
File smtp-vuln-cve2010-4344

Script type: portrule
Categories: exploit, intrusive, vuln
Script download URL: http://nmap.org/svn/scripts/smtp-vuln-cve2010-4344.nse

User Summary

Checks for and/or exploits a heap overflow within versions of Exim prior to version 4.69 (CVE-2010-4344) and a privilege escalation vulnerability in Exim 4.72 and prior (CVE-2010-4345).

The heap overflow vulnerability allows remote attackers to execute arbitrary code with the privileges of the Exim daemon (CVE-2010-4344). If the exploit fails, the Exim smtpd child will be killed (heap corruption).

The script also checks for a privilege escalation vulnerability that affects Exim version 4.72 and prior. The vulnerability allows the exim user to gain root privileges by specifying an alternate configuration file using the -C option (CVE-2010-4345).

The smtp-vuln-cve2010-4344.exploit script argument will make the script try to exploit the vulnerabilities by sending more than 50MB of data; the exact amount depends on the message size limit configuration option of the Exim server. If the exploit succeeds, the exploit.cmd or smtp-vuln-cve2010-4344.cmd script arguments can be used to run an arbitrary command on the remote system, under the Exim user privileges. If this script argument is set, it will enable the smtp-vuln-cve2010-4344.exploit argument.

To get the appropriate debug messages for this script, please use -d2.

Some of the logic of this script is based on the metasploit exim4_string_format exploit.
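The version-only part of the check described above can be written in a few lines of Python. This is an added example, not code from the Nmap script or the Nmap project: it parses the Exim version out of the SMTP greeting and compares it against the two thresholds the summary gives (prior to 4.69 for CVE-2010-4344, 4.72 and prior for CVE-2010-4345). The greeting lines and host names below are constructed. Because distributions backport fixes without changing the advertised version, a banner match is only an indicator; confirming the heap overflow requires the script's exploit mode.

```python
import re
import socket
from typing import Dict, Optional, Tuple

# Exim greets with e.g. "220 mail.example ESMTP Exim 4.72 Mon, 13 Dec 2010 ...".
# Multi-line greetings use "220-" continuation lines, so accept either separator.
BANNER_RE = re.compile(r"^220[ -].*?\bExim\s+(\d+(?:\.\d+)+)", re.IGNORECASE | re.MULTILINE)

# Thresholds exactly as stated in the script summary.
HEAP_OVERFLOW_FIXED_IN = (4, 69)   # CVE-2010-4344: versions prior to 4.69
PRIVESC_LAST_AFFECTED = (4, 72)    # CVE-2010-4345: 4.72 and prior


def parse_version(greeting: str) -> Optional[Tuple[int, ...]]:
    """Extract the Exim version from an SMTP greeting as a comparable tuple.

    Returns None when the greeting is not from Exim or carries no version.
    """
    match = BANNER_RE.search(greeting)
    if match is None:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def assess(version: Tuple[int, ...]) -> Dict[str, bool]:
    """Map each CVE to whether the version string alone suggests exposure."""
    return {
        "CVE-2010-4344": version < HEAP_OVERFLOW_FIXED_IN,
        "CVE-2010-4345": version <= PRIVESC_LAST_AFFECTED,
    }


def check_greeting(greeting: str) -> Optional[Dict[str, bool]]:
    """Combine parsing and assessment; None means 'not an Exim banner'."""
    version = parse_version(greeting)
    if version is None:
        return None
    return assess(version)


def fetch_greeting(host: str, port: int = 25, timeout: float = 5.0) -> str:
    """Read only the server greeting; no SMTP commands are sent."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return sock.recv(1024).decode("ascii", errors="replace")


# Constructed sample greetings, covering each side of both thresholds.
SAMPLES = {
    "old": "220 mx1.example.test ESMTP Exim 4.68 Mon, 13 Dec 2010 10:00:00 +0000\r\n",
    "boundary": "220 mx2.example.test ESMTP Exim 4.69 Mon, 13 Dec 2010 10:00:00 +0000\r\n",
    "last-privesc": "220-mx3.example.test ESMTP Exim 4.72\r\n220 ready\r\n",
    "fixed": "220 mx4.example.test ESMTP Exim 4.73 Mon, 13 Dec 2010 10:00:00 +0000\r\n",
    "other-mta": "220 mx5.example.test ESMTP Postfix\r\n",
}

if __name__ == "__main__":
    for label, greeting in SAMPLES.items():
        print(label, check_greeting(greeting))
```

The `fetch_greeting` helper only reads the banner and never issues a command, so it is safe to run against a host you administer; pass its return value to `check_greeting` to get the same per-CVE verdict the samples produce.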

Reference:

Script Arguments

smtp.domain

Define the domain to be used in the SMTP EHLO command.

exploit.cmd or smtp-vuln-cve2010-4344.cmd

An arbitrary command to run under the Exim user privileges on the remote system. If this argument is set, it will enable the smtp-vuln-cve2010-4344.exploit argument.

smtp-vuln-cve2010-4344.mailto

Define the destination email address to be used.

smtp-vuln-cve2010-4344.exploit

The script will force the checks, and will try to exploit the Exim SMTP server.

smtp-vuln-cve2010-4344.mailfrom

Define the source email address to be used.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

Example Usage

Command format

nmap --script=smtp-vuln-cve2010-4344 --script-args="smtp-vuln-cve2010-4344.exploit" -pT:25,465,587 <host>
nmap --script=smtp-vuln-cve2010-4344 --script-args="exploit.cmd='uname -a'" -pT:25,465,587 <host>

Script Output

PORT   STATE SERVICE
25/tcp open  smtp
| smtp-vuln-cve2010-4344:
| Exim heap overflow vulnerability (CVE-2010-4344):
|   Exim (CVE-2010-4344): VULNERABLE
|     Shell command 'uname -a': Linux qemu-ubuntu-x32 2.6.38-8-generic #42-Ubuntu SMP Fri Jan 21 17:40:48 UTC 2011 i686 GNU/Linux
| Exim privileges escalation vulnerability (CVE-2010-4345):
|   Exim (CVE-2010-4345): VULNERABLE
|     Before 'id': uid=121(Debian-exim) gid=128(Debian-exim) groups=128(Debian-exim),45(sasl)
|_    After  'id': uid=0(root) gid=128(Debian-exim) groups=0(root)

Requires


Author: Djalal Harouni

License: compiled by VER007 http://www.ver007.com