Add CVE-2015-0235: Exim GHOST (glibc gethostbyname) Buffer Overflow #4956
Conversation
This was originally written by Qualys
Shouldn't the I_KNOW_WHAT_I_AM_DOING be changed to FORCE_EXPLOIT or something which gives some idea what the option is doing?
Sure we can do that.
Good usability change. Thank you, @void-in.
fail_with("smtp_connect", "sock is nil") if not sock
@smtp_state = :recv

banner = smtp_recv(220)
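Review bot: `fail_with("smtp_connect", "sock is nil") if not sock` reads more idiomatically in Ruby as `fail_with("smtp_connect", "sock is nil") unless sock` (Rubocop's Style/NegatedIf flags `if not`); and `banner = smtp_recv(220)` assigns a variable that none of the visible lines read, so either drop the assignment or act on the banner.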
I noticed that banner is not being used. Do you think it might be worthwhile to check for Exim in the 220?
I don't think checking the banner is necessary, because if the check triggers the bug and tells you it's vulnerable, there is no point in trusting the passive/banner check (or even looking at it).
I can get rid of the banner variable if you want. I imagine they just wanted to make it obvious that this line is receiving the banner.
Yeah, I agree. Remove it!
ok.
This is an exploit for CVE-2015-0235, a heap buffer overflow vulnerability in glibc gethostbyname. It specifically targets Exim servers to prove exploitability. Originally written by Qualys.
I did the testing and made small changes to the modules:
Setup:
1. Add helo_verify_hosts = * under MAIN CONFIGURATION SETTINGS.
2. sudo update-exim4.conf
3. sudo /etc/init.d/exim4 restart
4. grep helo /var/lib/exim4/config.autogenerated | grep verify, and make sure you see helo_verify_hosts = * in the output.
Now you are ready for testing.
If you can find me in person, you can try my box instead.
Verification
use exploit/linux/smtp/exim_gethostbyname_bof
set rhost [The Exim server's IP]
set sender_host_address [Your IP]
run
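A local self-check for the glibc bug this module targets, added here as an example (it is not code from this PR or from Qualys's module): it follows the canary test published in the Qualys advisory, calling gethostbyname_r with an all-digit name sized so that an unpatched glibc's undersized buffer check writes past the caller's buffer. The struct layout, the function names and the verdict enum are this example's own.

```c
#define _GNU_SOURCE            /* glibc: declare gethostbyname_r */
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

#define CANARY "in_the_coal_mine"

/* Result buffer for gethostbyname_r followed by a canary; an unpatched
   glibc copies the hostname past `buffer` and clobbers the canary. */
struct ghost_probe { char buffer[1024]; char canary[sizeof(CANARY)]; };

enum ghost_verdict { GHOST_NOT_VULNERABLE, GHOST_VULNERABLE, GHOST_INCONCLUSIVE };

/* Hostname length that fills what the buggy size check believes is free:
   it omitted sizeof(char *) for h_alias_ptr, so a fixed glibc returns
   ERANGE while a vulnerable one overruns `buffer` by a pointer's width. */
size_t ghost_name_len(void) {
    return sizeof(((struct ghost_probe *)0)->buffer)
           - 16 * sizeof(unsigned char)  /* host_addr (IPv6-sized) */
           - 2 * sizeof(char *)          /* h_addr_ptrs[2] */
           - 1;                          /* terminating NUL */
}

enum ghost_verdict ghost_check(void) {
    struct ghost_probe probe;
    struct hostent resbuf, *result = NULL;
    char name[sizeof(probe.buffer)];
    size_t len = ghost_name_len();
    int herrno = 0, rc;

    memset(&probe, 0, sizeof probe);
    memcpy(probe.canary, CANARY, sizeof(CANARY));
    memset(name, '0', len);   /* all digits: treated as an IPv4 literal, no DNS */
    name[len] = '\0';
    rc = gethostbyname_r(name, &resbuf, probe.buffer, sizeof(probe.buffer),
                         &result, &herrno);
    if (memcmp(probe.canary, CANARY, sizeof(CANARY)) != 0)
        return GHOST_VULNERABLE;      /* canary overwritten: unpatched glibc */
    if (rc == ERANGE)
        return GHOST_NOT_VULNERABLE;  /* corrected size check refused the buffer */
    return GHOST_INCONCLUSIVE;        /* non-glibc resolver or unexpected path */
}

int main(void) {
    static const char *text[] = { "not vulnerable", "VULNERABLE", "inconclusive" };
    return printf("CVE-2015-0235 local glibc check: %s\n", text[ghost_check()]) < 0;
}
```

The check only exercises the local libc; it says nothing about whether a remote Exim is reachable through helo_verify_hosts, which is what the module's active check covers.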