to CVE-2019-10149 and requires local access to the SMTP service.
This repository contains a single Python exploit script targeting Exim versions 4.87 to 4.91. The exploit leverages a vulnerability in Exim's handling of crafted RCPT TO payloads to execute arbitrary commands as root. The script connects to the local Exim SMTP service on port 25 and sends a specially crafted payload that causes Exim to spawn a root shell via netcat on port 31415. After a short delay, the script connects to this port, providing the attacker with an interactive root shell. The exploit requires local access to the target system (localhost) and assumes the presence of both Exim and netcat. The repository is operational, providing a working exploit with a hardcoded payload, and is not part of any known exploit framework.
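Every summary above describes the same mechanism: an Exim expansion item embedded in the local part of a RCPT TO address, delivered to an Exim in the 4.87 to 4.91 range. The following added example is a defender-side triage helper written for this page; it is not code from any of the repositories listed or from Exim itself. It checks a banner or 'exim -bV' string against the affected range and flags RCPT TO lines that carry expansion syntax, extracting the command inside a ${run{...}} item for the analyst. Function names, the banner regex, and the sample transcript are assumptions and constructed data.

```python
import re
from typing import List, Optional, Tuple

# Affected range stated above: Exim 4.87 through 4.91 inclusive (fixed in 4.92).
AFFECTED_MIN = (4, 87)
AFFECTED_MAX = (4, 91)
RUN_PREFIX = "${run{"

def parse_exim_version(text: str) -> Optional[Tuple[int, int]]:
    """Pull (major, minor) out of an SMTP banner or 'exim -bV' line such as 'Exim 4.89'."""
    m = re.search(r"Exim(?: version)? (\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2))) if m else None

def is_affected_version(text: str) -> bool:
    """True when the version found in text falls inside the vulnerable range."""
    v = parse_exim_version(text)
    return v is not None and AFFECTED_MIN <= v <= AFFECTED_MAX

def extract_run_expansion(rcpt_line: str) -> Optional[str]:
    """Return the command inside a ${run{...}} item in an RCPT TO line, or None; braces are matched."""
    start = rcpt_line.find(RUN_PREFIX)
    if start == -1:
        return None
    depth, i = 1, start + len(RUN_PREFIX)
    while i < len(rcpt_line):
        if rcpt_line[i] == "{":
            depth += 1
        elif rcpt_line[i] == "}":
            depth -= 1
            if depth == 0:
                return rcpt_line[start + len(RUN_PREFIX):i]
        i += 1
    return None  # unterminated item: the caller still flags it via the bare "${" check

def scan_smtp_transcript(lines: List[str]) -> List[Tuple[int, Optional[str]]]:
    """Flag RCPT TO commands carrying any expansion syntax; returns (line number, command)."""
    hits = []
    for n, line in enumerate(lines, 1):
        if line.upper().startswith("RCPT TO:") and "${" in line:
            hits.append((n, extract_run_expansion(line)))
    return hits

# Constructed sample dialogue (not captured traffic); the command is a harmless placeholder.
SAMPLE_TRANSCRIPT = [
    "HELO localhost", "MAIL FROM:<>",
    "RCPT TO:<postmaster@localhost>",
    "RCPT TO:<${run{/usr/bin/id}}@localhost>",
    "DATA",
]
```

Any RCPT TO local part containing `${` is abnormal for legitimate mail, so the scanner reports the line even when the item is malformed or uses something other than run.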
Recent activity
9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A vulnerability in the Exim mail transfer agent that was reportedly leveraged by the Hades threat actor for large-scale compromise/mass access operations.
An Exim vulnerability enabling remote exploitation of MX servers running Exim 4.87–4.91 under certain non-default configurations (and local exploitation more broadly), which was subsequently actively scanned and attacked; also associated with a Linux worm targeting vulnerable Exim on Azure Linux VMs.
A critical remote command execution vulnerability in Exim mail server software that is being actively exploited.
A remote command execution vulnerability in Exim mail transfer agent, caused by an input validation error, allowing remote attackers to execute arbitrary commands as root.