30-07-25, 06:10 AM
![Seal of the United States Department of Defense](https://upload.wikimedia.org/wikipedia/commons/thumb/2/2e/Seal_of_the_United_States_Department_of_Defense.svg/1200px-Seal_of_the_United_States_Department_of_Defense.svg.png)
Hello darkforums community, today I discovered an SMTP server vulnerability in defense.gov. Basically, I was able to locate one of their servers in Finland, more specifically the IP address 45.144.52.72. Port 465 is running Exim 4.97, which is an outdated version of Exim, leaving it vulnerable to CVE-2023-51766: Exim before 4.97.1 allows SMTP smuggling in certain PIPELINING/CHUNKING configurations. Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because Exim supports <LF>.<CR><LF> but some other popular e-mail servers do not.
Here is proof that it's running the outdated version of Exim: https://files.catbox.moe/fvnv2j.jpeg
I also found a certificate related to port 21 which contained the email root@defense.gov, which I thought was very interesting: https://files.catbox.moe/mvry5n.jpeg
How to exploit it:
First, connect to the server 45.144.52.72 on port 25 or 465.
For example: nc 45.144.52.72 25
You would use netcat to connect because there are no telnet ports open or anything.
Here's how you would smuggle an injected message: snippet.host/szuxmx/raw
Note: Hitting Enter in your terminal usually sends CRLF (\r\n), so you may need to inject LF.\r\n manually. If that's not possible with telnet, use a Python script instead.
Here is a Python script exploit PoC that I wrote which automates it all: snippet.host/pjwsdy/raw
Just replace the target and spoofed email with all the details here, etc.