Nmap Development mailing list archives

[NSE] smtp-vuln-cve2015-0235


From: Jiayi Ye <yejiayily () gmail com>
Date: Sat, 6 Jun 2015 20:34:37 +0800

Hi,

This is a script to detect the Exim GHOST buffer overflow, and I am still
writing the exploitation part.
The logic of this script is based on the Metasploit exim_gethostbyname_bof
module (http://www.rapid7.com/db/modules/exploit/linux/smtp/exim_gethostbyname_bof).

The server-side requirements are as follows (refer to
https://github.com/rapid7/metasploit-framework/wiki/How-to-use-exim_gethostbyname_bof.rb-(Exim-GHOST-Buffer-Overflow)).
1. glibc-2.6 - glibc-2.17: The exploit depends on the newer versions'
fd_nextsize (a member of the malloc_chunk structure) to remotely obtain the
address of Exim's smtp_cmd_buffer in the heap.
2. Exim server: The first exploitable version is Exim-4.77, maybe older.
The exploit depends on the newer versions' 16-KB smtp_cmd_buffer to
reliably set up the heap as described in the advisory.
3. The Exim server must also enable helo_try_verify_hosts or
helo_verify_hosts in the /etc/exim4/exim4.conf.template file. The "verify =
helo" ACL might be exploitable too, but the attack vector isn't as
reliable and is therefore not supported by the module.

I tested the script against a vulnerable server and it worked. Please help
test the script and make suggestions, if any. Thanks!

Best regards,
Jiayi Ye

Attachment: smtp-vuln-cve2015-0235.nse

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/