Land #8380, check for command injection in smtp email addresses

aborts
bug/bundler_fix
wchen-r7 2017-05-16 15:36:22 -05:00
commit 58d65ce4b5
1 changed files with 19 additions and 3 deletions

View File

@ -151,11 +151,27 @@ module Exploit::Remote::SMTPDeliver
[nsock, raw_send_recv("EHLO #{domain}\r\n", nsock)]
end
def bad_address(address)
address.bytesize > 2048 || /[\r\n]/ =~ address
end
#
# Sends an email message, connecting to the server first if a connection is
# not already established.
#
def send_message(data)
mailfrom = datastore['MAILFROM'].strip
if bad_address(mailfrom)
print_error "Bad from address, not sending: #{mailfrom}"
return nil
end
mailto = datastore['MAILTO'].strip
if bad_address(mailto)
print_error "Bad to address, not sending: #{mailto}"
return nil
end
send_status = nil
already_connected = connected?
@ -166,8 +182,8 @@ module Exploit::Remote::SMTPDeliver
nsock = connect_login(false)
end
raw_send_recv("MAIL FROM: <#{datastore['MAILFROM']}>\r\n", nsock)
res = raw_send_recv("RCPT TO: <#{datastore['MAILTO']}>\r\n", nsock)
raw_send_recv("MAIL FROM: <#{mailfrom}>\r\n", nsock)
res = raw_send_recv("RCPT TO: <#{mailto}>\r\n", nsock)
if res[0..2] == '250'
resp = raw_send_recv("DATA\r\n", nsock)
@ -199,7 +215,7 @@ module Exploit::Remote::SMTPDeliver
send_status = raw_send_recv("#{full_msg}\r\n.\r\n", nsock)
end
else
print_error "Server refused to send to <#{datastore['MAILTO']}>"
print_error "Server refused to send to <#{mailto}>"
end
if not already_connected