Home page logo

metasploit logo Metasploit mailing list archives

Re: Bug in exim4_string_format.rb
From: "Joshua J. Drake" <jdrake () metasploit com>
Date: Sun, 26 Jun 2011 01:08:43 -0500

On Fri, Jun 17, 2011 at 03:45:48PM +1000, Ty Miller wrote:
Hey guys,

I had to make a small tweak to the exploit
module msf3/modules/exploits/unix/smtp/exim4_string_format.rb to make it
work on a system that I exploited recently ...

                print_status("Sending second message ...")
                buf = raw_send_recv("MAIL FROM:
                # Should be: "sh-x.x$ " !!
                print_status("MAIL result: #{buf.inspect}") if buf

                buf = raw_send_recv("RCPT TO: #{datastore['MAILTO']}\r\n")
                # Should be: "sh: RCPT: command not found\n"
                if buf
                        print_status("RCPT result: #{buf.inspect}")
                        if buf !~ /RCPT/
                           *     print_error("Ty: Skipping over RCPT check
exploit bug")*
                            *    #*raise RuntimeError, 'Something went
wrong, perhaps this host is patched?'

The sh-x.x part was being received when RCPT was expected in the module, so
by commenting it out the module didn't terminate and the exploit worked.


I made a change to the module at r13032. It should fix address this.
If possible, please test against your target and let me know if it

Joshua J. Drake

Attachment: _bin


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]