2012-06-29 00:18:28 -05:00
|
|
|
# -*- coding: binary -*-
|
2006-09-06 17:44:12 +00:00
|
|
|
module Msf
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
###
|
|
|
|
|
#
|
|
|
|
|
# This module exposes methods that may be useful to exploits that deal with
|
|
|
|
|
# servers that speak the SMTP protocol.
|
|
|
|
|
#
|
|
|
|
|
###
|
|
|
|
|
module Exploit::Remote::Smtp
|
|
|
|
|
|
|
|
|
|
include Exploit::Remote::Tcp
|
2013-08-30 16:28:33 -05:00
|
|
|
|
2006-09-06 17:44:12 +00:00
|
|
|
#
|
|
|
|
|
# Creates an instance of an SMTP exploit module.
|
|
|
|
|
#
|
|
|
|
|
def initialize(info = {})
|
|
|
|
|
super
|
2013-08-30 16:28:33 -05:00
|
|
|
|
2006-09-06 17:44:12 +00:00
|
|
|
# Register the options that all SMTP exploits may make use of.
|
|
|
|
|
register_options(
|
|
|
|
|
[
|
|
|
|
|
Opt::RHOST,
|
|
|
|
|
Opt::RPORT(25),
|
2014-11-20 14:53:36 -06:00
|
|
|
OptString.new('MAILFROM', [ true, 'FROM address of the e-mail', 'sender@example.com']),
|
|
|
|
|
OptString.new('MAILTO', [ true, 'TO address of the e-mail', 'target@example.com']),
|
2006-09-06 17:44:12 +00:00
|
|
|
], Msf::Exploit::Remote::Smtp)
|
2009-10-28 18:04:50 +00:00
|
|
|
register_autofilter_ports([ 25, 465, 587, 2525, 25025, 25000])
|
2010-02-26 18:47:48 +00:00
|
|
|
register_autofilter_services(%W{ smtp smtps})
|
2006-09-06 17:44:12 +00:00
|
|
|
end
|
2013-08-30 16:28:33 -05:00
|
|
|
|
2006-09-06 17:44:12 +00:00
|
|
|
#
|
|
|
|
|
# This method establishes a SMTP connection to host and port specified by
|
|
|
|
|
# the RHOST and RPORT options, respectively. After connecting, the banner
|
|
|
|
|
# message is read in and stored in the 'banner' attribute.
|
|
|
|
|
#
|
|
|
|
|
def connect(global = true)
|
|
|
|
|
fd = super
|
2013-08-30 16:28:33 -05:00
|
|
|
|
2010-02-26 18:47:48 +00:00
|
|
|
# Wait for a banner to arrive...
|
|
|
|
|
self.banner = fd.get_once(-1, 30)
|
2006-09-06 17:44:12 +00:00
|
|
|
# Return the file descriptor to the caller
|
|
|
|
|
fd
|
|
|
|
|
end
|
2013-08-30 16:28:33 -05:00
|
|
|
|
2006-09-06 17:44:12 +00:00
|
|
|
#
|
2010-02-26 18:47:48 +00:00
|
|
|
# Connect to the remote SMTP server, and begin a DATA transfer
|
2006-09-06 17:44:12 +00:00
|
|
|
#
|
|
|
|
|
def connect_login(global = true)
|
|
|
|
|
smtpsock = connect(global)
|
2013-08-30 16:28:33 -05:00
|
|
|
|
2006-09-06 17:44:12 +00:00
|
|
|
raw_send_recv("EHLO X\r\n")
|
|
|
|
|
raw_send_recv("MAIL FROM: #{datastore['MAILFROM']}\r\n")
|
|
|
|
|
raw_send_recv("RCPT TO: #{datastore['MAILTO']}\r\n")
|
|
|
|
|
raw_send_recv("DATA\r\n")
|
2013-08-30 16:28:33 -05:00
|
|
|
|
2006-09-06 17:44:12 +00:00
|
|
|
return true
|
|
|
|
|
end
|
2013-08-30 16:28:33 -05:00
|
|
|
|
2006-09-06 17:44:12 +00:00
|
|
|
#
|
|
|
|
|
# This method transmits an IMAP command and waits for a response. If one is
|
|
|
|
|
# received, it is returned to the caller.
|
|
|
|
|
#
|
|
|
|
|
def raw_send_recv(cmd, nsock = self.sock)
|
|
|
|
|
nsock.put(cmd)
|
|
|
|
|
nsock.get_once
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
protected
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# This attribute holds the banner that was read in after a successful call
|
|
|
|
|
# to connect or connect_login.
|
|
|
|
|
#
|
|
|
|
|
attr_accessor :banner
|
|
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
2009-10-28 18:04:50 +00:00
|
|
|
end
|
2010-02-26 18:47:48 +00:00
|
|
|
|
