smtp-vuln-cve2010-4344
Script rule type: portrule
Script categories: exploit, intrusive, vuln
Script download URL: http://nmap.org/svn/scripts/smtp-vuln-cve2010-4344.nse
Checks for and/or exploits a heap overflow within versions of Exim prior to version 4.69 (CVE-2010-4344) and a privilege escalation vulnerability in Exim 4.72 and prior (CVE-2010-4345).
The heap overflow vulnerability allows remote attackers to execute arbitrary code with the privileges of the Exim daemon (CVE-2010-4344). If the exploit fails then the Exim smtpd child will be killed (heap corruption).
The script also checks for a privilege escalation vulnerability that affects Exim version 4.72 and prior. The vulnerability allows the exim user to gain root privileges by specifying an alternate configuration file using the -C option (CVE-2010-4345).
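The two version ranges named above (heap overflow before 4.69, -C privilege escalation up to and including 4.72) can be checked passively from an SMTP greeting banner, which is the non-intrusive part of what a vulnerability scan does before anything is sent. The following Python is an added example written for this page; it is not code from the Nmap script or the Nmap project. It assumes the server advertises its version in the standard "ESMTP Exim X.YY" greeting form and uses the version thresholds exactly as this page states them; the sample banners are constructed.

```python
import re
from typing import Dict, Optional, Tuple

# Thresholds taken from the description above: CVE-2010-4344 affects Exim
# prior to 4.69, CVE-2010-4345 affects 4.72 and prior (assumption: the page's
# wording is used literally; consult your vendor's advisory for exact builds).
HEAP_OVERFLOW_FIXED_FROM = (4, 69)   # strictly below this -> flag CVE-2010-4344
PRIVESC_LAST_AFFECTED = (4, 72)      # at or below this -> flag CVE-2010-4345

# Matches "Exim 4.69", "Exim 4.72_RC1", etc. in a 220 greeting or EHLO reply.
BANNER_RE = re.compile(r"\bExim\s+(\d+)\.(\d+)")


def parse_exim_version(banner: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) from an Exim SMTP banner, or None if not Exim."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)))


def assess(banner: str) -> Dict[str, Optional[object]]:
    """Map a banner to a verdict per CVE; None means 'version unknown'."""
    ver = parse_exim_version(banner)
    if ver is None:
        return {"version": None, "CVE-2010-4344": None, "CVE-2010-4345": None}
    return {
        "version": "%d.%d" % ver,
        # Tuple comparison orders (4, 9) below (4, 69) correctly, unlike
        # comparing the float 4.9 against 4.69.
        "CVE-2010-4344": ver < HEAP_OVERFLOW_FIXED_FROM,
        "CVE-2010-4345": ver <= PRIVESC_LAST_AFFECTED,
    }


# Constructed sample greetings (hostnames and dates are made up).
SAMPLE_BANNERS = [
    "220 mail1.example.test ESMTP Exim 4.63 Mon, 13 Dec 2010 10:00:00 +0000",
    "220 mail2.example.test ESMTP Exim 4.72 #1 Mon, 13 Dec 2010 10:00:00 +0000",
    "220 mail3.example.test ESMTP Exim 4.73 Mon, 13 Dec 2010 10:00:00 +0000",
    "220 mail4.example.test ESMTP Postfix",
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(b.split()[1], assess(b))
```

A banner match is a triage signal, not proof: distributions backport security fixes without bumping the advertised version, so a host flagged here should be confirmed against the package's changelog or vendor advisory before it is reported, and a host that hides or rewrites its banner is simply "unknown" rather than safe.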
The smtp-vuln-cve2010-4344.exploit script argument makes the script try to exploit the vulnerabilities by sending more than 50MB of data; the exact amount depends on the message size limit configuration option of the Exim server. If the exploit succeeds, the exploit.cmd or smtp-vuln-cve2010-4344.cmd script arguments can be used to run an arbitrary command on the remote system under the Exim user's privileges. Setting either of these command arguments also enables the smtp-vuln-cve2010-4344.exploit argument.
To get the appropriate debug messages for this script, please use -d2.
Some of the logic of this script is based on the metasploit exim4_string_format exploit.
Reference:
Script arguments:
smtp-vuln-cve2010-4344.exploit: The script will force the checks, and will try to exploit the Exim SMTP server.
exploit.cmd or smtp-vuln-cve2010-4344.cmd: An arbitrary command to run under the Exim user privileges on the remote system. If this argument is set, it will enable the smtp-vuln-cve2010-4344.exploit argument.
Define the domain to be used in the SMTP EHLO command.
Define the destination email address to be used.
Define the source email address to be used.
Usage:
nmap --script=smtp-vuln-cve2010-4344 --script-args="smtp-vuln-cve2010-4344.exploit" -pT:25,465,587 <host>
nmap --script=smtp-vuln-cve2010-4344 --script-args="exploit.cmd='uname -a'" -pT:25,465,587 <host>
Sample output:
PORT   STATE SERVICE
25/tcp open  smtp
| smtp-vuln-cve2010-4344:
|   Exim heap overflow vulnerability (CVE-2010-4344):
|     Exim (CVE-2010-4344): VULNERABLE
|       Shell command 'uname -a': Linux qemu-ubuntu-x32 2.6.38-8-generic #42-Ubuntu SMP Fri Jan 21 17:40:48 UTC 2011 i686 GNU/Linux
|   Exim privileges escalation vulnerability (CVE-2010-4345):
|     Exim (CVE-2010-4345): VULNERABLE
|       Before 'id': uid=121(Debian-exim) gid=128(Debian-exim) groups=128(Debian-exim),45(sasl)
|_      After 'id': uid=0(root) gid=128(Debian-exim) groups=0(root)
Author: Djalal Harouni
License: Compiled by VER007, http://www.ver007.com