Move the details to a wiki

bug/bundler_fix
sinn3r 2015-03-19 11:52:17 -05:00
parent 968a8758ad
commit d8c8bd1669
1 changed files with 7 additions and 76 deletions


@ -16,81 +16,10 @@ class Metasploit4 < Msf::Exploit::Remote
'Description' => %q(
This module remotely exploits CVE-2015-0235 (a.k.a. GHOST, a heap-based
buffer overflow in the GNU C Library's gethostbyname functions) on x86
and x86_64 GNU/Linux systems that run the Exim mail server. Technical
information about the exploitation can be found in the original GHOST
advisory, and in the source code of this module.
------------------------------------------------------------------------
SERVER-SIDE REQUIREMENTS (Exim)
------------------------------------------------------------------------
The remote system must use a vulnerable version of the GNU C Library:
the first exploitable version is glibc-2.6, the last exploitable version
is glibc-2.17; older versions might be exploitable too, but this module
depends on the newer versions' fd_nextsize (a member of the malloc_chunk
structure) to remotely obtain the address of Exim's smtp_cmd_buffer in
the heap.
------------------------------------------------------------------------
The remote system must run the Exim mail server: the first exploitable
version is exim-4.77; older versions might be exploitable too, but this
module depends on the newer versions' 16-KB smtp_cmd_buffer to reliably
set up the heap as described in the GHOST advisory.
------------------------------------------------------------------------
The remote Exim mail server must be configured to perform extra security
checks against its SMTP clients: either the helo_try_verify_hosts or the
helo_verify_hosts option must be enabled; the "verify = helo" ACL might
be exploitable too, but is unpredictable and therefore not supported by
this module.
------------------------------------------------------------------------
CLIENT-SIDE REQUIREMENTS (Metasploit)
------------------------------------------------------------------------
This module's "exploit" method requires the SENDER_HOST_ADDRESS option
to be set to the IPv4 address of the SMTP client (Metasploit), as seen
by the SMTP server (Exim); additionally, this IPv4 address must have
both forward and reverse DNS entries that match each other
(Forward-Confirmed reverse DNS).
------------------------------------------------------------------------
The remote Exim server might be exploitable even if the Metasploit
client has no FCrDNS, but this module depends on Exim's sender_host_name
variable to be set in order to reliably control the state of the remote
heap.
------------------------------------------------------------------------
TROUBLESHOOTING
------------------------------------------------------------------------
"bad SENDER_HOST_ADDRESS (nil)" failure: the SENDER_HOST_ADDRESS option
was not specified.
------------------------------------------------------------------------
"bad SENDER_HOST_ADDRESS (not in IPv4 dotted-decimal notation)" failure:
the SENDER_HOST_ADDRESS option was specified, but not in IPv4
dotted-decimal notation.
------------------------------------------------------------------------
"bad SENDER_HOST_ADDRESS (helo_verify_hosts)" or
"bad SENDER_HOST_ADDRESS (helo_try_verify_hosts)" failure: the
SENDER_HOST_ADDRESS option does not match the IPv4 address of the SMTP
client (Metasploit), as seen by the SMTP server (Exim).
------------------------------------------------------------------------
"bad SENDER_HOST_ADDRESS (no FCrDNS)" failure: the IPv4 address of the
SMTP client (Metasploit) has no Forward-Confirmed reverse DNS.
------------------------------------------------------------------------
"not vuln? old glibc? (no leaked_arch)" failure: the remote Exim server
is either not vulnerable, or not exploitable (glibc versions older than
glibc-2.6 have no fd_nextsize member in their malloc_chunk structure).
------------------------------------------------------------------------
"NUL, CR, LF in addr? (no leaked_addr)" failure: Exim's heap address
contains bad characters (NUL, CR, LF) and was therefore mangled during
the information leak; this exploit is able to reconstruct most of these
addresses, but not all (worst-case probability is ~1/85, but could be
further improved).
------------------------------------------------------------------------
"Brute-force SUCCESS" followed by a nil reply, but no shell: the remote
Unix command was executed, but spawned a bind-shell or a reverse-shell
that failed to connect (maybe because of a firewall, or a NAT, etc).
------------------------------------------------------------------------
"Brute-force SUCCESS" followed by a non-nil reply, and no shell: the
remote Unix command was executed, but failed to spawn the shell (maybe
because the setsid command doesn't exist, or awk isn't gawk, or netcat
doesn't support the -6 or -e option, or telnet doesn't support the -z
option, etc).
------------------------------------------------------------------------
Comments and questions are welcome!
and x86_64 GNU/Linux systems that run the Exim mail server.
For additional information, please refer to the module's References
section.
),
'Author' => ['Qualys, Inc. <qsa[at]qualys.com>'],
'License' => BSD_LICENSE,
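Review bot: the replacement description drops every hard precondition an operator needs before running this module (vulnerable glibc 2.6 through 2.17, Exim 4.77 or later, helo_verify_hosts or helo_try_verify_hosts enabled, and a SENDER_HOST_ADDRESS with Forward-Confirmed reverse DNS), and the in-module mapping from each failure string ("bad SENDER_HOST_ADDRESS (no FCrDNS)", "not vuln? old glibc? (no leaked_arch)", "NUL, CR, LF in addr? (no leaked_addr)") to its cause goes with it. Since `info` output is what a user sees without a browser, consider keeping a two- or three-line summary of the server- and client-side requirements in the %q( ... ) block and pointing to the wiki only for the troubleshooting table, rather than reducing the whole description to "refer to the module's References section".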
@ -99,7 +28,9 @@ class Metasploit4 < Msf::Exploit::Remote
['US-CERT-VU', '967332'],
['OSVDB', '117579'],
['BID', '72325'],
['URL', 'https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt']
['URL', 'https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt'],
['URL', 'https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability'],
['URL', 'http://r-7.co/1CAnMc0'] # MSF Wiki doc (this module's manual)
],
'DisclosureDate' => 'Jan 27 2015',
'Privileged' => false, # uid=101(Debian-exim) gid=103(Debian-exim) groups=103(Debian-exim)
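Review bot: the new reference on the `['URL', 'http://r-7.co/1CAnMc0']` line is a link-shortener redirect over plain http, which makes the only remaining pointer to the module's documentation dependent on a third-party redirector and on an unauthenticated hop; prefer the canonical wiki page URL (https) so the reference stays resolvable and the comment `# MSF Wiki doc (this module's manual)` is self-explanatory without following the redirect. The trailing comma added to the existing GHOST advisory URL entry is correct and needed now that further entries follow it.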