This article presents an exploit (EXP) for the GHOST vulnerability, packaged as a Metasploit module. The module remotely exploits CVE-2015-0235, a heap overflow in the gethostbyname function of the glibc library, and its target is a Linux server running the Exim mail service.
About GHOST
The GHOST vulnerability lies in the gethostbyname function of glibc, the core C library on Linux, and can be triggered both locally and remotely. This high-risk vulnerability, named Ghost (GHOST), surfaced in 2015; it may allow an attacker to remotely obtain the highest level of control over the operating system, and it affects a large number of Linux operating systems and distributions on the market. Its CVE number is CVE-2015-0235.
The earliest glibc version affected by this vulnerability is glibc-2.2, released on 2000-9-10. The bug was fixed on May 21, 2013, between glibc-2.17 and glibc-2.18; however, that fix was not classified as a security update, so many stable and long-term-support Linux releases remained affected, including Debian 7 (wheezy), Red Hat Enterprise Linux 6 and 7, CentOS 6 and 7, and Ubuntu 12.04.
Qualys worked closely with the various Linux distribution vendors and, on January 27, 2015, released an advisory together with a blog post; that article is closely tied to the patches issued by the mainstream distributions. Qualys is only releasing this module now, in the hope that every IT team has had enough time to patch the vulnerability.
This Metasploit module can be used against servers running the Exim mail service to obtain a shell and execute code remotely. The module's check method can also be used to determine whether a remote server is vulnerable and whether it can be exploited.
As described in the EXP, the following prerequisites must be met for the exploit to succeed:
-- The remote target server must use a vulnerable glibc library: the first vulnerable version is glibc-2.6 and the last vulnerable version is glibc-2.17. Some older versions may also be vulnerable, but the module provided here only supports the newer versions just mentioned, because it depends on their fd_nextsize field (a member of the malloc_chunk structure) to remotely obtain the heap address of Exim's smtp_cmd_buffer.
-- The remote target server must run the Exim mail server: the first vulnerable version is exim-4.77. Older versions may also be vulnerable, but the module provided in this article depends on the 16 KB smtp_cmd_buffer of the newer versions to reliably set up the heap.
-- The Exim mail service on the remote target server must be configured to perform extra security checks on the SMTP client: either the helo_try_verify_hosts or the helo_verify_hosts option must be enabled. The ACL option verify = helo may also work, but because its behaviour is unpredictable, the module provided here does not support it.
-- Conditions on the Metasploit client: the module's exploit method requires SENDER_HOST_ADDRESS to be set to the IPv4 address of the local SMTP client, that is, the IP address visible to Exim. In addition, this IPv4 address MUST support forward and reverse DNS lookups.
-- The Exim server may still be exploitable even if the Metasploit client has no FCrDNS, but this module requires Exim to set sender_host_name in order to reliably control the heap state.
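The prerequisites above double as an audit checklist for defenders: a host is exposed to this module only when its glibc release number falls in the affected range, its Exim is new enough, and HELO verification is switched on in the main section of the Exim configuration. The following Python script is an added example written for this article, not code from the article or from the Metasploit module; the version ranges are taken from the text above, the function names (parse_version, glibc_version_affected, module_targets_glibc, exim_helo_verification, assess) are hypothetical, and the Exim configuration it parses is a constructed sample. Distribution packages often carry the fix as a backport without changing the release number (Red Hat's glibc-2.12, for instance), so a positive glibc result here is a triage signal to be confirmed against the vendor's errata, not proof of exposure.

```python
import re

# Ranges as stated in the article: glibc-2.2 is the first affected release
# and the fix landed before glibc-2.18; the Metasploit module itself only
# targets glibc-2.6 .. glibc-2.17 and Exim versions from 4.77 on.
GLIBC_FIRST_AFFECTED = (2, 2)
GLIBC_FIRST_FIXED = (2, 18)
MODULE_GLIBC_MIN = (2, 6)
MODULE_GLIBC_MAX = (2, 17)
EXIM_FIRST_SUPPORTED = (4, 77)

# Main-section Exim options that make the HELO verification path reachable.
HELO_VERIFY_OPTIONS = ("helo_try_verify_hosts", "helo_verify_hosts")

# Constructed sample configuration, not taken from any real server.
SAMPLE_EXIM_CONF = """\
# constructed sample
primary_hostname = mail.example.test
helo_verify_hosts = *
acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  accept verify = helo
"""


def parse_version(text):
    """Return the leading MAJOR.MINOR of strings such as 'ldd (GNU libc) 2.12'
    or 'Exim version 4.80 #2' as an integer tuple."""
    m = re.search(r"(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no version number in %r" % text)
    return (int(m.group(1)), int(m.group(2)))


def glibc_version_affected(version_text):
    """True if the upstream release number lies in the affected range.
    Backported fixes keep the number, so treat True as a triage signal."""
    return GLIBC_FIRST_AFFECTED <= parse_version(version_text) < GLIBC_FIRST_FIXED


def module_targets_glibc(version_text):
    """True if the release is one the module's fd_nextsize technique supports."""
    return MODULE_GLIBC_MIN <= parse_version(version_text) <= MODULE_GLIBC_MAX


def exim_helo_verification(config_text):
    """Report HELO verification settings: options found in the main section
    (comments stripped, sections after any 'begin ...' line skipped) and
    whether an ACL uses 'verify = helo', which the module does not support."""
    main_options = []
    acl_verify_helo = False
    in_main = True
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("begin "):
            in_main = False          # 'begin acl', 'begin routers', ... end the main section
            continue
        if in_main:
            name = re.split(r"[\s=]", line, maxsplit=1)[0]
            if name in HELO_VERIFY_OPTIONS:
                main_options.append(name)
        elif re.search(r"\bverify\s*=\s*helo\b", line):
            acl_verify_helo = True
    return {"main_options": main_options, "acl_verify_helo": acl_verify_helo}


def assess(glibc_text, exim_text, exim_config):
    """Combine the three server-side prerequisites into one finding."""
    helo = exim_helo_verification(exim_config)
    glibc_hit = glibc_version_affected(glibc_text)
    exim_hit = parse_version(exim_text) >= EXIM_FIRST_SUPPORTED
    return {
        "glibc_affected": glibc_hit,
        "module_glibc_range": module_targets_glibc(glibc_text),
        "exim_in_module_range": exim_hit,
        "helo_options": helo["main_options"],
        "acl_verify_helo": helo["acl_verify_helo"],
        # exposed to this module only when every server-side prerequisite holds
        "exposed": glibc_hit and exim_hit and bool(helo["main_options"]),
    }


if __name__ == "__main__":
    # Feed it the output of `ldd --version` and `exim -bV` plus the config text.
    for key, value in assess("ldd (GNU libc) 2.17", "Exim version 4.80 #2",
                             SAMPLE_EXIM_CONF).items():
        print("%-22s %s" % (key, value))
```

Run it with the first line of ldd --version, the first line of exim -bV, and the contents of the Exim main configuration; a host reported as exposed should be patched (or have the helo_*verify_hosts options reviewed) before anything else, and a host reported as not exposed only on the strength of the version number should still be checked against the vendor's security errata for CVE-2015-0235.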