Home page logo

metasploit logo Metasploit mailing list archives

Bug in exim4_string_format.rb
From: Ty Miller <tyronmiller () gmail com>
Date: Fri, 17 Jun 2011 15:45:48 +1000

Hey guys,

I had to make a small tweak to the exploit
module msf3/modules/exploits/unix/smtp/exim4_string_format.rb to make it
work on a system that I exploited recently ...

                print_status("Sending second message ...")
                buf = raw_send_recv("MAIL FROM:
                # Should be: "sh-x.x$ " !!
                print_status("MAIL result: #{buf.inspect}") if buf

                buf = raw_send_recv("RCPT TO: #{datastore['MAILTO']}\r\n")
                # Should be: "sh: RCPT: command not found\n"
                if buf
                        print_status("RCPT result: #{buf.inspect}")
                        if buf !~ /RCPT/
                           *     print_error("Ty: Skipping over RCPT check
exploit bug")*
                            *    #*raise RuntimeError, 'Something went
wrong, perhaps this host is patched?'

The sh-x.x part was being received when RCPT was expected in the module, so
by commenting it out the module didn't terminate and the exploit worked.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]