A demonstration of remote code execution via the GHOST vulnerability, delivered as a standalone Metasploit module, is now available. The module remotely exploits CVE-2015-0235 (a.k.a. GHOST, a heap-based buffer overflow in the GNU C Library's gethostbyname functions) on x86 and x86_64 GNU/Linux systems that run the Exim mail server.
About GHOST
The GHOST vulnerability can be triggered both locally and remotely via all the gethostbyname*() functions in the glibc library that is a core part of the Linux operating system.
The first vulnerable version of the GNU C Library affected by this is glibc-2.2, released on November 10, 2000. The bug was fixed on May 21, 2013 (between the releases of glibc-2.17 and glibc-2.1

. Unfortunately, it was not recognized as a security threat, and as a result, most stable and long-term-support distributions were left exposed, including Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, and Ubuntu 12.04.
Qualys worked closely with Linux distribution vendors and released an advisory and blog post on January 27, 2015, in conjunction with patches for the major distributions available the same day. Qualys held this module until now to allow IT teams time to apply all necessary patches.
Demonstration of Exploit
This module enables Metasploit to get shell access, i.e. remote code execution, against an Exim mail server. If this module's "check" or "exploit" method determines that a remote system is vulnerable, it is also exploitable.