diff --git a/modules/exploits/linux/smtp/exim_gethostbyname_bof.rb b/modules/exploits/linux/smtp/exim_gethostbyname_bof.rb
index 98086b5395..0829b7cef1 100644
--- a/modules/exploits/linux/smtp/exim_gethostbyname_bof.rb
+++ b/modules/exploits/linux/smtp/exim_gethostbyname_bof.rb
@@ -16,81 +16,10 @@ class Metasploit4 < Msf::Exploit::Remote
 'Description' => %q(
 This module remotely exploits CVE-2015-0235 (a.k.a. GHOST, a heap-based
 buffer overflow in the GNU C Library's gethostbyname functions) on x86
- and x86_64 GNU/Linux systems that run the Exim mail server. Technical
- information about the exploitation can be found in the original GHOST
- advisory, and in the source code of this module.
- ------------------------------------------------------------------------
- SERVER-SIDE REQUIREMENTS (Exim)
- ------------------------------------------------------------------------
- The remote system must use a vulnerable version of the GNU C Library:
- the first exploitable version is glibc-2.6, the last exploitable version
- is glibc-2.17; older versions might be exploitable too, but this module
- depends on the newer versions' fd_nextsize (a member of the malloc_chunk
- structure) to remotely obtain the address of Exim's smtp_cmd_buffer in
- the heap.
- ------------------------------------------------------------------------
- The remote system must run the Exim mail server: the first exploitable
- version is exim-4.77; older versions might be exploitable too, but this
- module depends on the newer versions' 16-KB smtp_cmd_buffer to reliably
- set up the heap as described in the GHOST advisory.
- ------------------------------------------------------------------------
- The remote Exim mail server must be configured to perform extra security
- checks against its SMTP clients: either the helo_try_verify_hosts or the
- helo_verify_hosts option must be enabled; the "verify = helo" ACL might
- be exploitable too, but is unpredictable and therefore not supported by
- this module.
- ------------------------------------------------------------------------
- CLIENT-SIDE REQUIREMENTS (Metasploit)
- ------------------------------------------------------------------------
- This module's "exploit" method requires the SENDER_HOST_ADDRESS option
- to be set to the IPv4 address of the SMTP client (Metasploit), as seen
- by the SMTP server (Exim); additionally, this IPv4 address must have
- both forward and reverse DNS entries that match each other
- (Forward-Confirmed reverse DNS).
- ------------------------------------------------------------------------
- The remote Exim server might be exploitable even if the Metasploit
- client has no FCrDNS, but this module depends on Exim's sender_host_name
- variable to be set in order to reliably control the state of the remote
- heap.
- ------------------------------------------------------------------------
- TROUBLESHOOTING
- ------------------------------------------------------------------------
- "bad SENDER_HOST_ADDRESS (nil)" failure: the SENDER_HOST_ADDRESS option
- was not specified.
- ------------------------------------------------------------------------
- "bad SENDER_HOST_ADDRESS (not in IPv4 dotted-decimal notation)" failure:
- the SENDER_HOST_ADDRESS option was specified, but not in IPv4
- dotted-decimal notation.
- ------------------------------------------------------------------------
- "bad SENDER_HOST_ADDRESS (helo_verify_hosts)" or
- "bad SENDER_HOST_ADDRESS (helo_try_verify_hosts)" failure: the
- SENDER_HOST_ADDRESS option does not match the IPv4 address of the SMTP
- client (Metasploit), as seen by the SMTP server (Exim).
- ------------------------------------------------------------------------
- "bad SENDER_HOST_ADDRESS (no FCrDNS)" failure: the IPv4 address of the
- SMTP client (Metasploit) has no Forward-Confirmed reverse DNS.
- ------------------------------------------------------------------------
- "not vuln? old glibc? (no leaked_arch)" failure: the remote Exim server
- is either not vulnerable, or not exploitable (glibc versions older than
- glibc-2.6 have no fd_nextsize member in their malloc_chunk structure).
- ------------------------------------------------------------------------
- "NUL, CR, LF in addr? (no leaked_addr)" failure: Exim's heap address
- contains bad characters (NUL, CR, LF) and was therefore mangled during
- the information leak; this exploit is able to reconstruct most of these
- addresses, but not all (worst-case probability is ~1/85, but could be
- further improved).
- ------------------------------------------------------------------------
- "Brute-force SUCCESS" followed by a nil reply, but no shell: the remote
- Unix command was executed, but spawned a bind-shell or a reverse-shell
- that failed to connect (maybe because of a firewall, or a NAT, etc).
- ------------------------------------------------------------------------
- "Brute-force SUCCESS" followed by a non-nil reply, and no shell: the
- remote Unix command was executed, but failed to spawn the shell (maybe
- because the setsid command doesn't exist, or awk isn't gawk, or netcat
- doesn't support the -6 or -e option, or telnet doesn't support the -z
- option, etc).
- ------------------------------------------------------------------------
- Comments and questions are welcome!
+ and x86_64 GNU/Linux systems that run the Exim mail server.
+
+ For additional information, please refer to the module's References
+ section.
 ),
 'Author' => ['Qualys, Inc. '],
 'License' => BSD_LICENSE,
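Review bot: The new four-line description drops every precondition the module itself depends on — glibc 2.6 through 2.17, Exim 4.77 or later, helo_verify_hosts or helo_try_verify_hosts enabled on the target, and a SENDER_HOST_ADDRESS with forward-confirmed reverse DNS — so `info` output no longer tells an operator up front when the exploit cannot work, and the "bad SENDER_HOST_ADDRESS (...)" failure strings the module emits are no longer explained anywhere in the module. A pointer to the References section only helps while the linked pages stay reachable; a short summary inside the `%q(...)` literal costs nothing and keeps the module self-describing. I would keep two lines after the first paragraph, e.g. `Requires glibc 2.6-2.17 and Exim >= 4.77 with helo_verify_hosts or helo_try_verify_hosts enabled, and SENDER_HOST_ADDRESS set to an IPv4 address with forward-confirmed reverse DNS; see the References for the full requirements and troubleshooting.` The info hash this string lives in (presumably the module's `initialize`) opens before the hunk.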
@@ -99,7 +28,9 @@ class Metasploit4 < Msf::Exploit::Remote
 ['US-CERT-VU', '967332'],
 ['OSVDB', '117579'],
 ['BID', '72325'],
- ['URL', 'https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt']
+ ['URL', 'https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt'],
+ ['URL', 'https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability'],
+ ['URL', 'http://r-7.co/1CAnMc0'] # MSF Wiki doc (this module's manual)
 ],
 'DisclosureDate' => 'Jan 27 2015',
 'Privileged' => false, # uid=101(Debian-exim) gid=103(Debian-exim) groups=103(Debian-exim)
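Review bot: The third added reference, `['URL', 'http://r-7.co/1CAnMc0']`, is a plain-HTTP shortened link rather than the document it stands for, so an operator reading the references before running an exploit cannot see where it resolves, the redirect can be retargeted or expire outside the project's control, and it is fetched unencrypted; this matters more now that the description hunk defers all requirements to this section. Since the trailing comment says it is the module's wiki manual, reference the wiki page's full https URL directly, e.g. `['URL', 'https://<full wiki page URL>'] # MSF wiki: this module's manual`, or at least name the destination in the comment if a short link must stay. The `'References'` array this sits in opens before the hunk.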