Nmap Development mailing list archives
[NSE] smtp-vuln-cve2015-0235
From: Jiayi Ye <yejiayily () gmail com>
Date: Sat, 6 Jun 2015 20:34:37 +0800
Hi,

This is a script to detect the Exim GHOST buffer overflow. I am still writing the exploitation part. The logic of this script is based on the Metasploit exim_gethostbyname_bof script (http://www.rapid7.com/db/modules/exploit/linux/smtp/exim_gethostbyname_bof).

The server-side requirements are as follows (refer to https://github.com/rapid7/metasploit-framework/wiki/How-to-use-exim_gethostbyname_bof.rb-(Exim-GHOST-Buffer-Overflow)):

1. glibc-2.6 - glibc-2.17: The exploit depends on the newer versions' fd_nextsize (a member of the malloc_chunk structure) to remotely obtain the address of Exim's smtp_cmd_buffer in the heap.
2. Exim server. The first exploitable version is Exim-4.77, maybe older. The exploit depends on the newer versions' 16-KB smtp_cmd_buffer to reliably set up the heap as described in the advisory.
3. The Exim server also must enable helo_try_verify_hosts or helo_verify_hosts in the /etc/exim4/exim4.conf.template file. The "verify = helo" ACL might be exploitable too, but the attack vector isn't as reliable, therefore it is not supported by the module.

I tested the script against a vulnerable server and it worked. Please help to test the script and make suggestions if any.

Thanks!

Best regards,
Jiayi Ye
Attachment: smtp-vuln-cve2015-0235.nse
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
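A defender-side exposure check that encodes the three server-side preconditions listed in the post, added here as an example and not part of the posted NSE script or the Metasploit module. The version parser, the config parser and the sample config fragment are constructed for this example; the glibc and Exim thresholds are taken from the post, and matching on version strings alone is a heuristic because distributions backport fixes without bumping the version.

```python
import re

# Exploit preconditions exactly as stated in the post (CVE-2015-0235, Exim GHOST).
GLIBC_MIN, GLIBC_MAX = (2, 6), (2, 17)   # fd_nextsize heap leak needs glibc 2.6 .. 2.17
EXIM_MIN = (4, 77)                       # 16 KB smtp_cmd_buffer; first known exploitable
HELO_OPTIONS = ("helo_try_verify_hosts", "helo_verify_hosts")

# Constructed Exim main-section fragment for demonstration (not from a real server).
SAMPLE_CONFIG = """\
# constructed example config
primary_hostname = mail.example.test
helo_try_verify_hosts = *
"""


def parse_version(text):
    """Return the leading numeric components, e.g. '2.15-0ubuntu10.18' -> (2, 15)."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError("no version number in %r" % text)
    return tuple(int(p) for p in m.group(1).split("."))


def helo_verify_enabled(config_text):
    """True if helo_try_verify_hosts or helo_verify_hosts is set to a non-empty host list.

    Exim main-section syntax is 'option = value'. Lines starting with '#' are comments,
    an empty value disables the option, and the last assignment wins.
    """
    enabled = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key in HELO_OPTIONS:
            enabled[key] = bool(value)
    return any(enabled.values())


def assess_exposure(glibc_version, exim_version, config_text):
    """Combine the three preconditions; returns (all_met, list of matched reasons).

    Version matching is heuristic: patched distro packages may keep an old version
    string, so confirm with the package changelog before treating a host as exposed.
    """
    reasons = []
    glibc = parse_version(glibc_version)
    if GLIBC_MIN <= glibc <= GLIBC_MAX:
        reasons.append("glibc %s in exploitable range" % ".".join(map(str, glibc)))
    exim = parse_version(exim_version)
    if exim >= EXIM_MIN:
        reasons.append("Exim %s has the 16 KB smtp_cmd_buffer" % ".".join(map(str, exim)))
    if helo_verify_enabled(config_text):
        reasons.append("HELO verification enabled in the main config")
    return len(reasons) == 3, reasons
```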
Current thread:
- [NSE] smtp-vuln-cve2015-0235 Jiayi Ye (Jun 06)